Scary Occurrence on M1 MacBook Air
I was setting up my daughter's new M1 MacBook Air (Apple Silicon) last night. I installed 1Password and logged her into her account so she could get to her 1Password vaults and then I noticed I screwed up and typo'd her macOS user name. I tried just changing the user name and her home directory, but this led to issues as the old user name appeared in several "plist" files in her home directory "Library" directory (e.g.: all finder and dock preferences seemed to be lost), so I decided to reinstall macOS and start over since I had not gotten that far.
To reinstall macOS, I did the following:
- Erased the "Macintosh HD" with "Disk Utility"
- Erased the "Container" volume for "Macintosh HD" as well to ensure the "Data" directory was removed (again with "Disk Utility")
- Ultimately could not reinstall because of an M1 Big Sur reinstall issue and re-imaged the M1 MacBook Air using DFU mode and "Configurator 2" using the Big Sur 11.1 IPSW file and the "Configurator 2" "restore" option
By all accounts, my M1 MacBook Air was now a new machine from the factory that I would think I could resell if I wanted to (in fact, I don't know what else I might do to prep it for resale).
Then I setup her user account again (with the same iCloud account) and reinstalled 1Password (and Rosetta 2 so I could run 1Password).
When I launched 1Password for the first time I got out my iPhone so I could scan the QR code again, but this time I was not asked for the QR code. This time it asked me I wanted to reuse my same 1Password.com Family Account for my daughter that it remembered and simply required me to sign in to it with her password. It did NOT even ask me for the "secret key".
How did it know? I literally erased the hard drive and made a brand new user account (albeit by the same name) -- how did 1Password have any trace of the old 1Password account.
My only guess is that 1Password is storing some kind of token identifying the user in the iCloud account or in the M1's Secure Enclave.
Please advise me how 1Password 7 already knew which account to use so I can confirm that a new person setting up an old Mac I sold them (or traded in for warranty repair) won't get access to my 1Password account secret key or account user name.
1Password Version: 7
Extension Version: Not Provided
OS Version: macOS 11.1 (Big Sur)
Sync Type: 1Password.com
Comments
-
I tried posting this before, but it seems my post deleted itself after editing it.
I was setting up my daughter's M1 MacBook Air (Apple Silicon) last night and after completing the setup wizard to create my daughter's user account with her iCloud account, I installed 1Password 7 (and Rosetta 2) and then pulled out my iPhone to get the QR code from the "Emergency Kit" PDF in my 1Password Vault so the MacBook camera could scan it and get the "secret key" and I could log my daughter into her vaults. All went as expected.
Then I noticed that I had typo'd my daughter's user name. I tried to change the user name (and home directory), but after logging in again it seemed that Finder (and Dock) had lost all preferences. To make matters worse, I could find occurrences of my daughter's incorrect user name in many "plist" files in **~/Library ** directory.
So I decided that since I had not gotten very far in setting up her MacBook that I would simply erase the drive and reinstall Big Sur (which has its own issues if you have been following the news on re-imaging an M1 Mac).
In the process of doing this I did the following in the macOS Recovery Mode:
1) Tried a reinstall of Big Sur without doing anything else -- but then cancelled as I realized that I needed to erase the drive first2) I then erased the APFS "Macintosh HD" using "Disk Utility", but left the "Data" volume behind -- this prevented me from reinstalling macOS since it wanted me to login to a non-existent user account to complete the installation.
3) I then erased the "Container" volume that contained both APFS "Macintosh HD" and the APFS "Data" volume (again with "Disk Utility") and was able to reinstall macOS Big Sur, but when I got to the step to "Create a Computer Account" in the setup wizard, it kept failing to create her account.
4) Finally, I put the M1 MacBook Air in DFU mode and connected it to my MacBook Pro running "Apple Configurator 2". I downloaded the macOS Big Sur 11.1 IPSW file from Apple and did a "Restore" via "Configurator 2" to the M1 MacBook Air to re-image the machine to factory settings (supposedly replacing the System Restore firmware, the macOS Restore partition and the normal macOS disk volumes) -- I was finally able to go through the initial setup wizard and recreate my daughter's user account with the correct user name (and the same iCloud account)
So now it was time to reinstall 1Password 7 and log her in again my scanning the QR code on my iPhone to get the "secret key". Except, this time on my supposedly clean Mac install with a brand new clean user account, 1Password did not prompt me to scan my QR code, but asked if I wanted to use the previously used 1Password.com account. It already knew the secret key and account user name and just required me to enter the account password.
How did it know? If I were to trade this machine into Apple for warranty replacement or sell it on eBay, I cannot imagine what steps I could have taken to better erase my data -- but here I was with a supposedly clean install that already knew my user name and secret key for 1Password.com.
I have two guesses....
1) 1Password 7 put something in the user's iCloud account from the previous setup
2) 1Password 7 put something in the M1's Secure Enclave from the previous setupEither way, both things make me nervous (with option 2 being worse). I need to know how to completely wipe all traces of 1Password setup from the machine and if it is different for the Apple Silicon Macs versus the Intel Macs.
1Password Version: 7
Extension Version: Not Provided
OS Version: macOS 11.1 (Big Sur)
Sync Type: 1Password.com0 -
Interesting tale (gotta watch those flying fingers during setup). Curious to see what 1P Support has to say in answer to your question.
0 -
I am completely baffled and very anxious to hear what they have to say. Either my re-imaging steps were somehow incomplete (despite multiple drive erasures) or something was left behind on the MacBook or in iCloud.
0 -
Then I setup her user account again (with the same iCloud account) and reinstalled 1Password (and Rosetta 2 so I could run 1Password).
iCloud setup is the key indicator here.
As a convenience feature, to make signing into the 1Password apps across multiple Apple devices easier, if you've set up your device with an Apple ID and have iCloud Keychain enabled (https://support.apple.com/en-us/HT204085), then when you sign into a 1Password membership inside one of our apps for Mac or iOS, the app will write some of your sign-in details to your encrypted iCloud storage. Then, if you go to sign into an account on a different Apple device that's set up with the same Apple ID and iCloud Keychain, the 1Password app there will find the account details stored in iCloud, and will present it as a list of found accounts to make signing into them easier.
0