Repetitive prompts for 1Password account password on the iPhone

Comments

  • CraigTorell
    Community Member

    I am a brand new 1Password user (as of 08/16/2021) and am having a similar problem on iOS (iPhone 12 Pro and iPad Pro, both with latest iOS updates). On the iPhone I set 1Password Security settings as Lock on Exit = Off, Auto-Lock = 10 Minutes. I am using Chrome browser. (I also set the 1Password Browser > User Agent to Chrome, but don't know if this has anything to do with the problem). When I bring up a web site in Chrome and then tap on a username (or password) field I normally get the "key" icon at the bottom of the screen with the word "Passwords" displayed next to it; when I tap on the "Key" I get the logon screen for 1Password, which -- after entering the master password -- will then work for that logon attempt and then immediately locks again. When I enable Face ID it works, i.e., when I tap on the Key icon it logs me in to 1Password without requiring the master password, but your web site says that Face ID utilizes Keychain, and hence there is always a possibility that the master password can be hacked. (In other words, I don't want to use Face ID).

    By the way, I was careful to leave the 1Password in memory when I was using Chrome, although I believe that's not actually necessary. Please advise. Thanks!

  • Dave_1P
    edited August 2021

    Hello @CraigTorell! 👋

    I'm sorry to hear that you're having issues with unlocking 1Password on your iPhone. Note that I've split your question into a new thread so that we can focus on your issue specifically. :)

    The behaviour that you mentioned is a limitation of our integration with the iOS Password AutoFill feature - when going through Password AutoFill's interface to open 1Password, 1Password is opening in a more restricted mode than when you launch the main app itself, and in this more restricted mode 1Password requires that you authenticate in order to fill and save your passwords.

    1Password does store an obfuscated secret in your iPhone's Keychain when you enable Face ID; however, this secret is encrypted so that only 1Password is able to read it and it never leaves your device. You can read more about Face ID security here: About Face ID security in 1Password for iOS. As the security article states:

    1. Your device must be unlocked for the secret to be accessible.
    2. Your device must have a device passcode set. If you turn off your device passcode, the secret is deleted.
    3. The secret cannot be restored to a different device.
    4. The secret is not included in iCloud backups.
    5. Only 1Password can access the secret.

    Our implementation of Face ID is secure and I personally feel confident using it on my own devices. However, if you'd like to avoid enabling Face ID then you can continue to enter your 1Password account password to unlock 1Password when saving or filling in other apps.
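
Added example, not part of the thread and not 1Password's code: how an iOS app can store a secret in the Keychain so that the five properties listed in the reply above hold, using Apple's Security and LocalAuthentication frameworks. The service and account names and both function names are hypothetical, and requiring the current Face ID enrolment is this example's choice.

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical identifiers for this example.
let service = "com.example.vault"
let account = "biometric-unlock-secret"

enum KeychainError: Error { case accessControl, status(OSStatus) }

func storeUnlockSecret(_ secret: Data) throws {
    // WhenPasscodeSetThisDeviceOnly: readable only while the device is unlocked,
    // requires a device passcode (iOS deletes the item if the passcode is turned
    // off), never migrates to another device and is not backed up or synced.
    // .biometryCurrentSet (this example's choice) adds a Face ID / Touch ID check.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        nil) else { throw KeychainError.accessControl }

    // No shared access group is set, so only this app's own keychain
    // access group (bound to its code signature) can read the item.
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(base as CFDictionary)  // replace any previous copy
    var add = base
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = secret
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

func loadUnlockSecret() throws -> Data? {
    let context = LAContext()
    context.localizedReason = "Unlock the vault"
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    query[kSecUseAuthenticationContext as String] = context
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }  // e.g. passcode was removed
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    return item as? Data
}
```

A `nil` result from `loadUnlockSecret()` is the case where the app has to fall back to asking for the account password.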

  • CraigTorell
    Community Member

    Well, obviously, it's not practical to type in my master password every time I want to use the app for auto-fill. I appreciate that your technical article on Face ID is very complete (I had forgotten the part about how iOS Keychain isn't the same as iCloud keychain); so complete, in fact, that the mention of jailbreaking at the end of the article was enough to give me pause. The article doesn't discuss the degree of obfuscation that is applied to the master password when storing it in the iOS keychain, but I understand that it would take a lot for a hacker to get to that point anyway. Enough that I would hope that I could change my master password on 1Password.com prior to anyone actually being able to access my data.

    Concerning the iOS app Security settings, it is definitely confusing for a new user such as myself to set Lock on Exit to "off" and Auto-Lock for "10 Minutes" but still have to fill in the master password for auto-fill even if the 1Password app is still in memory. Perhaps a little clarification in the explanatory text in the Security settings might help?

    Thanks for your response. I appreciate your time and patience!

  • Thanks for the reply @CraigTorell.

    The information stored in the Keychain is encrypted and only accessible to the 1Password app. It also doesn't leave your device. A hacker would have had to completely compromise your iPhone in order to extract this information and at that point it would likely be easier for the hacker to set up a hidden keylogger or screen recorder in order to exfiltrate data from your iPhone.

    The settings that you mentioned only apply to the main 1Password app and not the lighter version of 1Password that is invoked when you fill inside of other apps. I do agree that this could be improved and we're planning to release an entirely new filling experience for Safari (unfortunately not Chrome yet since it doesn't yet support web extensions) when Apple releases iOS 15 in the fall. If you'd like to read more about what's coming you can check out our blog: WWDC21: Virtual Conference, Redux

    I hope that helps. :)

  • CraigTorell
    Community Member

    Thanks. Hope Chrome can get on board with that as well!

  • I agree, I hope that web extensions can be made available in Chrome on iOS one day as well. :)

This discussion has been closed.