Request: Document "Show Usernames and Websites" security implications

pzuraq
Community Member

I wanted to open a discussion around the Show Usernames and Websites setting in password autocomplete because I believe that enabling it can significantly reduce the security of the 1Password vault. To be clear, this is not a software vulnerability or exploit, more of a design flaw (mainly from iOS, IMO), but I didn't realize just how much this would weaken my security model when it was enabled.

Essentially, the issue is that if:

  1. You have Face ID enabled for 1Password
  2. You have password autocomplete enabled for 1Password
  3. You selected Show Usernames and Websites when enabling autocomplete
  4. An attacker has observed your iPhone passcode

Then the attacker can access any passwords that can be autofilled via iOS autofill. This can be done by the attacker either triggering a failure of Face ID, causing it to fall back to the passcode, or by simply disabling Face ID for password autofill in Settings (doable if you know the phone's passcode), since then it won't even do any check before autofilling.

Generally, most people have their phone passcodes set to a 6-digit PIN. For the average person's threat model, this is a reasonable security level - it's convenient when you need to access your phone without Face ID, and not too easy to guess on its own, but it is still pretty weak overall. The idea is that it's ok if an attacker gets into the phone, because most sensitive info is kept behind a second layer of passwords (e.g. bank apps, password managers, etc.), and those are all protected with much stronger passwords. It's a balance between ease of access and usability vs. security, and for most people it seems to work pretty well.

With the above settings, however, it appears that all of your sensitive info can leak if someone gets your phone passcode. It's possible to set a longer passcode of course, but many people don't (I didn't), and it's very inconvenient.

Disabling Show Usernames and Websites seems to prevent this issue. When disabled, autofilling a password with 1Password opens a window which requires Face ID, and falls back to using your master password. It appears that the 1Password team has thought about this and that's why this option exists, and I'm really grateful for it! And once again, I really think this is a failure more so in iOS's design around password management, and 1Password works really well within the constraints that are given. I realize that the team does not have much control over these areas because they're using native features built into the OS.

I guess the main thing I would hope to see is a clearer warning about the implications of this setting somewhere, ideally when the user is enabling it. I only discovered this because a friend of mine recently had his iPhone stolen and had every single account of his hacked - email, Apple, banks, etc. To be clear, they were using Keychain, not 1Password (and the problems are sooooo much worse with Keychain), but it started me off on an audit of my own setup and I found this. So, a warning that this can seriously reduce security, and maybe a documentation article or blog post about the implications, would be great. If one already exists then I apologize! I searched the forum and googled a bit and didn't find anything. Also, apologies if I'm missing something here; I'm not a security expert so I definitely could be!

This discussion has been closed.