Can you further clarify how Face ID uses the master password?

bfan (Community Member)

On this page https://support.1password.com/face-id-security/ there is the statement:

"When you turn on Face ID, 1Password stores in the iOS Keychain an obfuscated version of a secret that is equivalent to your account password."

Can you clarify what that means? My understanding is you don't store the master password, but it sounds like you are storing the equivalent of the master password. Is that correct? It sounds like there is something equivalent to the master password that only you and Apple have access to on the phone. Can you explain further and, in particular, how this is meaningfully different from 1Password knowing the master password?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Hi there @bfan

    When you turn on Face ID for 1Password, 1Password generates a new secret, completely unrelated to your account password, Secret Key, or anything else. It then signs this key and asks iOS to store it in the Secure Enclave.

    "It sounds like there is something equivalent to the master password that only you and Apple have access to on the phone."

    When you say "Apple have access", I'd be interested to learn more about what you're expecting here. The secret that's stored in the iOS keychain isn't backed up anywhere (such as iCloud) and it's stored in the Secure Enclave. This is the security chip in your iPhone and is a "black box" of secure storage – only the app which stores a secret in the Secure Enclave can retrieve it. This means that only 1Password can retrieve the secret it stored in the Secure Enclave.

    The secret stored in the Secure Enclave is functionally equivalent to the account password, but it would only ever unlock 1Password on that device, and no others.

    Also, the secret stored in the Secure Enclave would be destroyed if any of the following happen:

    • When your face isn’t recognized five times in a row
    • When the amount of time in Settings > Security > “Require password” has elapsed
    • When you reset Face ID or set up an alternate appearance on your device

    In those cases, you would need to unlock 1Password using your account password. 1Password would then generate a new secret to replace the destroyed one.

    "how this is meaningfully different from 1Password knowing the master password?"

    1Password doesn't know your account password at all. If you unlock 1Password using your account password, 1Password performs calculations on what was entered to derive the Account Unlock Key (AUK). It then tries to use that AUK to decrypt the data. If the correct account password was used, the AUK will be able to decrypt the data. If the wrong AUK was used, the data can't be decrypted and you'll be prompted to enter your account password again.

    In the case of using Face ID, we're essentially creating a second key to unlock 1Password, entirely separate from the account password. However, as noted above, this secret isn't permanent and can be destroyed and replaced.

    I hope that answers your question, but if you need more detail or have any questions, let me know and I'll be happy to help. :)

    — Grey
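The two-key design described in the reply above (one key derived from the account password, one fresh random secret held by the device, either of which unwraps the same vault key) is easier to reason about in code. The following is an added, deliberately simplified model written for this thread; it is not 1Password's code and makes no claim about its real KDF, parameters, Secret Key handling or Keychain/Secure Enclave usage. The "enclave" is a plain attribute, the key wrap is a toy HMAC-based construction standing in for a real AEAD, and `KDF_ITERATIONS`, the class and method names, and the sample password are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example for this thread, NOT 1Password's implementation.
KDF_ITERATIONS = 100_000     # assumed value, not 1Password's real parameter
MAX_FACE_FAILURES = 5        # "face isn't recognized five times in a row" (from the reply)


def derive_auk(password: str, salt: bytes) -> bytes:
    """Model of deriving the Account Unlock Key from the password (PBKDF2 stands in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def wrap_key(kek: bytes, key: bytes) -> bytes:
    """Authenticated wrap of a 32-byte key under kek -> nonce || ciphertext || tag.
    Toy construction (HMAC keystream + HMAC tag); a real system would use AES-GCM or similar."""
    assert len(key) == 32
    nonce = secrets.token_bytes(16)
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the wrapped key, or None when kek is wrong (tag check fails, nothing decrypted)."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class Vault:
    """Vault key wrapped twice: under the password-derived AUK and under a device-local secret."""

    def __init__(self, account_password: str):
        self.salt = secrets.token_bytes(16)
        self.vault_key = secrets.token_bytes(32)   # kept here only so the demo can check results
        self.wrapped_by_auk = wrap_key(derive_auk(account_password, self.salt), self.vault_key)
        self.face_id_enabled = False
        self.enclave_secret: Optional[bytes] = None   # models the Keychain/Secure Enclave slot
        self.wrapped_by_enclave: Optional[bytes] = None
        self.face_failures = 0

    def _enroll_biometric(self, vault_key: bytes) -> None:
        # Fresh random secret, unrelated to the password or the AUK; wraps the same vault key.
        self.enclave_secret = secrets.token_bytes(32)
        self.wrapped_by_enclave = wrap_key(self.enclave_secret, vault_key)
        self.face_failures = 0

    def destroy_biometric_secret(self) -> None:
        # Models: Face ID reset / alternate appearance, "require password" timeout, 5 failed matches.
        self.enclave_secret = None
        self.wrapped_by_enclave = None

    def unlock_with_password(self, password: str) -> Optional[bytes]:
        key = unwrap_key(derive_auk(password, self.salt), self.wrapped_by_auk)
        if key is not None and self.face_id_enabled and self.enclave_secret is None:
            self._enroll_biometric(key)   # replace a destroyed secret after a password unlock
        return key

    def enable_face_id(self, password: str) -> bool:
        key = self.unlock_with_password(password)
        if key is None:
            return False
        self.face_id_enabled = True
        self._enroll_biometric(key)
        return True

    def unlock_with_face(self, face_matched: bool) -> Optional[bytes]:
        if self.enclave_secret is None:
            return None                   # no device secret: the account password is required
        if not face_matched:
            self.face_failures += 1
            if self.face_failures >= MAX_FACE_FAILURES:
                self.destroy_biometric_secret()
            return None
        self.face_failures = 0
        return unwrap_key(self.enclave_secret, self.wrapped_by_enclave)
```

The point the model makes concrete: the password never leaves the KDF step, a wrong password simply fails the tag check, and the biometric path only works while the device-local secret exists. Destroying that secret (as the reply lists) forces a password unlock, after which a new, unrelated secret is generated.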

  • bfan (Community Member)

    @GreyM1P - Fantastic response! Thank you for the clarity and the details.
    "1Password generates a new secret, completely unrelated to your account password" was what I wanted to see.

    It is comforting how transparent you all are with the security approach.

  • We're happy to hear Grey could be of assistance. If you have any other questions please let us know.
