Is Unlocking the same as Decrypting or is it more Vulnerable?

Community Member

Hi - I'm trying to understand what the state of the 1Password Vault(s) is/are on the local device when you have an app locked or are using Face ID/Touch ID/Windows Hello to access? I could only find some info in the Knowledgebase and not enough to clarify the exact process - is there some specific details of the process somewhere, or a white paper covering it. For example:

This section about use of Face ID (on iPhones & iPads) Your 1Password account password is stored securely talks about the obfuscated secret stored in the iOS Keychain being used to "unlock" 1Password when your face is recognised. So does that mean:

  1. The vault(s) is/are stored decrypted somewhere (like in memory) and the Master Password isn't needed to access them while in this state; or that this 'secret' then gives access to a cached (possibly encrypted?) version of the master password to then decrypt the vault(s) on the fly or at that moment they are accessed (and therefore they are still always encrypted when at rest, even if the app is open as long as it's "locked")?
  2. If the former where are these vaults in a decrypted state stored?
  3. In the example above on an iPhone or iPad for example I assume the device passcode (PIN) has access to the same secret stored in the iOS Keychain, since Face ID (or Touch ID) is simply substituting for the device passcode/PIN? So the device passcode/PIN can also unlock the 1Password App/Vault?
  4. If it is stored decrypted or in some other form (as opposed to its fully encrypted state when at rest or being sync'd with the 1Password Servers) how vulnerable is it - if its cached or on local drive and was exfiltrated (i.e. copied off by a remote intruder or alternately the whole device physically stolen) can they then more easily break into that vault, because it's not encrypted with the master password and only 'locked' with a secret (key) that's on the device locally? e.g. could they then make innumerable guesses to unlock the vault without it re-encrypting back to the normal state where it needs the Master Password?

I realise an iPhone or similar is probably a more secure O/S environment so not best example for intrusion, but the same could be true on a MacBook (with Touch ID) or a Laptop with Windows Hello active (using just a PIN or biometrics). Essentially, is, however inconceivable it might be that it gets exfiltrated, that someone's vault is less secure when using the options that provide easier access than typing in your Master Password? Especially if removed from the device in that state and accessed outside of the 1Password App?

It would be good to fully understand how the 'lock' process works versus the full log in and log out when just the Master Password is used to access the app and vault(s). TIA.

1Password Version: n/a
Extension Version: n/a
OS Version: n/a
Browser: n/a


  • Hey there @Mycenius

    First off, you might like to take a look at our 1Password Security Design White Paper, which covers all our security model in depth:

    1Password Security Design White Paper (PDF)

    I'm trying to understand what the state of the 1Password Vault(s) is/are on the local device when you have an app locked or are using Face ID/Touch ID/Windows Hello to access?

    Encrypted, unless 1Password is unlocked. This also applies when using biometrics. For biometrics to work, 1Password lodges a separate (and destructible) secret with the OS. On macOS and iOS, this secret is signed and stored in the Secure Enclave. On Windows, the TPM is used in a similar way.

    On a successful biometric unlock, the OS passes that signed secret back to 1Password and 1Password unlocks. If multiple failed unlock attempts are made, the secret is destroyed and the user will have to unlock 1Password using the account password in order for 1Password to be able to generate and set a new one.

    That secret which could be used to unlock 1Password is kept in the Secure Enclave itself, to use the Apple example. It's not possible for anything except 1Password to interact with any secrets it's stored in the Secure Enclave. The only exception to this would be if the Secure Enclave contents were destroyed as the result of removing the device passcode, resetting all settings, or erasing the device, among others. But then you have a different problem. :)

    1Password's encryption is "spring-loaded", if that makes sense. Restarting the device while 1Password is unlocked won't keep it unlocked, for example. 1Password is held unlocked until you manually lock it, or auto-lock does it for you. Quitting 1Password completely does the same thing. In this context, "lock" means discarding the key which holds 1Password unlocked (and thus, decrypted). That "spring-loadedness" of 1Password kicks in and all vault data is encrypted. Signing out completely removes the account from 1Password and destroys the local encrypted copy of the data from disk. To sign back in, you'd need the full set of credentials (email address, Secret Key, account password) so that 1Password can download the encrypted vault data again.

    I hope that answers your question (and that you find the White Paper useful), but please do let me know if I can be of any further help. :)

    — Grey

  • Mycenius
    Community Member

    Thanks @GreyM1P - much appreciated - and thanks for white paper, will get onto digesting that!

This discussion has been closed.