Forum Discussion
Former Member
2 years ago
How to protect against compromised iPhone passcode
I am wondering about an unlikely scenario. Let's say I am forced to reveal my iPhone passcode and turn over my iPhone. The unlocked iPhone now has access to all my 1Password stored accounts, and my email accounts, allowing the criminal(s) to access my entire life. Seems bad.
How would you mitigate against this threat? I thought about a hardware 2FA key, but I don't want to have to use that every time I need to log in to a website.
I could not store key passwords (e.g. financial accounts) in 1Password, but that sort of defeats the purpose of a password manager.
Anyone else concerned about this?
Thanks.
- 1P_Dave
Moderator
That's correct. iOS Settings > Passwords is where you'll see passwords that you're storing in iCloud Keychain, not 1Password. 1Password does not, and never has, used iCloud Keychain to store your passwords and other items.
If anyone else sees passwords in that location then I recommend migrating them to 1Password and then removing them from iCloud Keychain: Move your iCloud Passwords from Safari to 1Password
-Dave
- Rene123
New Contributor
This is a big vulnerability! ... With the basic phone passcode they can see all 1Password passwords, as they show up under iOS settings>Passwords! ... This defeats the vault password. If anyone knows how to prevent this, please let us know.
I need to issue a correction. This is no longer a vulnerability, or never was. I deleted all passwords from iOS settings > passwords and they are gone and don't reappear. Staff confirmed that this should never happen as 1pw doesn't write to iOS Settings > passwords.
So even if a thief has my passcode, he still has to break into 1password app, in order to access my passwords.
Thanks for the assistance.
- 1P_Dave
Moderator
Thank you for the feedback. 🙂
-Dave
- 1P_Dave
Moderator
If a thief steals your iPhone's passcode and adds an alternate appearance to Face ID on your iPhone, Face ID will be automatically disabled for 1Password and you will be required to enter your account password to re-enable Face ID the next time that you try to unlock the app. You can read more about this here: About Face ID security in 1Password for iOS
I can see how it would be useful to be able to selectively add or remove vaults from certain devices and I have added your feature request to our internal tracker so our product team can consider it as they are considering new features to add to future versions of 1Password.
At the moment the only way to restrict a vault to only certain devices would be to create a separate "family member" account for yourself in a 1Password Families membership which would only contain that vault and then only add that account to selected devices. It's not an elegant workaround but I'm sharing it in case it helps. 🙂
-Dave
ref: PB-31392749
ref: PB-31392759
- schmudi
Occasional Contributor
If a thief has my passcode and would have me locked out of all my other devices, couldn't he just reset face-id on my iPhone, add his own face to face-id and then open my 1Password vault, as I have previously enabled login with face-id in 1Password?
If this is the case, is the only option to prevent it to disable face-id?
- omzaz
New Contributor
Rene123 Yes, using up two accounts from a family plan is an option. But I'd really prefer to see selective sync and selective secret key access as an option within individual accounts.
Regarding the original topic (presumably related to recent WSJ article) - when it comes to iOS devices (and Android for that matter) I'm not sure there's anything to say beyond what others have already said. If a thief has obtained your device and device passcode they can access your device but not 1Password. To access 1Password they would also need your 1Password master password or ability to dupe the device biometrics.
However, I think there is an issue on Windows (I don't know about Mac). Turning on ability to unlock 1Password on Windows using biometrics (Windows Hello) seems to bring with it the ability to unlock 1Password with the computer Pin/Passcode/Password. As far as I can tell if you want access via biometrics it doesn't seem possible to exclude access via Windows pin/passcode/password.
- Rene123
New Contributor
- Give us a selective sync option for vaults. If this were an option I would put all my most highly sensitive info/passwords (financial accounts / important email accounts) into a vault which I would elect not to sync to my phone.
Can the family feature offer help here? Keep sensitive stuff in a Private vault, and login on the phone with a Shared Vault.
This is going off-topic by the way as the OP was about iPhone passcode exploits