Security Feedback: 1Password App Doesn't Require Master Password If iPhone Passcode Is Changed
I recall that 1Password 7 would require re-entry of your master password if Face ID, for example, was changed, and the user attempted to unlock 1Password. I just tested to see if changing the iPhone passcode has the same effect in 1Password 8 (latest release), and it doesn't. There's been an increase in iPhones being stolen, along with the user's passcode (someone watches over their shoulder, or uses some other social engineering tactic), which is all that's needed to gain access to, and entire control of, a user's Apple account. My understanding is someone could add an Alternative Appearance, since the threat actor knows the device passcode, and then is able to gain access to 1Password, assuming the user has set up Face ID for 1Password. Can 1Password require re-entry of the Master Password anytime the device credentials are changed (passcode, Face ID, Touch ID, etc.)?
(Edited to clarify and better vet my concern.)
1Password Version: 8.10.1
Extension Version: N/A
OS Version: iOS 16.x.x & macOS 13.2.1