Security Feedback: 1Password App Doesn't Require Master Password If iPhone Passcode Is Changed
I recall that 1Password 7 would require re-entry of your master password if Face ID, for example, was changed, and the user attempted to unlock 1Password. I just tested to see if changing the iPhone passcode has the same effect in 1Password 8 (latest release), and it doesn't. There's been an increase in iPhones being stolen, along with the user's passcode (someone watches over their shoulder, or uses some other social engineering tactic), which is all that's needed to gain access to and entire control of a user's Apple account. My understanding is someone could add an Alternative Appearance, since the threat actor knows the device passcode, and then is able to gain access to 1Password, assuming the user has set up Face ID for 1Password. Can 1Password require re-entry of the Master Password anytime the device credentials are changed (passcode, Face ID, Touch ID, etc.)?
(Edited to clarify and better vet my concern.)
1Password Version: 8.10.1
Extension Version: N/A
OS Version: iOS 16.x.x & macOS 13.2.1
Browser: N/A
Comments
-
Hello @nimvio!
If someone steals your iPhone's passcode and adds an alternate appearance to Face ID on your iPhone, Face ID will be automatically disabled for 1Password and you will be required to enter your account password to re-enable Face ID the next time that you try to unlock the app. You can read more about this here: About Face ID security in 1Password for iOS
Let me know if that answers your concerns. 🙂
-Dave
-
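For readers who want to see the mechanism behind Dave's answer, here is an added Swift example; it is not 1Password's code, and the thread does not say how 1Password implements the check. It uses the documented iOS pieces an app would reach for: a keychain item protected with the `.biometryCurrentSet` access-control flag, which iOS makes unreadable once a face or fingerprint is added or removed, plus `LAContext.evaluatedPolicyDomainState` as a second, explicit comparison. The service name `com.example.vaultkey` is a placeholder.

```swift
import Foundation
import LocalAuthentication
import Security

// Added illustration, not 1Password's implementation. Shows how an app can make
// a biometrically protected secret unusable after the enrolled Face ID / Touch ID
// set changes, forcing a fall back to the account password.

enum BiometricGateError: Error {
    case biometricsUnavailable
    case enrollmentChanged          // the "Face ID disabled, enter password" path
    case keychain(OSStatus)
}

let service = "com.example.vaultkey"  // hypothetical keychain service identifier

/// Opaque fingerprint of the current biometric enrollment, or nil if biometrics
/// cannot be evaluated. The value changes whenever a face/finger is added or removed.
func currentEnrollmentState() -> Data? {
    let ctx = LAContext()
    var err: NSError?
    guard ctx.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &err) else {
        return nil
    }
    return ctx.evaluatedPolicyDomainState
}

/// Store the vault-unlock secret so that only the CURRENT set of enrolled
/// biometrics can release it. If enrollment changes, iOS invalidates the item,
/// so a later read returns errSecItemNotFound instead of the secret.
func storeSecret(_ secret: Data) throws {
    var cfErr: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        nil,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &cfErr
    ) else {
        throw BiometricGateError.biometricsUnavailable
    }

    // Replace any previous copy so the new access control applies.
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
    ]
    SecItemDelete(lookup as CFDictionary)

    var add = lookup
    add[kSecAttrAccessControl as String] = acl
    add[kSecValueData as String] = secret
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw BiometricGateError.keychain(status) }
}

/// Read the secret, prompting for Face ID / Touch ID. `savedState` is the
/// enrollment fingerprint recorded when the secret was stored; a mismatch means
/// someone added an alternate appearance or a new fingerprint since then.
func readSecret(savedState: Data?) throws -> Data {
    if let saved = savedState, let now = currentEnrollmentState(), saved != now {
        throw BiometricGateError.enrollmentChanged
    }

    let ctx = LAContext()
    ctx.localizedReason = "Unlock your vault"
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: ctx,
    ]
    var out: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &out)
    switch status {
    case errSecSuccess:
        guard let data = out as? Data else { throw BiometricGateError.keychain(status) }
        return data
    case errSecItemNotFound:
        // Item was invalidated by an enrollment change: require the account password.
        throw BiometricGateError.enrollmentChanged
    default:
        throw BiometricGateError.keychain(status)
    }
}
```

The point for the thread: with `.biometryCurrentSet`, the secret the app needs to unlock with Face ID stops existing the moment a thief enrolls an alternate appearance, so knowing the device passcode is not enough; the only remaining path is the account password, which the passcode does not reveal.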
Thanks for having this discussion. As I understand Dave's link, nimvio is correct but irrelevant. To restate, yes, someone can steal your phone and change the passcode but they still won't be able to use 1P which relies on either knowing the 1P password or using Face ID which 1) cannot be changed without resetting 1P's secret or 2) will fail and fall back to relying on 1P password.
It would be helpful to other 1P customers if that support article could be expanded to explain not just 1P's internal logic but why the logic effectively blocks someone who has stolen the phone from getting access to a 1P vault. Or provide a link to another support article that explains it.
As an aside, I'm reading other articles (example: https://macandegg.com/2023/02/icloud-account-can-be-taken-over-with-only-iphone-passcode/) that recommend NOT using iOS's builtin password manager. It's been years since I've used it but I guess its rules are simpler. For example, it re-uses the phone's passcode so there's no further way to authenticate the user. So glad I use a 3rd party password mgr.
Do I have this all straight?
-
It sounds like you have it right. 🙂
Based on customer demand, we are planning to add, as an optional feature that is off by default, the ability to unlock 1Password using your iPhone's passcode. When this feature is released I believe that we'll be updating articles such as this to incorporate the new option and expand on the security implications.
-Dave
-
@Dave_1P Is this really necessary considering the bulk of iPhones in use today have Face ID and Touch ID?
-
Using your device passcode to unlock 1Password will be optional and disabled by default. If it's something that you aren't interested in using then you can keep the feature disabled.
-Dave
-
@Dave_1P Well sure, I just don't understand the use case for this feature and wonder whether it's worth focusing resources on?
-
Unlocking 1Password for iOS using a passcode is one of the most requested features that we've received from the forums. I know that a lot of folks here will be happy when it comes out: Building a Better, More Useful 1Password
One example of a use case, that someone shared with me in another thread, is a user whose iPhone's Touch ID sensor no longer works but they can't afford to upgrade their device. Without passcode unlock that user would have to enter their account password each time to unlock 1Password which isn't convenient.
Since this conversation is veering a bit off-topic, and the OP's question has been answered, I'm going to close the thread to save others the notifications. 🙂
-Dave