Reauthorize after setting for 1Password in Safari

This discussion was created from comments split from: How to protect against compromised iPhone passcode.

Comments

  • unhappychappy
    Community Member
    edited March 2023

    One problem I can see is that although you can't unlock 1Password without biometric auth or the master password, that's not always going to be strictly necessary. Try this...

    1. Fail biometric auth and unlock your iPhone with PIN
    2. Try to open 1Password, fail biometric auth, it asks for master password... great... but...
    3. Load Safari, go to a website which you have stored in 1Password... there's your login and password available! The same is not true on macOS.
  • omzaz
    Community Member
    edited March 2023

    "Load Safari, go to a website which you have stored in 1Password... there's your login and password available!"

    Don't know if this is related to a specific setting within 1Password but I get prompted to unlock 1Password. It doesn't auto-fill the login fields for me.

  • unhappychappy
    Community Member
    edited March 2023

    It looks like there is a "reauthorise after" setting for the Safari extension. It seems to default to 1 day, or at least I don't remember changing it. The shortest period is 15 minutes, which is plenty of time for a knowledgeable person to get up to no good! Maybe we can have a shorter option added, like say 1 or 2 minutes?

    Edit: Actually, rethinking this, why doesn't the Safari extension lock whenever the device/1Password locks? This seems to be the case on macOS.

  • unhappychappy
    Community Member

    This, along with the default of "1 day" for Safari extension authorisation makes me start to question the security model of 1Password...

  • Hello @unhappychappy! 👋

    I've split your comments into a separate thread to keep the other thread on-topic and to better focus on your specific concerns. 🙂

    1Password for Safari requires at least iOS 15, and modern iPhones and iPads do a great job of requiring that users have a passcode or Face ID / Touch ID to unlock the device. If your device is locked then no one can unlock it and use 1Password for Safari without first providing your device's passcode or unlocking the device using Face ID / Touch ID.

    The extension by default has "Reauthorize after" set to 1 Day but you can indeed reduce it to 15 minutes if that better fits your personal threat model.

    With the recent concerns about the stealing of iOS passcodes, I can certainly understand the desire to set an even shorter timeout period and, while I can't make any promises, I have added your feature request to our internal tracker so our product team can consider it as they are looking into new features to add to future versions of 1Password for iOS.

    In the meantime, if you are concerned about your iPhone's passcode being stolen you can set a longer and more secure passcode: Set a passcode on iPhone - Apple Support (CA)

    -Dave

    ref: PB-31391551

  • unhappychappy
    Community Member
    edited March 2023

    Thanks for your reply @Dave_1P. I wonder whether it's possible to have the Safari extension have the same lock status as 1Password, just like it does on macOS? In other words, if 1Password itself is locked then so is the extension.

  • @unhappychappy

    On the Mac (as well as on Windows and Linux), our developers have created an integration feature called "Shared Lock State" that allows the 1Password app to communicate with 1Password in the browser. I'm not a developer myself but my understanding is that on iOS we're unable to build the same sort of integration between the app and the browser extension because of how iOS sandboxes apps as well as limitations in the APIs available to us in both iOS and Safari.

    That being said, integration between the app and the browser extension on iOS is something that I wish for as well and I've filed a feature request for this on your behalf. Thank you for the feedback. 🙂

    -Dave

    ref: PB-31394968

This discussion has been closed.