How did 1Password automatically know my account on a new Mac?

Swerve
Community Member
in Mac

Hello,

I'm curious about something I encountered recently...

I was setting up a new Mac. I had not transferred any of my data over, but I did sign in to my Apple ID. Upon installing and opening 1Password, it already had my email address, and just prompted me for my password.

How is this possible? I have iCloud Keychain turned off, so I didn't think any app credentials would sync to my new Mac. The last time I installed 1Password on a Mac (years ago), I believe it prompted me for my email, secret key, and password. I was expecting the same thing this time around.

After some digging, I noticed that the Keychain Access app on my Mac had three AgileBits entries, two of which were last modified on the date of installation, but one of which was last modified years ago, and belonged to a "com.agilebits.onepassword-ios" access group. The "password" in that entry was my email address. (The passwords in the other two entries were my secret key). I'm not too familiar with the Keychain Access app, but is that where the new installation of 1Password got my email address from? And if so, it just brings me back to my earlier question - why is it there? I thought it would have only been there if I turned on iCloud Keychain. It's a little confusing, to be honest.


1Password Version: 8.10.34
Extension Version: Not Provided
OS Version: macOS 14.5
Browser: Not Provided

Comments

  • lmilsfsd
    Community Member

    Hi Swerve. When signing into iCloud on a new Mac, Apple automatically toggles most iCloud services, including iCloud Keychain, to the on position. Syncing occurs immediately thereafter, and the user is forced to wait a moment until the iCloud service toggles can be manually controlled. Even after disabling iCloud Keychain, synced entries can and often do remain on the system.

    At some point in the past, likely after an upgrade, iCloud Keychain was enabled on one of your Mac devices and the entries you're seeing for AgileBits were synced to the cloud. After installing 1Password on your new Mac, 1Password referenced the entries that were present in iCloud to assist in setting up your new device.

  • Nice job @lmilsfsd

    @Swerve

    Let us know if you have any questions.

  • Swerve
    Community Member

    Oh, well that's.... frustrating. Seems like Apple is harvesting information without my consent.

    Is there any way to get around it? I don't want Apple sweeping up my 1Password credentials. I know iCloud Keychain should be end-to-end encrypted, but still - I'd rather not give them stuff that they don't need in the first place.

  • No, there is not a way to disable the feature. The keychain entry is encrypted. You're not supplying the information to Apple. It is there for your use and yours alone.

  • Swerve
    Community Member

    I meant the uploading part that @lmilsfsd described. Not the keychain itself. I have no problem with the credentials being in the keychain on my Mac; I just don't want them to be in the iCloud Keychain on Apple's servers.

  • lmilsfsd
    Community Member

    @Swerve The issue you're concerned about is related to how Apple activates iCloud on new devices, which inevitably syncs data to iCloud before a user can manually deactivate the service via the toggles in the 'Apps Using iCloud' settings.

    That said, according to Apple, "Keychain items are transferred from device to device, traveling through Apple servers, but are encrypted end-to-end so that Apple and other devices can’t read their contents."

    You may wish to report feedback related to this concern to Apple on either of these pages.

    https://www.apple.com/feedback/icloud.html
    https://www.apple.com/feedback/macos/

    The Keychain entry for 1Password contains the account key, account name, email address, the last used date, your 1Password URL (custom subdomain if business, teams), and a UUID. Your 1Password password is never stored in Keychain by 1Password.

  • ag_tommy
    edited July 2

    The only possible way would be to disable keychain syncing, which would likely stop many Apple services from working. If you look at keychain, it includes entries of many kinds. The entries for 1Password do not include your account password. They are encrypted. They contain your Secret Key, which is known on any device you use. If it were not, then you'd need to enter it on each device.

    https://1passwordstatic.com/files/security/1password-white-paper.pdf

    Our two-secret key derivation mixes your locally held
    Secret Key with your account password so that data we store cannot
    be used in cracking attempts.

    --

    Encrypted copies of your Secret Key are stored in your device backups and keychains to provide data loss protection. If you have iCloud Drive enabled and lose your Mac, iPhone, or iPad, you can restore from a backup and unlock 1Password with just your Password.

  • Swerve
    Community Member

    Apologies for the late reply. I have a bad habit of disappearing from threads.

    Thank you @lmilsfsd for your explanation. I do understand that iCloud Keychain is supposed to be end-to-end encrypted, but I'm a little paranoid, so I still don't want to be giving companies data that isn't necessary to operate their services. I'm no security expert, but the saying "no computer system is 100% secure" always goes through my head in situations like these.

    I could send Apple feedback, but I get the feeling that would be like screaming into a void.

    @ag_tommy It seems like you're on a different page than @lmilsfsd and me. I don't want to disable iCloud Keychain entirely; I just want to prevent it from sweeping up my 1Password info. But based on what @lmilsfsd is saying, that doesn't seem to be possible at the moment.

  • @Swerve

    Thanks for the reply. Just to clarify, iCloud Keychain isn't "sweeping up [your] 1Password info"; instead, 1Password is deliberately storing encrypted account information in the iCloud Keychain as a convenience and data access preservation feature. The information contains an equivalent to the contents of your Emergency Kit: your account password, your email address, and your Secret Key. It does not contain your account password.

    It's also important to remember that the Secret Key alone is not enough to access your 1Password account. Someone would need your 1Password account password in addition to the Secret Key to log into your 1Password account and decrypt the data within it.

    Apple's iCloud Keychain is very secure. The data stored in the iCloud Keychain is secured using end-to-end encryption which means that no one, including Apple themselves, can see what's being stored there.

    If you wish, you can also enable two-factor authentication for your account to add additional security: Turn on two-factor authentication for your 1Password account

    -Dave
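
An added example, not part of the thread and not 1Password's code: a simplified Python sketch of the two-secret idea quoted from the white paper and restated in the last reply, showing that a derived key needs both the account password and the Secret Key. The construction details (PBKDF2 plus HKDF combined with XOR, the iteration count, the `info` labels) and every sample value are assumptions made for illustration.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def two_secret_key(password: str, secret_key: str, email: str, salt: bytes,
                   iterations: int = 100_000) -> bytes:
    """Combine a memorised password and a device-held Secret Key into one key."""
    who = email.lower().encode()
    # Slow, salted hash of the low-entropy secret (the password).
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  hkdf_sha256(salt, who, b"pw-salt"), iterations)
    # Fast expansion of the high-entropy secret (the Secret Key).
    sk_part = hkdf_sha256(secret_key.encode(), who, b"secret-key")
    # XOR: the result cannot be reproduced unless both halves are known.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

# Constructed sample values, not real credentials.
EMAIL = "user@example.com"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD = "correct horse battery staple"
SECRET_KEY = "A3-SAMPLE-000000-00000-00000-00000-00000"
TARGET = two_secret_key(PASSWORD, SECRET_KEY, EMAIL, SALT)

def guess_succeeds(password_guess: str, secret_key_guess: str) -> bool:
    """True only if the guessed pair reproduces the account's derived key."""
    candidate = two_secret_key(password_guess, secret_key_guess, EMAIL, SALT)
    return hmac.compare_digest(candidate, TARGET)

if __name__ == "__main__":
    # Holder of the keychain entry only (email + Secret Key, no password).
    print("Secret Key, wrong password:", guess_succeeds("password123", SECRET_KEY))
    # Holder of the password only (no Secret Key from the device).
    print("password, wrong Secret Key:",
          guess_succeeds(PASSWORD, "A3-OTHER0-000000-00000-00000-00000-00000"))
    print("both secrets:", guess_succeeds(PASSWORD, SECRET_KEY))
```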