1PW Safari extension remains unlocked after iPad power cycle
I discovered a very surprising feature/bug: cycling power on my iPad results in the 1PW extension for Safari coming up unlocked after restart.
- Unlock or otherwise use the 1PW extension
- Power off the iPad (I mean actual power down, not reboot)
- Power up
- Launch Safari, go to a site needing a login
- Tap on the password field. 1PW is already unlocked and allows for auto fill right now. No authentication.
This seems impossible. After a cold start, there should be no way to access 1PW data without explicitly unlocking it.
1Password Version: 8.10.44
Extension Version: 8.10.44.34
OS Version: iPadOS 17.6.1
Browser: Safari
Comments
-
BTW the 1PW app does not exhibit this behavior. It's just the Safari extension.
0 -
Hello @dmitch77! 👋
Thank you for reaching out! 1Password for Safari on iOS has an independent lock timer from the 1Password for iOS app, which means that the browser extension and the app won't lock at the same time on iOS like they do on other platforms. This was originally due to limitations in iOS; however, the team is looking into possible improvements that can be made based on new features in iOS.
You can choose how often 1Password for Safari locks:
- Open and unlock 1Password.
- Tap the icon for your account or collection at the top left and choose Settings. (If you’re using an iPad, tap your account or collection at the top of the sidebar.)
- Tap on Safari Extension.
- Choose the desired option for "Reauthorize After".
That being said, I've passed your feedback along to the team. Let me know if you have any other questions.
-Dave
ref: dev/core/core#18122
0 -
Thanks for looking into this. Good to know about the different reauth times for the app and the extension.
However, even with the same reauth times (i.e. longer than it takes to reboot), the app and the extension still behave differently. The app always locks on reboot. The extension doesn't. I can't think of a good reason for this - coming up from a cold start, there is no way my secrets should be available in the clear without my explicit unlocking.
0 -
Hopefully improvements can be made in the future. For now, changing "Reauthorize After" to be shorter in duration is the best option. I see that you've also emailed in to our support team; if you have any other questions, please respond to the email that my colleague sent you.
To prevent duplication of efforts, I'll close this thread.
-Dave
ref: QJH-24468-255