Questions regarding 1Password 4.5's use of the iOS keychain for Master Password

choorel Junior Member
edited April 2014 in iOS

I noticed that the new version of 1Password that came out today now has a setting under advanced to "Use iOS keychain" to store the Master Password when the PIN code is enabled. Is this really a good thing? Can someone shed some light on whether this is really something that should be done, as I was under the impression that separate is more secure. Many Thanks.


Comments

  • I too would like some more info about this feature. I thought the master password was not really stored anywhere?
    How/when is it saved in the keychain and how can I get it out again?

    Or am I overreacting a little bit here?

    Thanks

  • There is also an option to use a 4 digit PIN (again). If you choose to use the PIN, then the master password can be stored in the iOS keychain.

  • Congratulations on the new update... it simply looks gorgeous, and the new unlock animation is a beauty to behold :)

    I noticed that PIN to unlock now has a toggle in the advanced options that allows to persist the master key to the iOS keychain. To my understanding, this is to allow PIN login during the specified amount of time, even if the operating system has closed the app in the background before the PIN-login period is over. Is that assumption correct?

    If so, can you please describe what that means security wise. Is the actual master password stored in the keychain, or some kind of token that is a mix between the master password and the PIN? Whatever is stored there, how long is it stored? Forever, or only until the master password "grace period" is over?

    I have a ton of sensitive information in my vault, and if my master password could be retrieved from a stolen phone by using the 4 digit iPhone unlock code on the keychain, then I'd rather pass on that comfort feature.

  • Megan

    Team Member
    edited April 2014

    Hi @choorel‌, @The_caveman‌, Mac User and @melb00m‌,

    Thanks for asking about this!

    1Password 4.5 features a newly designed PIN code which will provide users with a more consistent experience.

    In earlier versions of 1Password 4 for iOS, the lock settings were dependent on 1Password remaining open in the background. When the iOS would quit the app to reclaim memory resources, users would be prompted for their Master Password upon re-opening, regardless what their auto-lock settings were.

    By providing the option to store your Master Password in the iOS keychain, we are able to respect users' PIN code settings, even if the iOS closes 1Password in the background.

    To ensure that users are aware of this new behaviour, the PIN code is not automatically enabled for users who have migrated from an earlier version and will need to be manually enabled.

    Please note that we recommend using this feature only if you have enabled a device passcode on iOS.

    As a security feature, if you mistype the PIN code once it will clear the iOS keychain and require the Master Password to be typed to access your database.

    If you do not wish to store your Master Password in the iOS keychain, you can disable 'use the iOS keychain' in Settings > Advanced. This will allow you to access 1Password using the PIN code until the iOS closes the app in the background, after which point your Master Password will again be required.

    I hope this helps to explain things, but we're here if you have any further questions!

  • @Megan - does switching the option to store the master password in the iOS keychain to Off also remove the master password from the iOS keychain? When I turned on the PIN code option, it seemed I had no choice but to allow storage of the master password, so it did go there. I'd like to be sure it is removed.

  • Megan

    Team Member

    Hi @hawkmoth‌

    Thanks for the question! Toggling the 'Use the iOS keychain' option in Settings > Advanced to 'OFF' will wipe the Master Password from the keychain. :)

  • xyglyx Junior Member

    I would have preferred to be told upon enabling the pin code that my master password would be stored in the iOS keychain. I've now disabled this feature, but what if iOS had backed up my keychain to iCloud in the interim? Then my master password would be in my iCloud data, which is secured with a weaker password than my 1Password data.

  • If I decide to store my master password in the iOS keychain, how is it encrypted in ios7? With my devices hardware key?
    Is it backed up to iCloud? Does it ever leave my iOS device? What exactly is stored eg handed over to iOS? My password in clear text or an encrypted password (for example: encrypted with unlock code)? thanks

  • Here is a credible scientific resource referring to the security of iOS7 keychain and iCloud. A great service and source for security questions approached scientifically versus so many "opinions" generally found in the Internet (absolutely NOT true for agilebits though!). You don't need to register to download the pdf but simply can see the slide show at the bottom of the page. My conclusion based on what I read is that I won't use either keychain or iCloud for 1Password related matters - but this is a personal decision which everyone can make themselves based on the information provided in the article. Another absolutely key conclusion is never ever using "Simple iCloud Security Code" which basically most people I know actually do! Advanced security options are well explained in the article.

    https://viaforensics.com/articles-presentations/icloud-keychain-ios-7-data-protection-passwords-13.html

  • Just found also this YouTube video of the guy presenting the slides at a conference in Bergen which actually was sponsored also by agilebits. Maybe it's a bit easier to follow this one versus just the slides.

    youtube.com/watch?v=qI8FHIWir0U#t=216

  • edited April 2014

    I would have preferred to be told upon enabling the pin code that my master password would be stored in the iOS keychain.

    I 100% agree and I absolutely don't understand how they could make that the default setting (= passing the probably most important password to the four-digit-secured iCloud chain without asking the user!).

    I disabled the setting and set a new (complex) iCloud Keychain password. Probably I will change 1Password's master password too.

    Thanks, pawo, for the link to viaforensics!

  • jpgoldberg Agile Customer Care

    Team Member

    These are all excellent questions. Let me try to give an initial explanation here (subject to expansion as I find better ways of explaining this). A full explanation requires some understanding of how the QUC works and how the iOS keychain works. So let me start off with a short, approximate, explanation.

    Short (approximate) answer

    In 1Password for iOS 4.5, setting the PIN (or "Quick Unlock Code" (QUC) as we were calling it) will optionally set things so that an obfuscated version of your Master Password will be temporarily stored within the iOS keychain. You can turn this off in Settings > Advanced.

    That obfuscated Master Password never leaves your device, even if you have iCloud keychain synching on. It is only stored temporarily in that 1Password (if it has the opportunity) will remove it from the iOS keychain once the Master Password "Request after" time has expired.

    Risks (short version)

    There may be some instances where 1Password does not have the opportunity to remove an expired copy from the iOS keychain. An attacker who gets at your device during this time could recover your Master Password if they can (a) unlock the phone, (b) jailbreak the device (so that something other than the 1Password app can get at keychain data that belongs to 1Password), and (c) defeat our obfuscation of the Master Password.

    Why are we doing this?

    The PIN (or QUC as we were calling it) was behaving differently depending on whether people exited 1Password or fully quit 1Password. This is not a distinction people are really attuned to, and so it was causing confusion and making the QUC behave unreliably with respect to normal expectations.

    Suppose you've set "Request After" to 10 minutes for your Master Password, and you've set your PIN code to "lock on exit". Now suppose you exit 1Password at noon, 12:00, and at 12:01 you fully quit 1Password. (Not just exit but fully quit the application.) Now suppose that you relaunch 1Password at 12:05.

    If you have "Use iOS keychain" set to "On" you will be prompted only for your PIN. 1Password will be able to unlock your data by using the obfuscated version of your Master password stored in the iOS Keychain. If, on the other hand, you had Use iOS keychain set to "Off" (the old behavior) you would need to enter your Master Password if 1Password had been fully quit in the intervening time.

    If instead of relaunching at 12:05, you relaunched 1Password at 12:11, then you will need to enter your Master Password in both cases.

    How the PIN works

    How unlocking works

    Your data is encrypted with a bunch of encryption keys. For simplicity, I will pretend it is one "master key". The master key is derived from your Master Password.

    When your 1Password data is unlocked, the 1Password application has that master key in its memory. When the data is fully locked, 1Password removes that master key from its memory. The only way to get that master key is to process your Master Password.

    The setting for "Request Master Password After N minutes" in Settings > Security is telling 1Password when to throw away that master key.

    Any time you are prompted for your Master Password, 1Password does not have the master key. Any time you are prompted for your PIN (in 1Password 4) 1Password does have the key, and is just granting access to the application itself.

    If 1Password is fully quit, then it forgets everything that was only in its memory, including the master key.

    PIN then and now

    In 1Password for iOS 4.x where 0 ≤ x < 5 the Quick Unlock Code (QUC) stored nothing. The QUC provided access to the application itself, which still had your data unlocked because the 1Password application still had the master key in its memory. If the application was fully quit, then 1Password would not have the master key when it relaunched and so would

    In 1Password for iOS 4.5 with the Use iOS keychain option set, when you enter your Master Password an obfuscated copy of it will be stored in your iOS keychain with the tightest iOS keychain settings set (kSecAttrAccessibleWhenUnlockedThisDeviceOnly).

    When the "Request after" time has expired, 1Password will remove the keychain item. It will also remove it when you explicitly lock 1Password or enter the wrong PIN. So in normal circumstances this will only be in the keychain when 1Password is supposed to be unlocked anyway.

    iOS Keychain protection

    The iOS (and OS X) keychains are used for storing small secrets on behalf of individual apps. For example, Mail (iOS and OS X) will store your email login passwords in there; likewise iOS apps like the Facebook application will store your Facebook login credentials in the iOS keychain. 1Password uses the iOS keychain for your Dropbox authentication token, which is why you don't have to re-login to Dropbox every time 1Password synchronizes data with it. Your PIN code is also stored within the iOS keychain.

    Some items in the iOS (and OS X) keychain can be designated for synching via iCloud. But items which are not explicitly labelled as such will not synchronize. Nothing that 1Password puts into the iOS keychain is set for such synching.

    There are lots of different data protection settings that can be set for things stored in the iOS keychain. Some things can only be decrypted when your device is unlocked. Some things are also encrypted using a key that is unique to the physical hardware of the individual chip and so can only ever be decrypted on the particular device itself. 1Password uses both of those restrictions, setting what it stores in the iOS keychain with the attribute kSecAttrAccessibleWhenUnlockedThisDeviceOnly.

    An additional layer of protection is that iOS only lets the "owning" application get access to a particular item. Although technically there is just one iOS keychain database, in effect there is a separate one for each application. Thus an attacker would need to jailbreak a device to get around that protection.

    Additional protections

    1Password attempts to keep the obfuscated Master Password in the iOS keychain for only as long as necessary. 1Password will remove it when you explicitly lock 1Password, when you enter the wrong PIN, and when the Request Master Password time has been reached. If 1Password fully quits prior to the time out and isn't restarted later, then it is possible for this to remain in the iOS keychain longer than desired, but that is where all of the other iOS keychain protections kick in.

    I've mentioned already that 1Password stores only an obfuscated version of the Master Password when using the Use iOS keychain option with your PIN. Security by obscurity is never something to bet the farm on, but it does provide yet an additional hurdle for the attacker. In the interests of obscurity, I will not go into details of how that obfuscation works.

    Stopping for now

    I will probably expand/clean-up/clarify this posting for our documentation at some point, but let me get this version out to you all now.
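
The storage pattern described in the post above (a keychain item readable only while the device is unlocked, bound to this device, not marked for iCloud sync, and removed on lock, wrong PIN or timeout), as an added Swift example that is not part of the original thread and is not AgileBits' code. The `TemporarySecretStore` type, the service and account names, and keeping the expiry time in the item's comment attribute are assumptions made for illustration; the secret is assumed to be already obfuscated by the caller.

```swift
import Foundation
import Security

/// Hypothetical helper: keeps a short-lived secret in the iOS keychain.
struct TemporarySecretStore {
    // Assumed identifiers, not taken from 1Password.
    let service = "com.example.vault.quick-unlock"
    let account = "obfuscated-master-secret"

    private var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Store the secret together with the time after which it must not be used.
    func save(_ secret: Data, expiresAt: Date) -> OSStatus {
        clear()  // never leave an older copy behind
        var query = baseQuery
        query[kSecValueData as String] = secret
        // Decryptable only while the device is unlocked, and only on this device
        // (the item does not migrate through backups restored elsewhere).
        query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        // Not marked for iCloud Keychain sync (also the default when omitted).
        query[kSecAttrSynchronizable as String] = false
        // Assumption: expiry travels with the item so a relaunch can enforce it.
        query[kSecAttrComment as String] = String(expiresAt.timeIntervalSince1970)
        return SecItemAdd(query as CFDictionary, nil)
    }

    /// Return the secret only if it exists and has not expired; otherwise wipe it.
    func load(now: Date = Date()) -> Data? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecReturnAttributes as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
              let item = result as? [String: Any],
              let data = item[kSecValueData as String] as? Data,
              let comment = item[kSecAttrComment as String] as? String,
              let expiry = TimeInterval(comment),
              now.timeIntervalSince1970 < expiry
        else {
            clear()  // fail closed: missing, unreadable or expired
            return nil
        }
        return data
    }

    /// Call on explicit lock, on a wrong PIN, and when the timeout is reached.
    @discardableResult
    func clear() -> OSStatus {
        SecItemDelete(baseQuery as CFDictionary)
    }
}
```

Because the expiry check runs in `load`, an item left behind when the app was fully quit is removed the next time the app tries to use it, which is the residual window the post describes.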

  • Thanks, @jpgoldberg‌, that's very helpful and reassuring. I think I will go back now and reenable 1Password's relationship with the iOS keychain.

  • Some items in the iOS (and OS X) keychain can be designated for synching via iCloud. But items which are not explicitly labelled as such will not synchronize. Nothing that 1Password puts into the iOS keychain is set for such synching.

    Thanks a lot @jpgoldberg, for the excellent explanation of what happens locally on the device. As some of the expressed concerns were relating particularly to iOS keychain synching with iCloud and also the link I had provided was referring to that issue, please let me clarify and confirm my understanding: whatever issues and security considerations around iOS keychain iCloud synching, those are all irrelevant because 1Password will never ever set the QUC or the obfuscated version of the Master Password in the local iOS keychain to be synched with iCloud, right? Thanks.

  • edited April 2014

    Thanks for the detailed info, jpgoldberg. The most significant part (for my concerns) is the statement "That obfuscated Master Password never leaves your device, even if you have iCloud keychain synching on. […] Nothing that 1Password puts into the iOS keychain is set for such synching."

    That means it should be safe to turn on again "Use iOS keychain", with PIN and 'never requesting the master password' on my iPad that never leaves home.

    However on the iPhone I will not reenable iOS Keychain – at least for the moment. Maybe later, once I've got over the horror caused by spotting the enabled "use keychain" switch ;-)

  • littlebobbytables 1Password Alumni

    Can I humbly suggest ensuring that excellent description makes it somewhere on the website to highlight that AgileBits are hardcore about security? So informative!

  • Thanks for the explanation @jpgoldberg‌. I know you guys think these issues through, but it's comforting to have it explained. I do appreciate the option to keep the PIN code accessible even when 1Password closes in the background.

  • jpgoldberg Agile Customer Care

    Team Member

    I'm glad that that helped.

    A lot of the "first drafts" of our documentation appear here. So yes, my description will make it into the documentation. Probably in two forms. A short note on what the Use iOS keychain is all about, and the longer, fuller explanation of how things work.

  • Thank you, @jpgoldberg‌ , for clearing things up.

  • @jpgoldberg‌ A superb explanation and most helpful. Thank you.

  • ahankins
    edited June 2014

    I've been searching for an answer to a small annoyance that I'm continuing to experience with 4.5.X. This post by @jpgoldberg explained perfectly how the iOS keychain is supposed to work but I'm still having an issue where my Master Password is being requested when I believe it shouldn't.

    I have my security settings set as follows:

    "Use iOS keychain" is on

    Master Password "Request After" is set to never

    "PIN Code" is on & set to request the code after 5 min

    Maybe about once a day or once every other day, my iPhone will request my Master Password. I believe if I'm understanding this correctly, 1Password should not ask me for my Master Password unless I type it in wrong. Even after rebooting the phone.

    Whenever 1Password requests my Master Password, force quitting the app and relaunching will prompt me for the PIN Code as expected. Is this a bug or is this expected behavior?

    Thanks in advance!

    iPhone 5S 7.1.1
    1Password for iOS v 4.5.3

  • I'm having the exact same issue as @ahankins‌.

  • Jasper

    Team Member

    Hi guys,

    We're currently investigating a few rare cases where you are wrongly prompted for the Master Password instead of the PIN code. A workaround currently, as mentioned above, is force quitting the app and re-opening it — that should fix the issue. I'm sorry for the trouble! Our developers are working to get this fixed.


  • Thank you @JasperP at least I know I'm not going crazy now. :D

  • Megan

    Team Member

    Hi @ahankins‌

    I'm sorry that you were starting to feel a bit crazy, but I'm glad that @JasperP's statement helped. If you have any further questions, we're here for you! :)

  • Very helpful explanation jpgoldberg...thank you! :)

  • Jasper

    Team Member

    On behalf of jpgoldberg, you're welcome! :)

  • benfdc Perspective Giving Member

    When one uses the multiple vault feature in 1P/iOS, are the master passwords to secondary vaults stored in the iOS keychain or in the primary vault? If the latter, how are they protected?

    Related: If I establish a connection to a secondary vault on my iPhone, can that be detected by analyzing the primary vault on my Mac?

  • Megan

    Team Member

    Hi @benfdc,

    The Master Passwords for secondary vaults are stored within the database of the primary vault. They are not stored in the iOS keychain. They will unlock when your primary vault is unlocked.

    If I establish a connection to a secondary vault on my iPhone, can that be detected by analyzing the primary vault on my Mac?

    As far as I know, there is no way for you to discern from the primary vault on your Mac if you have connected to a secondary vault on your iOS device. For a more in-depth response, you might have to wait and see what @jpgoldberg‌ has to say, this is slightly beyond my technical ken. :)

  • benfdc Perspective Giving Member

    As far as I know, there is no way for you to discern from the primary vault on your Mac if you have connected to a secondary vault on your iOS device.

    I think that this sort of thing should be transparent to the user. I should be able to manage the information stored in my keychain, and I cannot manage what I cannot see.

This discussion has been closed.