iOS 12 Keychain Storing my 1Password Master Password?

rlh
rlh
Community Member

I set up 1Password 7.2 on iOS 12 today. Launching 1Password gives me a lock screen that asks for my Master Password (assuming I hit "Cancel" when it asks for Touch ID). When I select the input field and the keyboard pops up, the new iOS 12 password autofill suggests mydomain.1password.com and my 1Password account email address (I have a Login item for logging onto the web site stored in my Personal vault containing these credentials). Selecting this pastes my Master Password in and unlocks 1Password.

This does not seem right at all! Granted, it requires my Touch ID before it does the pasting but it leaves me with the concern that items inside 1Password are being stored outside 1Password.

Can someone explain if this is expected behavior and perhaps share what information is being stored on my phone (presumably in the local keychain) that used to be solely contained inside 1Password vaults. And even an explanation of what is getting unlocked when.


1Password Version: iOS 7.1
Extension Version: Not Provided
OS Version: iOS 12.0
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    This does not seem right at all! Granted, it requires my Touch ID before it does the pasting but it leaves me with the concern that items inside 1Password are being stored outside 1Password.

    @rlh: That is not the case. Apple simply offers an API we can use to allow you to access data stored in 1Password with your Master Password through the iOS 12 Password Autofill feature. 1Password still secures the data you store in 1Password by encrypting it with your Master Password (which is of course why you needed to enter it, as you described in your comments, in order to fill information stored in 1Password using Autofill). And you will only have things stored outside of 1Password if you use iCloud Keychain or other software to save it. That hasn't changed.

    It sounds like you may also be curious about how Autofill works with regard to your Master Password. Much as with Touch ID, an obfuscated secret must be stored in the iOS Keychain in order for you to be able to access your 1Password data without entering your Master Password every time. This is stored locally and only available to 1Password, enforced by the Secure Enclave in the device. From Apple's documentation:

    Keychain items can only be shared between apps from the same developer. This is managed by requiring third-party apps to use access groups with a prefix allocated to them through the Apple Developer Program through application groups. The prefix requirement and application group uniqueness are enforced through code signing, Provisioning Profiles, and the Apple Developer Program.

    We use a "this device only" policy to ensure this is stored locally, not in iCloud Keychain,
    which is why entering your Master Password on one device to enable Touch ID doesn't allow you to bypass the Master Password on your other devices; you'll still need to enter it there, even to enable Touch ID on those. Definitely check out Apple's excellent iOS 12 Security white paper for more details on how all of this works.

    Long story short, if you're comfortable with the iOS Keychain being used to enabled Touch ID, you'll probably be okay with the same mechanism being used to allow you to use iOS 12 Password Autofill. Cheers! :)

  • rlh
    rlh
    Community Member

    This does not seem right at all! Granted, it requires my Touch ID before it does the pasting but it leaves me with the concern that items inside 1Password are being stored outside 1Password.

    @rlh: That is not the case. Apple simply offers an API we can use to allow you to access data stored in 1Password with your Master Password through the iOS 12 Password Autofill feature.

    Okay, I re-ran my experiment and am satisfied my Master Password is not being stored outside of 1Password:

    1. Did a cold-boot restart of my iPhone
    2. Entered (6 digit) PIN to unlock the screen
    3. Tapped to run 1Password, greeted by lock screen asking for Master Password.
    4. Tapped on text entry box, keyboard slides up and the "(key_icon) Passwords" button is above the top row of keys.
    5. Tapped the Passwords button and a popup dialog says to choose a password, offering "xxx.1password.com" and my email address.
    6. Tapped that entry and I'm thrown back the the 1Password lock screen.

    So all seems to be well with respect to my Master Password. And even in the scenario where someone steals an unlocked phone out of my hand they would still need my Touch ID fingerprint to get past steps #3 or #6.

    And you will only have things stored outside of 1Password if you use iCloud Keychain or other software to save it. That hasn't changed.

    1Password is the only item enabled for password autofill. So here's what I don't understand--in the scenario above, the iOS password system had the 1password.com domain and my email address already outside of 1Password (and showed it to me!). I assume the implication is that once the phone is unlocked, a thief could see every site and email address I have in my keychain. (Admittedly, they would have to probably guess the sites and then go them in Safari to confirm a match.) Do I have that right? Where is that site/logon ID pair being stored?

    I know this is a slightly paranoid scenario but the thought that everything of value is normally stored behind my Master Password or Touch ID makes me comfortable with only a 6 digit PIN. Now I feel like some of my critical information has moved from inside my tower defense to just barely inside the moat.

  • Ben
    Ben
    edited September 2018

    @rlh

    This guide may help: https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf
    Specifically the “User Password Management” section (pp. 73–75).

    I hope that helps!

    Ben

  • AGAlumB
    AGAlumB
    1Password Alumni

    @rlh: I don't keep anything really sensitive on my devices, but I still wouldn't be comfortable with a 6 digit PIN. Those are not difficult to brute force, and I'd just rather not have to worry about it. Simply using alphanumeric makes a huge difference, and I'd recommend using at least 10 characters. After all, it only needs to be entered after rebooting the device when you've got Touch ID or Face ID for unlocking. Just my two cents.

  • rlh
    rlh
    Community Member

    @brenty, my brain agrees with everything you say about the PIN. But I get enough Touch ID failures (wet finger, dry finger) that I end up using the PIN some amount of time. And the huge PIN number pad is so much easier to type on in a hurry than a regular keyboard.

    I guess I owe it to myself to redo my risk assessment...

  • :+1: :)

    Ben

  • amolio
    amolio
    Community Member

    I have a related but different question.

    My setup:

    • I do not have any biometric or PIN codes set for 1Password on my iOS device. I solely use the master password to unlock 1Password on my iOS device.

    • I do have 1Password selected in Passwords & Accounts/AutoFill Passwords.

    • When I encounter a login in Safari or in an application, I see above the keyboard [name of the site] — 1Password followed by the login name associated with the site. When I click on that login name, I am presented with the 1Password screen where I am prompted for my master password.

    My questions:

    • Does the fact that [name of site] and login names are available before unlocking with the master password mean that this information is stored in the local iOS keychain? In other words, that my master password is never required for iOS to see the full list of site names and login names so long as the phone is unlocked?

    • Does using AutoFill in the manner that I have described above mean that my master password is being stored in the iOS keychain in the same way that would occur if I enable biometric or PIN codes even when I am not using biometric or PIN codes?

    • Is it the expected behavior that my master password is required every time I use AutoFill regardless of what I have chosen for “Lock on Exit” and “Auto-Lock” in the 1Password iOS app?

    Thank you.

  • @amolio,

    • Does the fact that [name of site] and login names are available before unlocking with the master password mean that this information is stored in the local iOS keychain? In other words, that my master password is never required for iOS to see the full list of site names and login names so long as the phone is unlocked?

    The username and domain names are put into an apple managed store that lives inside the 1Password sandbox. This store doesn't ever leave the device.

    • Does using AutoFill in the manner that I have described above mean that my master password is being stored in the iOS keychain in the same way that would occur if I enable biometric or PIN codes even when I am not using biometric or PIN codes?

    Your master password is not stored in the iOS keychain, this is why you're prompted for your master password every time you fill. If you were using biometric or pin then you would potentially not be prompted to fill.

    • Is it the expected behavior that my master password is required every time I use AutoFill regardless of what I have chosen for “Lock on Exit” and “Auto-Lock” in the 1Password iOS app?

    Expected behavior to be prompted every time you AutoFill when Biometric/Pin unlock is disabled.

  • rlh
    rlh
    Community Member

    The username and domain names are put into an apple managed store that lives inside the 1Password sandbox. This store doesn't ever leave the device.

    Correct me if I'm wrong, but this means that the "username and domain names" are not protected by my Master Password (and Secret Key). They are only being protected by my iPhone PIN/password or Touch ID.

    I get it that this is Apple's design but if my interpretation is correct I need to contemplate if this new "convenience" is worth the (slightly) reduced security.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited September 2018

    They are only being protected by my iPhone PIN/password or Touch ID.

    @rlh: ..which are protected using a secret derived from your Master Password, which you will have to enter any time biometrics are disabled/unavailable. Otherwise you'll be able to use biometrics just like you can to unlock 1Password itself. This is no different, so I'm not sure what we're getting hung up on here. Certainly you can disable biometrics if you're not comfortable using them at all though. As I mentioned earlier:

    Long story short, if you're comfortable with the iOS Keychain being used to enabled Touch ID, you'll probably be okay with the same mechanism being used to allow you to use iOS 12 Password Autofill.

    The security is the same in both cases.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @rlh: Actually, I misunderstood what you were asking I think. I'll see if I can clear this up. Bear with me.

    Apple’s database for Password Autofill lives inside 1Password's encrypted sandbox, but that's handled by the OS; it is not subject to our encryption. Within its encrypted iOS sandbox, 1Password also encrypts its own data, which is done using your Master Password. This is where things get tricky.

    With Password Autofill, indeed, that information (usernames and domains) is not encrypted using the Master Password either directly or indirectly (or a secret derived from it), but done using unique keys for 1Password's sandbox on the device. So again, usernames and domains used for autofill are not encrypted with the Master Password. In fact, they cannot be since, then autofill would not be able to show you anything at all to choose from.

    However, the stuff 1Password encrypts itself using your Master Password, of course, cannot be decrypted without that. So that's where the derived secret comes in. This is stored in the iOS Keychain when you are using biometrics, so that you can unlock using Touch ID or Face ID instead of your Master Password. That's all sort of old news now, but it matters to build on for the new stuff.

    Now, if you're using biometrics and autofill, when you select a username/domain to fill, you're greeted with a prompt which is not from 1Password, but from iOS (“Touch ID to log in to 'github.com'", for example). Authenticating allows the data actually stored in 1Password to fill. So it sort of appears that the password isn't protected by your Master Password in that case. But what's happening is that this Touch ID/Face ID authentication decrypts the derived secret for your Master Password (from when you enabled it for 1Password), which in turn can be used by 1Password to decrypt your data.

    So in the Github example, the “github.com login” prompt from iOS uses your finger/face to decrypt your Master Password derived secret which in turn decrypts your data in 1Password. Hopefully that makes more sense. I think Rudy will follow up here in a bit with something as well. ;)

  • @rlh,

    Hopefully @brenty's summary answers any of the questions you might have with the current implementation, but let us know if you have any follow-up questions.

    I also talked with the team about an advanced feature we're thinking about, where the QuickType credential store wouldn't get populated at all. The result of that is that you would always have to tap the Key/Passwords item in the QuickType bar, followed by a tap on 1Password… after which you would always be met with the 1Password lock screen. You would then pick the credential you wanted to fill into the context.

  • rlh
    rlh
    Community Member

    @brenty wrote:

    With Password Autofill, indeed, that information (usernames and domains) is not encrypted using the Master Password either directly or indirectly (or a secret derived from it), but done using unique keys for 1Password's sandbox on the device. So again, usernames and domains used for autofill are not encrypted with the Master Password. In fact, they cannot be since, then autofill would not be able to show you anything at all to choose from.

    Yes, so my password is safe but (heaven forbid) someone got access to my unlocked phone they'd be able to get usernames to attempt password resets via SMS (I hate sites that allow that without some way to turn it off) or via social engineering.

    (I guess it's time to definitely switch from PIN to password on the iPhone and train myself to never set my phone down without turning it off via the power button!)

    @rudy wrote:

    I also talked with the team about an advanced feature we're thinking about, where the QuickType credential store wouldn't get populated at all. The result of that is that you would always have to tap the Key/Passwords item in the QuickType bar, followed by a tap on 1Password… after which you would always be met with the 1Password lock screen. You would then pick the credential you wanted to fill into the context.

    This! I want this feature! (Thanks for "leaking" it.)

    Everyone, I truly appreciate the 1Password's team continued openness and desire to respond to all customer requests. Thanks!

  • This! I want this feature! (Thanks for "leaking" it.)

    No promises, but thank you for the feedback. :) And thanks for the kind words.

    Ben

This discussion has been closed.