1P allowed me to autofill app with ONLY my iPhone PIN after FaceID failed. Is this normal?

To be clear, I have 1P set to "Lock on Exit" and before I autofilled an app, I locked my phone. Then 1) when I tried to unlock my phone, FaceID wasn't working (on my iPhone), so the iPhone prompted me to use my passcode to unlock. 2) Then when I tried to use 1P to autofill an app, 1P prompted me to use FaceID but my face wasn't recognized, so 1P prompted me to type in my passcode. I have acreenshot that says "FaceID not recognized. Enter iPhone passcode." 3) After typing in my passcode, it autofilled the app and allowed me to login. I NEVER typed in my master password after unlocking my phone. And while I have iCloud Keychain checked in iPhone settings as an AutoFill option along with 1Password, I do not have this password saved to iCloud Keychain. I recreated this twice. Am I missing something? I was able to bypass my master password with a 6-digit passcode.


1Password Version: 7.6.2
Extension Version: Not Provided
OS Version: iOS 13.6.1
Sync Type: Not Provided
Referrer: forum-search:Bypassing master password with iPhone passcode

Comments

  • ag_anaag_ana

    Team Member

    Hi @1PWguy!

    After typing in my passcode, it autofilled the app and allowed me to login. I NEVER typed in my master password after unlocking my phone. And while I have iCloud Keychain checked in iPhone settings as an AutoFill option along with 1Password, I do not have this password saved to iCloud Keychain.

    From what you are writing, I think what you filled was actually coming from iCloud Keychain, not from 1Password. Can you clarify how you know that this password is not saved to iCloud Keychain?

    I have acreenshot that says "FaceID not recognized. Enter iPhone passcode.

    Can you please upload this screenshot here in the forum, if it does not include any personal information? Thank you!


  • Here are my 1P settings. I searched my iCloud Keychain on my iMac to see if it filled my autofilled the app, but the login info is not in my keychain. I will try to recreate with iCloud Keychain turned off

  • ag_anaag_ana

    Team Member

    @1PWguy:

    I will try to recreate with iCloud Keychain turned off

    Sounds good, please let us know what you discover :+1:

    Thank you for the screenshot by the way! I see that your 1Password settings don't mention any PIN, so it's very likely the PIN request came from iOS rather than from 1Password. However, I was referring to the screenshot you mentioned here:

    I have acreenshot that says "FaceID not recognized. Enter iPhone passcode.

    I do not see this message in the screenshot you posted, so I wonder if you were referring to a different screenshot instead. If you could post the one where you see this message, we can let you know if the message is coming from 1Password or from iOS.

  • Clarification, I didn't mean PIN, but passcode.

    Also, I posted 2 screenshots above, so the other one has the message I mentioned.

    Also, confirmed I was able to do it again with iCloud Keychain toggled off. I notice that 1P is suggesting my username first. When I touch it for autofill, it then prompts me to use FaceID. Again, I have it set to lock upon exit. Seems to me, it should be suggesting anything if it is locked, right? See screenshot (I have my username blacked out).

  • *should not be suggesting anything. Sorry typing fast.

  • Behavior is replicated even after restarting my iPhone.

  • Update: This is strange. It will autofill app (even after restart), but if I go to the 1P app itself, 1P if FaceID fails, 1P will not let me login without my master password (as it shouldn't). But within Reddit app, it will let me autofill with my 1P login info. Again, this is with "Lock on Exit" turned on and after restarting my phone and never typing in my 1P master password. I keep deleting and reinstalling Reddit every time I test this.

    So why is 1P autofilling Reddit without typing in my master password when I can't access my login info through the 1P app itself without typing in my master password?

  • Apologies for the multiple messages, but for further troubleshooting info ...
    I have toggled "Lock on Exit" off and back on and then quit 1P app and restarted. Still autofills without asking for master password.

  • BenBen AWS Team

    Team Member

    Hi @1PWguy

    This is expected if using Password Autofill's interface for unlocking, instead of 1Password's (which appears to be the case based on your screenshot). This is outlined along with how to switch to 1Password's interface, here:

    https://support.1password.com/ios-autofill-security/#protect-yourself-when-using-autofill

    I hope that helps!

    Ben

  • Thank you! I had no idea. Is this enabled by default or something? It's likely I granted auto-fill permissions, but certainly would not have done so had I realized my 1P info could be accessed with just my passcode. I just turned it off. I can't believe there's a setting that would enable a passcode to bypass a master password. Can you explain how this works briefly. Like is my master password stored inside an iOS auto-fill code or something?

  • BenBen AWS Team

    Team Member

    iOS's autofill interface is the default on iPhone, with an option to switch to 1Password's interface. I'm going to ask our security team if they can chime in about the implementation details.

    Ben

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file