iOS Vulnerability and 1Password Security

pdp11
Community Member

Interesting article in Wired magazine describing how advanced hackers (including law enforcement and other government entities) are gaining access to iOS devices. Central point is that encryption keys used by most apps - according to Johns Hopkins - are stored in After First Unlock (AFU) storage vs. Complete Protection after an iOS device has booted and been unlocked one time. Access to these keys is possible in the clear using any iOS vulnerability. Apps can use the Complete Protection storage for encryption keys but only at their option. Given what most of us have stored in our 1Password vault, it would be nice to know if iOS 1Password stores encryption keys in Complete Protection vs. AFU.

Note that Android doesn't even provide a Complete Protection option so 1Password data is available to anyone with access to an Android vulnerability (assuming the device is powered up and has been unlocked at least once).

Link to article: https://www.wired.com/story/smartphone-encryption-law-enforcement-tools/



Comments

  • ag_ana
    1Password Alumni

    Hi @pdp11!

    I just wanted to let you know that I have sent your question to our security team :) We will get back to you here as soon as possible.

  • Lars
    1Password Alumni
    edited January 2021

    Welcome to the forum, @pdp11! I read that article with interest as well, happy to discuss how it relates to 1Password. Put simply, 1Password is likely different than most of whatever else is on your iOS device. What I mean by that is that we use our own encryption (AES256), which is separate from iOS encryption, to encrypt your data. The keys are secured by your Master Password (and to a lesser degree, your Secret Key). The encryption key is derived anew each time you enter your Master Password into 1Password for iOS, and it is not stored anywhere on your device when 1Password is fully locked.

    If you enable biometry (either Face ID or Touch ID), your 1Password data is still protected by your Master Password, but 1Password stores in the iOS Keychain an obfuscated version of a secret that is equivalent to your Master Password. The secret is used to unlock 1Password when your fingerprint or face is recognized. The links above have some additional information and tips on how to tighten security on an iOS device, if you're interested, but the bottom line is that you can lock 1Password on your iOS device at any time by tapping Settings > Security > Lock Now in 1Password. This will require your Master Password, not biometry, on next unlock. You can also do this more automatically by choosing Settings > Advanced > Security > Require Master Password After: Device Restart. With this setting enabled, turning off your device will cause 1Password to require your Master Password the next time you open 1Password after restarting the device. Finally, if you don't mind the inconvenience, you can simply disable Touch ID or Face ID altogether in 1Password, which would require your Master Password every time you unlock it. Finally, don't forget to also set "Lock on Exit" and set the auto-lock timeout to a comfortably short period -- from 1 minute to 1 hour.

    It's also good to keep in mind -- as that Wired article points out -- that the types of attacks described therein require both physical access to a device as well as specialized smartphone access tools. If your estimation of your own threat profile leads you to conclude you will regularly be a person of interest to people or organizations with the finances and the interest in acquiring such tools and the desire to use them on you specifically, then you might wish to take the additional step and inconvenience of leaving your devices fully powered off when not directly in use, or at least to turn them off prior to any expected encounters with such people. 1Password itself can help you with the use of Travel Mode, which entirely removes any vaults not marked "Safe for Travel" from your device(s). And again, on your devices themselves, tapping Settings > Security > Lock Now will mean your Master Password is required to unlock 1Password the next time it's launched, even if an attacker is able to unlock your device itself.

  • pdp11
    Community Member

    Lars, thanks for the feedback. I’m glad to hear 1Password uses its own encryption engine vs iOS APIs. If I read your “Lock Now” suggestion, that is for protection if Apple places the encryption key for access to iOS KeyChain itself in the AFU space vs. Complete Protection? I sure hope they don’t do that but we’re unlikely to be told one way or the other.

    I appreciate that this type of attack will be rare and requires physical access. However, as someone who has had a device taken from me and brought to a back room (“just to verify the serial number is valid”) by a certain large Asian country not known for its freedoms, I’m going to take note of these recommendations :-)

  • Lars
    1Password Alumni

    @pdp11 - speaking not for 1Password but just for myself, if I were traveling to some of the countries on the globe where routine electronic surveillance of an invasive nature was known to be common, I might consider taking a "burner" device if I absolutely required one, or simply forgoing devices entirely for the duration of my visit, if that were an option. If you must travel to such places and you also expect to need one or more of your devices, I would take advantage of all the security protections you can - turn on full disk encryption if it is not already, choose a long and strong device password (in addition to your Master Password), tighten the timeout settings in 1Password and/or temporarily disable biometry, and make use of Travel Mode to remove sensitive vaults altogether from your device(s).

  • 55208wcgk
    Community Member

    Interesting conversation.

    Lars, how is the "Wired" issue addressed on Windows 10 PCs & Android devices (phones)?

    Thanks

  • Lars
    1Password Alumni

    @55208wcgk - the Wired article referred only to mobile operating systems/devices, so Windows PCs aren't really in-scope there, though if you'd like to read more in general about 1Password’s security model or about 1Password 7 for Windows, those are good jumping-off points.

    As far as Android is concerned, the answer would be "similarly" - on every platform, we are not depending on the OS's own keychain, but rather our own implementation of AES256. If you don't enable biometry, then you will be required to enter your Master Password every time you use 1Password on your Android device. This is arguably the most secure method of using 1Password anywhere, as we do not store your Master Password or secrets equivalent to it anywhere on disk when you do it this way, and the encryption keys necessary to decrypt your 1Password data are required to be derived anew -- by entering your Master Password -- each time you launch 1Password.

    When you turn on Biometric Unlock in 1Password for Android, the following is how we keep it secure:

    1Password stores an encrypted version of a secret that is equivalent to your Master Password:

    1. Random Key. 1Password generates a Random Key that requires authentication. This Random Key is saved in the Android Keystore.
    2. Authenticated Key. 1Password prompts to scan your fingerprint, face, or eyes, which it uses to authenticate that Random Key. The Authenticated Key is never stored on your device.
    3. Master Key. 1Password uses the Authenticated Key to encrypt a copy of the Master Key. This encrypted Master Key is saved in the sandboxed preferences for 1Password.

    There are now two encrypted copies of the Master Key: one encrypted with your Master Password and one encrypted with the Authenticated Key. This makes sure that use of Biometric Unlock is cryptographically enforced:

    • Your data can’t be decrypted without the Master Key.
    • The Master Key can’t be decrypted without the Authenticated Key.
    • The Authenticated Key can’t be generated without authenticating your fingerprint, face, or eyes.
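
One way to build the three-step flow described in the post above with the Android Keystore. This is an added example, not 1Password's code and not part of the original post; the key alias, function names and the choice of AES-GCM are assumptions, and it targets API 24 or later.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical alias; not a name used by 1Password.
private const val WRAP_KEY_ALIAS = "example_biometric_wrap_key"

// Step 1 (Random Key): an AES key generated inside the Android Keystore that
// cannot be used for any operation until the user authenticates.
fun createWrappingKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        WRAP_KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setUserAuthenticationRequired(true)       // key is unusable without auth
        .setInvalidatedByBiometricEnrollment(true) // new enrollment invalidates the key
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}

// Step 2 (Authenticated Key): a cipher bound to that key. Hand it to
// BiometricPrompt.CryptoObject(cipher); it only becomes usable after a
// successful biometric scan. Pass the stored IV when unwrapping.
fun cipherForPrompt(mode: Int, iv: ByteArray? = null): Cipher {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = keyStore.getKey(WRAP_KEY_ALIAS, null) as SecretKey
    return Cipher.getInstance("AES/GCM/NoPadding").apply {
        if (iv == null) init(mode, key) else init(mode, key, GCMParameterSpec(128, iv))
    }
}

// Step 3 (Master Key): after authentication, wrap the master key. Store the
// IV and ciphertext in app-private storage; the plaintext never touches disk.
fun wrapMasterKey(authenticated: Cipher, masterKey: ByteArray): Pair<ByteArray, ByteArray> =
    authenticated.iv to authenticated.doFinal(masterKey)

fun unwrapMasterKey(authenticated: Cipher, wrapped: ByteArray): ByteArray =
    authenticated.doFinal(wrapped)
```

Calling `doFinal` on a cipher that has not passed through a successful biometric prompt throws `UserNotAuthenticatedException`, which is the cryptographic enforcement the bullet list describes.
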
This discussion has been closed.