How to protect against compromised iPhone passcode

I do think about this a lot but there’s not much to be done if you reveal your passcode. Security models generally exclude the scenario of unprotected device access. That said, 1Password will only unlock if given your biometric or the master password, both of which the attacker wouldn’t have with a stolen phone. Not much they can do with your email accounts except receive reset tokens - here is where a hardware key may come in handy but even then many accounts offer the ability to reset if you lose that key. One thing to recognize is that credit cards will often protect you from financial fraud in these situations so as long as you don’t keep a debit card on your phone, that should be remedied. Also you can use Screen Time to restrict access to account, passcode and mail account changes behind a different passcode - I do this. Given that 1Password is not accessible, my hope is that I can get to a computing device fast enough after the theft to deactivate email accounts on the iPhone after it is stolen.

Outside of that, if you’re in a situation where you’re under threat to life, please go ahead and reveal your passcode. Most fraud of this kind can be remediated, and your life is more precious.

If you don't set up autofill in the settings app, then you can close that hole in security, I think.

Your 1Password items shouldn't be appearing here! If you imported your passwords from iCloud Keychain, but didn't delete them from Keychain afterwards, that may explain it, but 1Password does not put anything in that list.

Ok, I'm not so sure. Even recently created 1pw items appear in the iOS settings>passwords list. I never click on "save password" iOS prompt so it's not that

Will do - thanks!

I just noticed there is also about 10 items in iOS settings>passwords that all have the website 1password.com, but each item contains a login for various things like instagram, outlook.com etc. all with the website address 1password.com or my.1password.com

It's worth mentioning, though, that if you're already in a situation where someone has threatened you to make you reveal one secret (your iPhone passcode), it's quite plausible they'll also want a second (your 1Password account password). By that point, if someone is that determined, there isn't really anything you can do.

I do think there are features 1Password could offer to reduce vulnerability to this kind of attack or impact of it.

1. Give us an option to disguise the app icon/name so that it appears as something other than 1Password on the home screen / app list.

2. Give us a selective sync option for vaults. If this were an option I would put all my most highly sensitive info/passwords (financial accounts / important email accounts) into a vault which I would elect not to sync to my phone.

3. Give us option to disable secret key access on a per-device basis.

@GreyM1P

1. OK, fair enough.

2. This doesn't really help as it removes the vault from all my devices. I want access to all my vaults on the devices I only use at home (without having to toggle travel mode every time I leave the house).

3. Even if I turn on travel mode, someone who has obtained my 1Password password by threat of violence can get to my secret key from stolen mobile device which they can then use to log into 1Password.com and turn off travel mode to access my most sensitive vaults.

What I really want is the ability to control on a per-device basis whether that device has access to specific vaults and whether it has the ability to setup a new device (i.e. whether or not it can reveal the secret key).

2. Give us a selective sync option for vaults. If this were an option I would put all my most highly sensitive info/passwords (financial accounts / important email accounts) into a vault which I would elect not to sync to my phone.

Can the family feature offer help here? Keep sensitive stuff in a Private vault, and login on the phone with a Shared Vault.

This is going off-topic by the way as the OP was about iPhone passcode exploits

If a thief has my passcode and would have my locked out of all my other devices. Couldn't he just reset face-id on my iPhone, add his on face to face-id and the open my 1Password vault, as I have previously enabled login with face-id in 1Password?

If this is the case, is the only option to prevent it to disable face-id?

@Dave_1P That's a well appreciated feedback! Thank you for your great work and the amazing security design.

@Dave_1P Thanks for passing on suggestion.

This is a big vulnerability! ... With the basic phone passcode they can see all 1Password passwords, as they show up under iOS settings>Passwords! ... This defeats the vault password. If anyone knows how to prevent this, please let us know.

I need to issue a correction. # This is no longer a vulnerability, or never was. I deleted all passwords from iOS settings > passwords and they are gone and don't reappear. Staff confirmed that this should never happen as 1pw doesn't write to iOS Settings > passwords.

So even if a thief has my passcode, he still has to break into 1password app, in order to access my passwords.

Thanks for the assistance.