Forum Discussion

Former Member
2 years ago

How to protect against compromised iPhone passcode

I am wondering about an unlikely scenario. Let's say I am forced to reveal my iPhone passcode and turn over my iPhone. The unlocked iPhone now has access to all my 1Password stored accounts, and my email accounts, allowing the criminal(s) to access my entire life. Seems bad.

How would you mitigate against this threat? I thought about a hardware 2FA key, but I don't want to have to use that every time I need to log in to a website.

I could not store key passwords (e.g. financial accounts) in 1Password, but that sort of defeats the purpose of a password manager.

Anyone else concerned about this?

Thanks.

  • Former Member

    Does anyone know whether a hardware key with Apple 2FA prevents resetting Apple ID with just a trusted device?

  • If you don't set up autofill in the settings app, then you can close that hole in security, I think.

  • Rene123
    New Contributor

    This is a big vulnerability! They don't need to force you at all. Only observe you type in your passcode, and then steal your phone.

    With the basic phone passcode they can see all 1Password passwords, as they show up under iOS Settings > Passwords!

    This defeats the vault password. If anyone knows how to prevent this, please let us know.

    See this article
    https://www.wsj.com/articles/apple-iphone-security-theft-passcode-data-privacya-basic-iphone-feature-helps-criminals-steal-your-digital-life-cbf14b1a

  • I do think about this a lot but there’s not much to be done if you reveal your passcode. Security models generally exclude the scenario of unprotected device access. That said, 1Password will only unlock if given your biometric or the master password, both of which the attacker wouldn’t have with a stolen phone. Not much they can do with your email accounts except receive reset tokens - here is where a hardware key may come in handy but even then many accounts offer the ability to reset if you lose that key. One thing to recognize is that credit cards will often protect you from financial fraud in these situations so as long as you don’t keep a debit card on your phone, that should be remedied. Also you can use Screen Time to restrict access to account, passcode and mail account changes behind a different passcode - I do this. Given that 1Password is not accessible, my hope is that I can get to a computing device fast enough after the theft to deactivate email accounts on the iPhone after it is stolen.

    Outside of that, if you’re in a situation where you’re under threat to life, please go ahead and reveal your passcode. Most fraud of this kind can be remediated, and your life is more precious.