Forum Discussion
Former Member
2 years ago
How to protect against compromised iPhone passcode
I am wondering about an unlikely scenario. Let's say I am forced to reveal my iPhone passcode and turn over my iPhone. The unlocked iPhone now has access to all my 1Password stored accounts, and my email accounts, allowing the criminal(s) to access my entire life. Seems bad.
How would you mitigate against this threat? I thought about a hardware 2FA key, but I don't want to have to use that every time I need to log in to a website.
I could not store key passwords (e.g. financial accounts) in 1Password, but that sort of defeats the purpose of a password manager.
Anyone else concerned about this?
Thanks.
- 1P_Tommy
Moderator
- omzaz
New Contributor
OK, fair enough.
This doesn't really help as it removes the vault from all my devices. I want access to all my vaults on the devices I only use at home (without having to toggle travel mode every time I leave the house).
Even if I turn on travel mode, someone who has obtained my 1Password password by threat of violence can get to my secret key from the stolen mobile device, which they can then use to log into 1Password.com and turn off travel mode to access my most sensitive vaults.
What I really want is the ability to control on a per-device basis whether that device has access to specific vaults and whether it has the ability to set up a new device (i.e. whether or not it can reveal the secret key).
- GreyM1P
1Password Team
- Give us an option to disguise the app icon/name so that it appears as something other than 1Password on the home screen / app list.
iOS forbids developers from changing an app's name, so even if the icon was different, you'd still see "1Password" beneath it, especially in the App Library.
- Give us a selective sync option for vaults. If this were an option I would put all my most highly sensitive info/passwords (financial accounts / important email accounts) into a vault which I would elect not to sync to my phone.
Travel Mode might help with this if you're concerned.
- Give us option to disable secret key access on a per-device basis.
Your Secret Key is only used when signing in to a device for the first time, so could you tell me a bit more about what you're suggesting here?
- omzaz
New Contributor
It's worth mentioning, though, that if you're already in a situation where someone has threatened you to make you reveal one secret (your iPhone passcode), it's quite plausible they'll also want a second (your 1Password account password). By that point, if someone is that determined, there isn't really anything you can do.
I do think there are features 1Password could offer to reduce vulnerability to this kind of attack or impact of it.
Give us an option to disguise the app icon/name so that it appears as something other than 1Password on the home screen / app list.
Give us a selective sync option for vaults. If this were an option I would put all my most highly sensitive info/passwords (financial accounts / important email accounts) into a vault which I would elect not to sync to my phone.
Give us option to disable secret key access on a per-device basis.
- Rene123
New Contributor
[#NNP-45619-569]
- Rene123
New Contributor
Will do - thanks!
I just noticed there are also about 10 items in iOS settings>passwords that all have the website 1password.com, but each item contains a login for various things like Instagram, outlook.com etc., all with the website address 1password.com or my.1password.com.
- GreyM1P
1Password Team
1Password isn't able to write to that list, so something else must be going on. Send us an email at support+forum@1password.com and you'll receive an auto-reply from 🤖 BitBot. It will contain a conversation number, which looks like [#ABC-12345-123] – post that here and I'll be able to make sure your message goes to the right team and we can look into that with you. I look forward to hearing from you. :)
- Rene123
New Contributor
Your 1Password items shouldn't be appearing here! If you imported your passwords from iCloud Keychain, but didn't delete them from Keychain afterwards, that may explain it, but 1Password does not put anything in that list.
Ok, I'm not so sure. Even recently created 1pw items appear in the iOS settings>passwords list. I never click on the "save password" iOS prompt, so it's not that.
- Former Member
Your iPhone passcode cannot unlock 1Password. You need your account password or biometrics (Face ID or Touch ID) to unlock it.
I did not realize this. I thought failed Face ID would always allow iPhone passcode to bypass. If you can't get in to 1Password without master password or FaceID, I don't think there is an issue.
As to be forced to reveal, really I think the compromised pass code (e.g. by inadvertently being captured on camera), followed by an iPhone theft, is what is more likely (though not very likely at all).
- GreyM1P
1Password Team
Hi all.
Just wanted to address a couple of points in this thread:
Let's say I am forced to reveal my iPhone passcode and turn over my iPhone. The unlocked iPhone now has access to all my 1Password stored accounts
Your iPhone passcode cannot unlock 1Password. You need your account password or biometrics (Face ID or Touch ID) to unlock it. It's worth mentioning, though, that if you're already in a situation where someone has threatened you to make you reveal one secret (your iPhone passcode), it's quite plausible they'll also want a second (your 1Password account password).
By that point, if someone is that determined, there isn't really anything you can do.
With the basic phone passcode they can see all 1Password passwords, as they show up under iOS settings>Passwords!
Your 1Password items shouldn't be appearing here! If you imported your passwords from iCloud Keychain, but didn't delete them from Keychain afterwards, that may explain it, but 1Password does not put anything in that list.
— Grey