Security Feedback: 1Password App Doesn't Require Master Password If iPhone Passcode Is Changed

Thanks for having this discussion. As I understand Dave's link, nimvio is correct but irrelevant. To restate, yes, someone can steal your phone and change the passcode but they still won't be able to use 1P which relies on either knowing the 1P password or using Face ID which 1) cannot be changed without resetting 1P's secret or 2) will fail and fall back to relying on 1P password.

It would be helpful to other 1P customers if that support article could be expanded to explain not just 1P's internal logic but why the logic effectively blocks someone who has stolen the phone from getting access to a 1P vault. Or provide a link to another support article that explains it.

As an aside, I'm reading other articles (example: https://macandegg.com/2023/02/icloud-account-can-be-taken-over-with-only-iphone-passcode/) that recommend NOT using iOS's builtin password manager. It's been years since I've used it but I guess its rules are simpler. For example, it re-uses the phone's passcode so there's no further way to authenticate the user. So glad I use a 3rd party password mgr.

Do I have this all straight?