About Biometric Unlock security in 1Password for Android

Learn how 1Password protects your data when you use Biometric Unlock.

When you turn on Biometric Unlock, you can unlock 1Password with your fingerprint, face, or eyes. Because you can unlock 1Password so easily, you can use a longer and more secure Master Password than you might otherwise have chosen, and you can use 1Password more often and in more places.

Your biometric data is not stored in 1Password

1Password never scans or stores your fingerprint, face, or eyes. Biometric Unlock is provided by Android, which only allows 1Password to know if your fingerprint, face, or eyes were recognized or not.

Learn more about fingerprint security or how face unlock works on Pixel devices, or check with the manufacturer of your device.

Your Master Password still protects your data

Using Biometric Unlock in 1Password does not replace your Master Password or undermine the security of 1Password. Your data is encrypted with your Master Password, and that remains true even with Biometric Unlock turned on.

Your Master Password is stored securely

When you turn on Biometric Unlock, 1Password stores an encrypted version of a secret that is equivalent to your Master Password:

  1. Random Key. 1Password generates a Random Key that requires authentication. This Random Key is saved in the Android Keystore.
  2. Authenticated Key. 1Password prompts you to scan your fingerprint, face, or eyes, which it uses to authenticate that Random Key. The Authenticated Key is never stored on your device.
  3. Master Key. 1Password uses the Authenticated Key to encrypt a copy of the Master Key. This encrypted Master Key is saved in the sandboxed preferences for 1Password.

There are now two encrypted copies of the Master Key: one encrypted with your Master Password and one encrypted with the Authenticated Key. This makes sure that use of Biometric Unlock is cryptographically enforced:

  • Your data can’t be decrypted without the Master Key.
  • The Master Key can’t be decrypted without the Authenticated Key.
  • The Authenticated Key can’t be generated without authenticating your fingerprint, face, or eyes.

Your data is protected if new fingerprints are added

If a new fingerprint, face, or eyes are added to your device, the Random Key in the Android Keystore is invalidated. This means the Authenticated Key can no longer be generated from it.

When 1Password detects that the Authenticated Key can’t be generated, it removes the Random Key from the Android Keystore and turns off Biometric Unlock.

At this point, the only way to unlock 1Password is with your Master Password. After you unlock, you can set up Biometric Unlock again.
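
The key-wrapping and invalidation behavior described above can be sketched with the standard Android Keystore APIs. This is an added example, not 1Password's own code. The alias, function names, and the choice of AES-GCM are assumptions, as is treating the biometric-authorized Cipher as the page's "Authenticated Key".

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

const val ALIAS = "example_biometric_wrap_key" // hypothetical alias
const val TRANSFORM = "AES/GCM/NoPadding"      // assumed cipher choice

// "Random Key": generated inside the Keystore, usable only after biometric auth.
fun createRandomKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setUserAuthenticationRequired(true)       // every use needs authentication
        .setInvalidatedByBiometricEnrollment(true) // new enrollment kills the key (API 24+)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

// Cipher to pass to BiometricPrompt.CryptoObject when Biometric Unlock is turned on.
fun enrollCipher(): Cipher =
    Cipher.getInstance(TRANSFORM).apply { init(Cipher.ENCRYPT_MODE, createRandomKey()) }

// Cipher for a later unlock. Returns null when the key is missing or was
// invalidated; the caller then disables biometric unlock and asks for the password.
fun unlockCipher(iv: ByteArray): Cipher? {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = ks.getKey(ALIAS, null) as? SecretKey ?: return null
    return try {
        Cipher.getInstance(TRANSFORM).apply { init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, iv)) }
    } catch (e: KeyPermanentlyInvalidatedException) {
        ks.deleteEntry(ALIAS) // remove the dead key, as the page describes
        null
    }
}

// Called with the Cipher returned by a successful biometric prompt. Only the
// IV and ciphertext are persisted (for example in app-private preferences).
fun wrapMasterKey(authorized: Cipher, masterKey: ByteArray): Pair<ByteArray, ByteArray> =
    authorized.iv to authorized.doFinal(masterKey)
fun unwrapMasterKey(authorized: Cipher, wrapped: ByteArray): ByteArray = authorized.doFinal(wrapped)
```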

Remember your Master Password

The advantages of using Biometric Unlock far outweigh the risks. Just be sure to remember your Master Password. If you use Biometric Unlock frequently, it may be easier to forget your Master Password because you’re not regularly typing it.
