About biometric unlock security in 1Password for Android

Learn how 1Password protects your data when you use biometric unlock.

When you turn on biometric unlock, you can unlock 1Password with your fingerprint, face, or eyes. Because you can unlock 1Password so easily, you can use a longer and more secure 1Password account password than you might otherwise have chosen, and you can use 1Password more often and in more places.

Your biometric data is not stored in 1Password

1Password never scans or stores your fingerprint, face, or eyes. Biometric unlock is provided by Android, which tells 1Password only whether your fingerprint, face, or eyes were recognized, never the biometric data itself.

Learn more about fingerprint security or how face unlock works on Pixel devices, or check with the manufacturer of your device.

Your 1Password account password still protects your data

Using biometric unlock in 1Password does not replace your account password or undermine the security of 1Password. Your data is encrypted with your account password, and that remains true even with biometric unlock turned on.

1Password requires your account password once the amount of time set in Settings > Security > Require password has elapsed. If you choose Never, your password will only be required when the device is unable to use biometrics, so you should make sure your password is written down somewhere in case you don’t remember it.

Tip

After you change your account password, or if you have one that’s difficult to remember, choose to require the password more often to help you remember it.

Your 1Password account password is stored securely

When you turn on biometric unlock, 1Password stores an encrypted version of a secret that is equivalent to your account password:

  1. Random Key. 1Password generates a Random Key that requires authentication. This Random Key is saved in the Android Keystore.
  2. Authenticated Key. 1Password prompts to scan your fingerprint, face, or eyes, which it uses to authenticate that Random Key. The Authenticated Key is never stored on your device.
  3. Master Key. 1Password uses the Authenticated Key to encrypt a copy of the Master Key. This encrypted Master Key is saved in the sandboxed preferences for 1Password.

There are now two encrypted copies of the Master Key: one encrypted with your account password and one encrypted with the Authenticated Key. This makes sure that use of biometric unlock is cryptographically enforced:

  • Your data can’t be decrypted without the Master Key.
  • The Master Key can’t be decrypted without the Authenticated Key.
  • The Authenticated Key can’t be generated without authenticating your fingerprint, face, or eyes.

Your data is protected if new fingerprints are added

If a new fingerprint, face, or eyes are added to your device, the Random Key in the Android Keystore is invalidated. This means the Authenticated Key can no longer be generated from it.

When 1Password detects that the Authenticated Key can’t be generated, it removes the Random Key from the Android Keystore and turns off biometric unlock.

At this point, the only way to unlock 1Password is with your account password; once unlocked, you can set up biometric unlock again.
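To make the three steps and the invalidation behavior concrete, here is an added Kotlin sketch of the Android Keystore pattern they describe. It is not 1Password's code; the key alias, function names, and the AES-GCM choice are assumptions.

```kotlin
// Added illustration (not 1Password's code). Alias, function names and AES-GCM are assumed.
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricPrompt
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val ALIAS = "biometric_random_key" // assumed alias for the "Random Key"
private val keyStore: KeyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

// Step 1: the Random Key lives in the Android Keystore, is only usable after a
// biometric authentication, and is invalidated by Android when a new biometric is enrolled.
fun generateRandomKey() {
    val spec = KeyGenParameterSpec.Builder(
        ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setUserAuthenticationRequired(true)
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore").run {
        init(spec)
        generateKey()
    }
}

// Step 2: a Cipher bound to the Random Key is handed to BiometricPrompt; it becomes
// usable (the "Authenticated Key") only after the user authenticates, and nothing
// derived from it is written to storage. Returns null when a new enrollment has
// invalidated the key: the key is deleted and biometric unlock must be turned off.
fun authenticatedCipher(mode: Int, iv: ByteArray? = null): BiometricPrompt.CryptoObject? {
    val key = keyStore.getKey(ALIAS, null) as? SecretKey ?: return null
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    return try {
        if (iv == null) cipher.init(mode, key) else cipher.init(mode, key, GCMParameterSpec(128, iv))
        BiometricPrompt.CryptoObject(cipher)
    } catch (e: KeyPermanentlyInvalidatedException) {
        keyStore.deleteEntry(ALIAS) // remove the Random Key, as the article describes
        null
    }
}

// Step 3: after BiometricPrompt succeeds, the authenticated cipher encrypts a copy of
// the Master Key; the IV plus ciphertext is what is saved in app preferences.
fun wrapMasterKey(result: BiometricPrompt.AuthenticationResult, masterKey: ByteArray): ByteArray {
    val cipher = result.cryptoObject!!.cipher!!
    return cipher.iv + cipher.doFinal(masterKey)
}
```

Unlocking later runs `authenticatedCipher(Cipher.DECRYPT_MODE, storedIv)` and decrypts the stored blob; a null return is the signal to fall back to the account password.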

Remember your 1Password account password

The advantages of using biometric unlock far outweigh the risks. Just be sure to remember your account password. If you use biometric unlock frequently, it may be easier to forget your password because you’re not regularly typing it.
