When you turn on biometric unlock, you can unlock 1Password with your fingerprint, face, or eyes. Because you can unlock 1Password so easily, you can use a longer and more secure 1Password account password than you might otherwise have chosen, and you can use 1Password more often and in more places.
Your biometric data is not stored in 1Password
1Password never scans or stores your fingerprint, face, or eyes. Biometric unlock is provided by Android, which only tells 1Password whether your fingerprint, face, or eyes were recognized or not.
Your 1Password account password still protects your data
Using biometric unlock in 1Password does not replace your account password or undermine the security of 1Password. Your data is encrypted with your account password, and that remains true even with biometric unlock turned on.
Your 1Password account password is stored securely
When you turn on biometric unlock, 1Password stores an encrypted version of a secret that is equivalent to your account password:
- Random Key. 1Password generates a Random Key that requires authentication. This Random Key is saved in the Android Keystore.
- Authenticated Key. 1Password prompts to scan your fingerprint, face, or eyes, which it uses to authenticate that Random Key. The Authenticated Key is never stored on your device.
- Master Key. 1Password uses the Authenticated Key to encrypt a copy of the Master Key. This encrypted Master Key is saved in the sandboxed preferences for 1Password.
There are now two encrypted copies of the Master Key: one encrypted with your account password and one encrypted with the Authenticated Key. This makes sure that use of biometric unlock is cryptographically enforced:
- Your data can’t be decrypted without the Master Key.
- The Master Key can’t be decrypted without the Authenticated Key.
- The Authenticated Key can’t be generated without authenticating your fingerprint, face, or eyes.
Your data is protected if new fingerprints are added
If a new fingerprint, face, or eyes are added to your device, the Random Key in the Android Keystore is invalidated. This means the Authenticated Key can no longer be generated from it.
When 1Password detects that the Authenticated Key can’t be generated, it removes the Random Key from the Android Keystore and turns off biometric unlock.
At this point, the only way to unlock 1Password is with your account password, after which you can set up biometric unlock again.
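The key hierarchy above (Random Key, Authenticated Key, Master Key) and the invalidation behaviour just described map directly onto Android Keystore features. The following Kotlin is an added illustration, not code from 1Password (its real implementation is not on this page); the key alias and function names are hypothetical, and the returned cipher still has to be passed through BiometricPrompt as a CryptoObject before it can encrypt or decrypt the Master Key copy.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical alias; not an identifier from 1Password's app.
const val RANDOM_KEY_ALIAS = "example.biometric.random_key"
private val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

// "Random Key": an AES key that lives only inside the Android Keystore.
// It cannot be exported, every use needs a fresh biometric authentication,
// and enrolling a new fingerprint or face permanently invalidates it.
fun generateRandomKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        RANDOM_KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setUserAuthenticationRequired(true)        // no biometric, no key use
        .setInvalidatedByBiometricEnrollment(true)  // new enrolment kills the key
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

// "Authenticated Key": a cipher bound to the Random Key. It exists only in
// memory, and doFinal() succeeds only after the cipher has gone through
// BiometricPrompt as a CryptoObject. Returns null if the Random Key was
// invalidated, after tearing biometric unlock down as the article describes.
fun cipherForRandomKey(mode: Int, iv: ByteArray? = null): Cipher? {
    val key = keyStore.getKey(RANDOM_KEY_ALIAS, null) as? SecretKey ?: return null
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    return try {
        if (mode == Cipher.ENCRYPT_MODE) cipher.init(mode, key)
        else cipher.init(mode, key, GCMParameterSpec(128, iv))
        cipher
    } catch (e: KeyPermanentlyInvalidatedException) {
        disableBiometricUnlock()
        null
    }
}

fun disableBiometricUnlock() {
    keyStore.deleteEntry(RANDOM_KEY_ALIAS)   // drop the dead Random Key...
    // ...and also delete the encrypted Master Key copy and the "biometric
    // unlock on" preference (app-specific storage, omitted here).
}
```

Setup encrypts the Master Key with the cipher from `cipherForRandomKey(Cipher.ENCRYPT_MODE)` and stores the ciphertext plus the cipher's IV in app preferences; unlock rebuilds the cipher in decrypt mode with that IV and hands it to BiometricPrompt, so decryption is possible only after Android confirms the biometric.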
Remember your 1Password account password
The advantages of using biometric unlock far outweigh the risks. Just be sure to remember your account password. If you use biometric unlock frequently, it may be easier to forget your password because you’re not regularly typing it.