Security and privacy

About Fingerprint Unlock security in 1Password for Android

Learn how 1Password protects your data when you use Fingerprint Unlock.

When you turn on Fingerprint Unlock, you can unlock 1Password with your fingerprint. Because you can unlock 1Password so easily, you can use a longer and more secure Master Password than you might otherwise have chosen, and you can use 1Password more often and in more places.

Your fingerprint is not stored in 1Password

1Password never scans or stores your fingerprint. Fingerprint Unlock is provided by Android, which only tells 1Password whether your fingerprint was recognized. The fingerprint data itself stays with the operating system and is never exposed to the app.

Learn more about fingerprint security on Pixel and Nexus devices.

Your Master Password still protects your data

Using Fingerprint Unlock in 1Password does not replace your Master Password or weaken the security of 1Password. Your data is encrypted with a Master Key that is itself protected by your Master Password, and that remains true even with Fingerprint Unlock turned on.

Your Master Password is stored securely

When you turn on Fingerprint Unlock, 1Password stores an encrypted version of a secret that is equivalent to your Master Password:

  1. Random Key. 1Password generates a Random Key that requires authentication. This Random Key is saved in the Android Keystore.
  2. Authenticated Key. 1Password prompts you to scan your fingerprint, and Android uses that authentication to authorize use of the Random Key. The resulting Authenticated Key exists only for that one operation and is never stored on your device.
  3. Master Key. 1Password uses the Authenticated Key to encrypt a copy of the Master Key. This encrypted Master Key is saved in the sandboxed preferences for 1Password.

There are now two encrypted copies of the Master Key: one encrypted with your Master Password and one encrypted with the Authenticated Key. This ensures that use of Fingerprint Unlock is cryptographically enforced:

  • Your data can’t be decrypted without the Master Key.
  • The Master Key can’t be decrypted without the Authenticated Key.
  • The Authenticated Key can’t be generated without authenticating your fingerprint.

Your data is protected if new fingerprints are added

If a new fingerprint is added to your device, the Android Keystore permanently invalidates the Random Key, because it was created as a key that requires biometric authentication. This means the Authenticated Key can no longer be generated from it.

When 1Password detects that the Authenticated Key can’t be generated, it removes the Random Key from the Android Keystore and turns off Fingerprint Unlock.

At this point, the only way to unlock 1Password is with your Master Password. Once you have unlocked it that way, you can set up Fingerprint Unlock again.
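The three-step key wrapping above and the invalidation handling in this section map directly onto Android Keystore and BiometricPrompt APIs. The following Kotlin class is an added illustration, not 1Password's own code: the key alias, preference names, the MasterKeyWrapper class, and the shape of the Master Key (a byte array) are assumptions chosen for the example. It generates an authentication-bound AES key (the Random Key), uses a BiometricPrompt CryptoObject to obtain a one-time authorized Cipher (the Authenticated Key), wraps a copy of the Master Key into the app's private SharedPreferences, and, when the Keystore reports that a new enrollment invalidated the key, deletes the key and turns the feature off so the user must fall back to the Master Password.

```kotlin
// Added example (not 1Password's code). Assumed names: KEY_ALIAS, PREFS_NAME, MasterKeyWrapper.
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import android.util.Base64
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

class MasterKeyWrapper(private val activity: FragmentActivity) {
    private val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    private val prefs = activity.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)

    // Step 1, the "Random Key": lives only in the Keystore, needs a fresh biometric
    // authentication for every use, and is invalidated by a new fingerprint enrollment.
    private fun generateRandomKey(): SecretKey {
        val spec = KeyGenParameterSpec.Builder(
            KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setUserAuthenticationRequired(true)        // authenticate on every use
            .setInvalidatedByBiometricEnrollment(true)  // API 24+: new fingerprint kills the key
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
            .apply { init(spec) }.generateKey()
    }

    // Bind a Cipher to the Random Key. If the Keystore reports the key as permanently
    // invalidated (a fingerprint was added), remove it and turn Fingerprint Unlock off.
    private fun cipherForRandomKey(mode: Int, iv: ByteArray? = null): Cipher? {
        val key = keyStore.getKey(KEY_ALIAS, null) as? SecretKey ?: return null
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        return try {
            if (mode == Cipher.ENCRYPT_MODE) cipher.init(mode, key)
            else cipher.init(mode, key, GCMParameterSpec(128, iv))
            cipher
        } catch (e: KeyPermanentlyInvalidatedException) {
            disableFingerprintUnlock()
            null
        }
    }

    // Step 2, the "Authenticated Key": the Cipher is only usable after the system prompt
    // succeeds; the authorized Cipher object is never persisted anywhere.
    private fun prompt(cipher: Cipher, onAuthorized: (Cipher) -> Unit) {
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock 1Password")
            .setNegativeButtonText("Use Master Password")
            .setAllowedAuthenticators(BIOMETRIC_STRONG)
            .build()
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                result.cryptoObject?.cipher?.let(onAuthorized)
            }
        }
        BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
            .authenticate(info, BiometricPrompt.CryptoObject(cipher))
    }

    // Step 3: wrap a copy of the Master Key and keep it in the app's private preferences.
    fun enable(masterKey: ByteArray) {
        generateRandomKey()
        val cipher = cipherForRandomKey(Cipher.ENCRYPT_MODE) ?: return
        prompt(cipher) { c ->
            val wrapped = c.doFinal(masterKey)
            prefs.edit()
                .putString(PREF_IV, Base64.encodeToString(c.iv, Base64.NO_WRAP))
                .putString(PREF_WRAPPED, Base64.encodeToString(wrapped, Base64.NO_WRAP))
                .apply()
        }
    }

    // Unlock path: unwrap the Master Key, or fall back to the Master Password.
    fun unlock(onMasterKey: (ByteArray) -> Unit, onNeedMasterPassword: () -> Unit) {
        val iv = prefs.getString(PREF_IV, null)?.let { Base64.decode(it, Base64.NO_WRAP) }
        val wrapped = prefs.getString(PREF_WRAPPED, null)?.let { Base64.decode(it, Base64.NO_WRAP) }
        if (iv == null || wrapped == null) { onNeedMasterPassword(); return }
        val cipher = cipherForRandomKey(Cipher.DECRYPT_MODE, iv) ?: run { onNeedMasterPassword(); return }
        prompt(cipher) { c -> onMasterKey(c.doFinal(wrapped)) }
    }

    fun disableFingerprintUnlock() {
        if (keyStore.containsAlias(KEY_ALIAS)) keyStore.deleteEntry(KEY_ALIAS)
        prefs.edit().remove(PREF_IV).remove(PREF_WRAPPED).apply()
    }

    private companion object {
        const val KEY_ALIAS = "example_fingerprint_unlock_key"  // assumed
        const val PREFS_NAME = "example_fingerprint_unlock"     // assumed
        const val PREF_IV = "iv"
        const val PREF_WRAPPED = "wrapped_master_key"
    }
}
```

Two details matter for the guarantees the page describes. The wrapped Master Key in preferences is useless on its own: AES-GCM decryption needs the Random Key, which is non-exportable and only usable through a Cipher that the Keystore authorizes after a successful BIOMETRIC_STRONG prompt. And the invalidation is detected at the point where the key is first touched: `Cipher.init` throws `KeyPermanentlyInvalidatedException` after a new enrollment, which is the signal to delete the alias and clear the wrapped copy so the only remaining path is the Master Password.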

Remember your Master Password

The advantages of using Fingerprint Unlock far outweigh the risks. Just be sure to remember your Master Password. If you use Fingerprint Unlock frequently, it may be easier to forget your Master Password because you’re not regularly typing it.

Learn more