About the security of using system authentication to unlock 1Password for Linux

Learn how to protect your data when you use system authentication to unlock 1Password on your Linux computer.

When you use system authentication to unlock 1Password, it’s easier to use a longer and more secure account password than you might otherwise have chosen.

Your biometrics are not stored in 1Password

1Password never scans or stores your biometric details. System authentication is provided by Linux, which only tells 1Password if your biometrics are recognized or not.

Your 1Password account password still protects your data

Using system authentication to unlock 1Password does not replace your account password or undermine the security of 1Password. Your data is encrypted with your account password, and that remains true even with system authentication turned on.

1Password requires your account password if the amount of time in Settings > Security > Require password has elapsed. If you choose Never, your password will only be required when the device is unable to use biometrics, so you should make sure your password is written down somewhere in case you don’t remember it.

Tip

After you change your account password, or if you have one that’s difficult to remember, choose to require the password more often to help you remember it.

Your 1Password account password is secured by the system authentication service

System authentication uses access control mechanisms built into your Linux user account. It relies on two Linux standards: polkit and PAM (Pluggable Authentication Modules). Together they provide a secure authentication service:

  • A polkit action to unlock 1Password is registered in /usr/share/polkit-1/actions/com.1password.1Password.policy.
  • A PAM user authentication challenge is presented based on the configuration in /etc/pam.d/polkit-1 or /etc/pam.conf.

When system authentication is turned on, 1Password for Linux creates a secret for each unlocked 1Password account. This secret can be used to unlock the account again if you pass a user authentication challenge.

The secret is not saved to disk and can’t be read by unprivileged processes. It stays in memory while 1Password is running (including when it runs in the system tray) and is removed from memory when you quit 1Password.

By delegating authentication to PAM, 1Password inherits support for any authentication method used by your Linux user account, including biometric authentication. 1Password does not store or access biometric data or other authentication secrets associated with your Linux user account.

Learn more about PAM configuration files.
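
To see which PAM modules actually stand behind the unlock challenge on a given machine, the following added example (not 1Password's own code) resolves the effective auth stack of the polkit-1 service, following both Debian-style and Fedora-style includes, and checks that the policy file named above is root-owned and not writable by others. It assumes the /etc/pam.d layout and does not parse /etc/pam.conf; the function names are illustrative.

```python
import os
import re
import stat

PAM_DIR = "/etc/pam.d"
POLICY = "/usr/share/polkit-1/actions/com.1password.1Password.policy"
# "type control module [args]"; type may carry a leading "-", control may be "[...]"
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_stack(service, files, seen=()):
    """Ordered (control, module) pairs of the auth stack for `service`.
    `files` maps a file name under /etc/pam.d to its text; includes are followed."""
    if service in seen or service not in files:
        return []                                      # include loop or missing file
    stack, seen = [], seen + (service,)
    for raw in files[service].splitlines():
        parts = raw.split("#", 1)[0].split()           # drop comments, normalise spacing
        if len(parts) == 2 and parts[0] == "@include":  # Debian/Ubuntu directive
            stack += auth_stack(parts[1], files, seen)
            continue
        m = RULE.match(" ".join(parts))
        if not m or m.group(1) != "auth":
            continue                                   # account/session/password rules
        control, module = m.group(2), os.path.basename(m.group(3))
        if control in ("include", "substack"):         # Fedora/Arch style include
            stack += auth_stack(module, files, seen)
        else:
            stack.append((control, module))
    return stack

def policy_file_issues(st):
    """Ownership and mode problems for the stat result of the polkit policy file."""
    issues = []
    if st.st_uid != 0:
        issues.append("not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group- or world-writable")
    return issues

if __name__ == "__main__":
    files = {}
    for name in os.listdir(PAM_DIR):
        path = os.path.join(PAM_DIR, name)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                files[name] = fh.read()
    for control, module in auth_stack("polkit-1", files):
        print(f"{control:32} {module}")
    print("policy file:", policy_file_issues(os.stat(POLICY)) or "ok")
```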

Protect yourself when using system authentication to unlock

Follow these tips to stay safe when you use system authentication to unlock:

  • Remember your 1Password account password. If you use system authentication to unlock frequently, it may be easier to forget your account password because you’re not regularly typing it.
  • If you’re concerned someone may attempt to use your biometrics without your consent, turn off unlock using system authentication. Retrieving your account password from your mind while you sleep is still in the realm of science fiction. However, your biometrics can be used without your consent whether you’re sleeping, unconscious, or otherwise. If you anticipate such a situation, turn off unlock using system authentication.
