Your fingerprint is not stored in 1Password
1Password never scans or stores your fingerprint. Touch ID is provided by macOS, which only tells 1Password if your fingerprint was recognized or not.
Learn more about Touch ID advanced security technology .
Your 1Password account password still protects your data
Apple hasn’t designed Touch ID or Auto Unlock as a replacement for the password you use to log in to your Mac. In the same way, using Touch ID or Apple Watch in 1Password doesn’t replace your account password or undermine the security of 1Password. Your data is encrypted with your account password and Secret Key, and that remains true even when you use Touch ID or Apple Watch to unlock.
1Password also requires your account password if you haven’t entered it in 2 weeks.
In 1Password 7 and earlier, you can change how often you're required to enter your account password. Go to Preferences > Security and change the Require Master Password setting.
Your 1Password account password is secured by the Secure Enclave
When you use Touch ID or Apple Watch to unlock, 1Password stores an encrypted secret on disk. This secret is used to decrypt your 1Password data when your fingerprint is recognized, or you approve 1Password on Apple Watch. In 1Password 7 and later, the secret is encrypted using an encryption key stored in the Secure Enclave, which only 1Password can access.
To decrypt the secret, 1Password proves its identity using code signatures, and then it moves the encrypted secret to the Secure Enclave. The secret is decrypted using the encryption key and returned to 1Password to decrypt your data.
This process happens locally, and the encryption key never leaves the Secure Enclave.
1Password removes the encrypted secret from disk when:
- You use Touch ID and your fingerprint isn’t recognized three times in a row
- You haven’t entered your account password in 2 weeks
In 1Password 7 and earlier, the encrypted secret is removed when the amount of time in Preferences > Security > Require Master Password has elapsed.
Protect yourself when using Touch ID or Apple Watch to unlock
Follow these tips to stay safe when you use Touch ID or Apple Watch to unlock:
Remember your 1Password account password. If you use Touch ID or Apple Watch to unlock frequently, it may be easier to forget your account password because you’re not regularly typing it.
If you’re using 1Password 6, don’t share the password you use to log in to your Mac. Someone who knows it can enroll a fingerprint and use it to unlock 1Password 6. 1Password 7 and later automatically require your account password after a new fingerprint is enrolled on your Mac.
If you’re concerned someone may attempt to use your fingerprint or Apple Watch without your consent, turn off unlock using Touch ID and Apple Watch. Retrieving your account password from your mind while you sleep is still in the realm of science fiction. However, your fingerprint or unlocked Apple Watch can be used without your consent whether you’re sleeping, unconscious, or otherwise. If you anticipate such a situation, turn off unlock using Touch ID and Apple Watch.