About the security of using Touch ID or Apple Watch to unlock 1Password for Mac

Learn how to protect your data when you use Touch ID or Apple Watch to unlock 1Password on your Mac.

When you use Apple Watch or Touch ID to unlock 1Password, it’s easier to use a longer and more secure account password than you might otherwise have chosen.

Your fingerprint is not stored in 1Password

1Password never scans or stores your fingerprint. Touch ID is provided by macOS, which only tells 1Password if your fingerprint was recognized or not.

Learn more about Touch ID advanced security technology.

Your 1Password account password still protects your data

Apple hasn’t designed Touch ID or Auto Unlock as a replacement for the password you use to log in to your Mac. In the same way, using Touch ID or Apple Watch in 1Password doesn’t replace your account password or undermine the security of 1Password. Your data is encrypted with your account password and Secret Key, and that remains true even when you use Touch ID or Apple Watch to unlock.

1Password requires your account password if the amount of time in Settings > Security > Require password has elapsed. If you choose Never, your password will only be required when the device is unable to use biometrics, so you should make sure your password is written down somewhere in case you don’t remember it.

Tip

After you change your account password, or if you have one that’s difficult to remember, choose to require the password more often to help you remember it.

Your 1Password account password is secured by the Secure Enclave

When you use Touch ID or Apple Watch to unlock, 1Password stores an encrypted secret on disk. This secret is used to decrypt your 1Password data when your fingerprint is recognized, or you approve 1Password on Apple Watch. In 1Password 7 and later, the secret is encrypted using an encryption key stored in the Secure Enclave, which only 1Password can access.

To decrypt the secret, 1Password proves its identity using code signatures, and then it moves the encrypted secret to the Secure Enclave. The secret is decrypted using the encryption key and returned to 1Password to decrypt your data.

This process happens locally, and the encryption key never leaves the Secure Enclave.

1Password removes the encrypted secret from disk:

  • When the amount of time in Settings > Security > “Require password” has elapsed
  • When you add or delete a fingerprint from your device
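The behaviour described above can be reproduced with Apple's Security framework. The following is an added example, not 1Password's own code, and the page does not say which calls 1Password uses. It assumes a code-signed app on a Mac with a Secure Enclave, covers Touch ID only, and the names keyTag, makeEnclaveKey, wrap and unwrap are hypothetical.

```swift
import Foundation
import Security

// Added illustration, not 1Password's code. The tag is a hypothetical name.
let keyTag = Data("com.example.unlock-key".utf8)
let algorithm: SecKeyAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM

struct EnclaveError: Error { let reason: String }
func failure(_ error: Unmanaged<CFError>?) -> EnclaveError {
    EnclaveError(reason: error.map { "\($0.takeRetainedValue())" } ?? "unknown")
}

// The private key is generated inside the Secure Enclave and is not exportable.
// .biometryCurrentSet invalidates it when a fingerprint is added or removed.
func makeEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet], &error)
    else { throw failure(error) }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access] as [String: Any]]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error)
    else { throw failure(error) }
    return key
}

// Encrypt to the public key; the resulting blob is what would sit on disk.
func wrap(_ secret: Data, for key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let publicKey = SecKeyCopyPublicKey(key),
          let blob = SecKeyCreateEncryptedData(publicKey, algorithm, secret as CFData, &error)
    else { throw failure(error) }
    return blob as Data
}

// The private-key operation runs in the Secure Enclave after Touch ID succeeds.
func unwrap(_ blob: Data, with key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let secret = SecKeyCreateDecryptedData(key, algorithm, blob as CFData, &error)
    else { throw failure(error) }
    return secret as Data
}
```

Once the enrolled fingerprints change, unwrap fails for blobs created under the old key, so the caller has to fall back to the account password and wrap a fresh secret.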

Protect yourself when using Touch ID or Apple Watch to unlock

Follow these tips to stay safe when you use Touch ID or Apple Watch to unlock:

  • Remember your 1Password account password. If you use Touch ID or Apple Watch to unlock frequently, it may be easier to forget your account password because you’re not regularly typing it.

  • If you’re using 1Password 6, don’t share the password you use to log in to your Mac. Someone who knows it can enroll a fingerprint and use it to unlock 1Password 6. 1Password 7 and later automatically require your account password after a new fingerprint is enrolled on your Mac.

  • If you’re concerned someone may attempt to use your fingerprint or Apple Watch without your consent, turn off unlock using Touch ID and Apple Watch. Retrieving your account password from your mind while you sleep is still in the realm of science fiction. However, your fingerprint or unlocked Apple Watch can be used without your consent whether you’re sleeping, unconscious, or otherwise. If you anticipate such a situation, turn off unlock using Touch ID and Apple Watch.
