Security and privacy

About Touch ID security in 1Password for iOS

Learn how 1Password protects your data when you use Touch ID on your iPhone or iPad.

When you turn on Touch ID on your iPhone or iPad, you can unlock 1Password with your fingerprint. Because you can unlock 1Password so easily, you can use a longer and more secure 1Password account password than you might otherwise have chosen, and you can use 1Password more often and in more places.

Your fingerprint is not stored in 1Password

1Password never scans or stores your fingerprint. Touch ID is provided by iOS, which only tells 1Password if your fingerprint was recognized or not.

Learn more about Touch ID advanced security technology.

Your 1Password account password still protects your data

Apple hasn’t designed Touch ID as a replacement for your device passcode. In the same way, using Touch ID in 1Password doesn’t replace your account password or undermine the security of 1Password. Your data is encrypted with your account password, and that remains true even with Touch ID turned on.

1Password requires your account password if the amount of time in Settings > Security > Require password has elapsed. If you choose Never, your password will only be required when the device is unable to use biometrics, so you should make sure your password is written down somewhere in case you don’t remember it.

Tip

After you change your account password, or if you have one that’s difficult remember, choose to require the password more often to help you remember it.

Your 1Password account password is stored securely

When you turn on Touch ID, 1Password stores in the iOS Keychain an obfuscated version of a secret that is equivalent to your account password. The secret is used to unlock 1Password when your fingerprint is recognized.

It’s important to understand that the iOS Keychain is not the same thing as iCloud Keychain. Indeed, the secret is stored in a way that makes sure it will never leave your iOS device, not even for backups. 1Password uses the kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly attribute to store the secret, which means that:

  • Your device must be unlocked for the secret to be accessible.
  • Your device must have a device passcode set. If you turn off your device passcode, the secret is deleted.
  • The secret cannot be restored to a different device.
  • The secret is not included in iCloud backups.
  • Only 1Password can access the secret.

1Password removes the encrypted secret from the iOS Keychain:

  • When your fingerprint isn’t recognized five times in a row
  • When the amount of time in Settings > Security > “Require password” has elapsed
  • When you add or delete a fingerprint from your device

Protect yourself when using Touch ID

The advantages of using Touch ID far outweigh the risks. Follow these tips to stay safe with Touch ID:

  • Remember your 1Password account password. If you use Touch ID frequently, it may be easier to forget your account password because you’re not regularly typing it.

  • Don’t jailbreak your device. Someone with physical access to your device could theoretically access the secret that 1Password stored in the iOS Keychain. However, that would require unlocking the device, jailbreaking the device (so that something other than 1Password can read the iOS Keychain data that belongs to 1Password), and defeating the obfuscation of the account password. If you jailbreak your device, you are willingly defeating one of the strongest defenses against such an attack.

Learn more

Published: