When you turn on Touch ID on your iPhone or iPad, you can unlock 1Password with your fingerprint. Because you can unlock 1Password so easily, you can use a longer and more secure 1Password account password than you might otherwise have chosen, and you can use 1Password more often and in more places.
Your fingerprint is not stored in 1Password
1Password never scans or stores your fingerprint. Touch ID is provided by iOS, which only tells 1Password if your fingerprint was recognized or not.
Learn more about Touch ID advanced security technology.
Your 1Password account password still protects your data
Apple hasn’t designed Touch ID as a replacement for your device passcode. In the same way, using Touch ID in 1Password doesn’t replace your account password or undermine the security of 1Password. Your data is encrypted with your account password, and that remains true even with Touch ID turned on.
At any time, you can manually lock 1Password to make sure that your account password will be required instead of your fingerprint. In 1Password, tap Settings > Security > Lock Now.
You can also tell 1Password to require your account password after restarting your device or after a specific amount of time. Go to Settings > Advanced > Security and change the Require Master Password setting.
Your 1Password account password is stored securely
When you turn on Touch ID, 1Password stores in the iOS Keychain an obfuscated version of a secret that is equivalent to your account password. The secret is used to unlock 1Password when your fingerprint is recognized.
It’s important to understand that the iOS Keychain is not the same thing as iCloud Keychain. Indeed, the secret is stored in a way that makes sure it will never leave your iOS device, not even for backups. 1Password uses the
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly attribute to store the secret, which means that:
- Your device must be unlocked for the secret to be accessible.
- Your device must have a device passcode set. If you turn off your device passcode, the secret is deleted.
- The secret cannot be restored to a different device.
- The secret is not included in iCloud backups.
- Only 1Password can access the secret.
If you are using 1Password 4 on iOS 7, the device passcode requirement is not enforced. Be sure to set a passcode for your device.
1Password removes the secret from the iOS Keychain:
- When your fingerprint isn’t recognized three times in a row
- When you tap Settings > Security > Lock Now
- When Require Master Password is set to After Device Restart in Settings > Advanced > Security, and you open 1Password after restarting your device
- When the amount of time in Settings > Advanced > Security > Require Master Password has elapsed and 1Password is open
Protect yourself when using Touch ID
The advantages of using Touch ID far outweigh the risks. Follow these tips to stay safe with Touch ID:
Remember your 1Password account password. If you use Touch ID frequently, it may be easier to forget your account password because you’re not regularly typing it.
Don’t share your device passcode. If you turn on Touch ID in 1Password on your iOS device, it’s important that you guard your device passcode closely. Anyone who knows it can enroll a new fingerprint, and all enrolled fingerprints on the device can be used to unlock 1Password.
If you’re concerned someone may attempt to use your fingerprint without your consent, manually lock 1Password. Retrieving your account password from your mind while you sleep is still in the realm of science fiction. However, your fingerprint can be used without your consent whether you’re sleeping, unconscious, or otherwise. If you anticipate such a situation, you can manually lock 1Password to make sure that your account password will be required instead of your fingerprint. In 1Password, tap Settings > Security > Lock Now.
Don’t jailbreak your device. Someone with physical access to your device could theoretically access the secret that 1Password stored in the iOS Keychain. However, that would require unlocking the device, jailbreaking the device (so that something other than 1Password can read the iOS Keychain data that belongs to 1Password), and defeating the obfuscation of the account password. If you jailbreak your device, you are willingly defeating one of the strongest defenses against such an attack.