When you turn on Touch ID on your iPhone or iPad, you can unlock 1Password with your fingerprint. Because you can unlock 1Password so easily, you can use a longer and more secure 1Password account password than you might otherwise have chosen, and you can use 1Password more often and in more places.
Your fingerprint is not stored in 1Password
1Password never scans or stores your fingerprint. Touch ID is provided by iOS, which only tells 1Password if your fingerprint was recognized or not.
Learn more about Touch ID advanced security technology.
Your 1Password account password still protects your data
Apple hasn’t designed Touch ID as a replacement for your device passcode. In the same way, using Touch ID in 1Password doesn’t replace your account password or undermine the security of 1Password. Your data is encrypted with your account password, and that remains true even with Touch ID turned on.
1Password requires your account password if the amount of time in Settings > Security > Require password has elapsed. If you choose Never, your password will only be required when the device is unable to use biometrics, so you should make sure your password is written down somewhere in case you don’t remember it.
Tip
After you change your account password, or if you have one that’s difficult remember, choose to require the password more often to help you remember it.
Your 1Password account password is stored securely
When you turn on Touch ID, 1Password stores in the iOS Keychain an obfuscated version of a secret that is equivalent to your account password. The secret is used to unlock 1Password when your fingerprint is recognized.
It’s important to understand that the iOS Keychain is not the same thing as iCloud Keychain. Indeed, the secret is stored in a way that makes sure it will never leave your iOS device, not even for backups. 1Password uses the kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
attribute to store the secret, which means that:
- Your device must be unlocked for the secret to be accessible.
- Your device must have a device passcode set. If you turn off your device passcode, the secret is deleted.
- The secret cannot be restored to a different device.
- The secret is not included in iCloud backups.
- Only 1Password can access the secret.
1Password removes the encrypted secret from the iOS Keychain:
- When your fingerprint isn’t recognized five times in a row
- When the amount of time in Settings > Security > “Require password” has elapsed
- When you add or delete a fingerprint from your device
Protect yourself when using Touch ID
The advantages of using Touch ID far outweigh the risks. Follow these tips to stay safe with Touch ID:
Remember your 1Password account password. If you use Touch ID frequently, it may be easier to forget your account password because you’re not regularly typing it.
Don’t jailbreak your device. Someone with physical access to your device could theoretically access the secret that 1Password stored in the iOS Keychain. However, that would require unlocking the device, jailbreaking the device (so that something other than 1Password can read the iOS Keychain data that belongs to 1Password), and defeating the obfuscation of the account password. If you jailbreak your device, you are willingly defeating one of the strongest defenses against such an attack.