Security and privacy

About Touch ID security in 1Password for Mac

Learn how to protect your data when you use Touch ID on your Mac.

When you enable Touch ID on your Mac, you can unlock 1Password with your fingerprint. Because you can unlock 1Password so easily, you can use a longer and more secure Master Password than you might otherwise have chosen.

Protect yourself when using Touch ID

Follow these tips to stay safe with Touch ID:

  • Remember your Master Password. If you use Touch ID frequently, it may be easier to forget your Master Password because you’re not regularly typing it.

  • Don’t share the password you use to log in to your Mac. If you enable Touch ID in 1Password on your Mac, it’s important that you guard the password you use to log in to your Mac closely. Anyone who knows it can unlock 1Password.

  • If you’re concerned someone may attempt to use your fingerprint without your consent, disable Touch ID. Retrieving your Master Password from your mind while you sleep is still in the realm of science fiction. However, your fingerprint can be used without your consent whether you’re sleeping, unconscious, or otherwise. If you anticipate such a situation, disable Touch ID.

Your fingerprint is not stored in 1Password

1Password never scans or stores your fingerprint. Touch ID is provided by macOS, which only tells 1Password if your fingerprint was recognized or not.

Learn more about Touch ID advanced security technology.  

Your Master Password still protects your data

Apple hasn’t designed Touch ID as a replacement for the password you use to log in to your Mac. In the same way, using Touch ID in 1Password doesn’t replace your Master Password or undermine the security of 1Password. Your data is encrypted with your Master Password and Secret Key, and that remains true even with Touch ID enabled.

You can also tell 1Password to require your Master Password after a specific amount of time. Go to Preferences > Security and change the Require Master Password setting.

Your Master Password is stored in the macOS Keychain

When you enable Touch ID, 1Password stores in the macOS Keychain an obfuscated version of a secret that can be used to decrypt your 1Password data. The secret is used to unlock 1Password when your fingerprint is recognized. It is stored using these attributes:

  • kSecAttrSynchronizable – This means that the secret is synced with iCloud Keychain. However, Apple can’t access it. Additionally, it’s combined with a unique code that’s only stored locally by 1Password, so it’s not usable on any other device.
  • kSecAttrAccessibleWhenUnlocked – This means that nothing can access the secret when your Mac is locked.
  • keychainGroupIdentifier = "2BUA8C4S2C.com.agilebits.onepassword" – This means that only 1Password can access the secret unless you enter the password you use to log in to your Mac.

1Password removes the secret from the macOS Keychain:

  • When your fingerprint isn’t recognized three times in a row
  • When the amount of time in Preferences > Security > Require Master Password has elapsed.

Learn more

Published: