When you enable Touch ID on your Mac, you can unlock 1Password with your fingerprint. Because you can unlock 1Password so easily, you can use a longer and more secure Master Password than you might otherwise have chosen.
Protect yourself when using Touch ID
Follow these tips to stay safe with Touch ID:
Remember your Master Password. If you use Touch ID frequently, it may be easier to forget your Master Password because you’re not regularly typing it.
Don’t share the password you use to log in to your Mac. If you enable Touch ID in 1Password on your Mac, it’s important that you guard the password you use to log in to your Mac closely. Anyone who knows it can unlock 1Password.
If you’re concerned someone may attempt to use your fingerprint without your consent, disable Touch ID. Retrieving your Master Password from your mind while you sleep is still in the realm of science fiction. However, your fingerprint can be used without your consent whether you’re sleeping, unconscious, or otherwise. If you anticipate such a situation, disable Touch ID.
Your fingerprint is not stored in 1Password
1Password never scans or stores your fingerprint. Touch ID is provided by macOS, which only tells 1Password if your fingerprint was recognized or not.
Learn more about Touch ID advanced security technology.
Your Master Password still protects your data
Apple hasn’t designed Touch ID as a replacement for the password you use to log in to your Mac. In the same way, using Touch ID in 1Password doesn’t replace your Master Password or undermine the security of 1Password. Your data is encrypted with your Master Password and Secret Key, and that remains true even with Touch ID enabled.
You can also tell 1Password to require your Master Password after a specific amount of time. Go to Preferences > Security and change the Require Master Password setting.
Your Master Password is secured by the Secure Enclave
When you enable Touch ID, 1Password stores an encrypted secret on disk. This secret is used to decrypt your 1Password data when your fingerprint is recognized. The secret is encrypted using an encryption key stored in the Secure Enclave, which only 1Password can access.
To decrypt the secret, 1Password proves its identity using code signatures, and then it moves the encrypted secret to the Secure Enclave. The secret is decrypted using the encryption key and returned to 1Password to decrypt your data.
This process happens locally, and the encryption key never leaves the Secure Enclave.
1Password removes the encrypted secret from disk when:
- Your fingerprint isn’t recognized three times in a row
- The amount of time in Preferences > Security > Require Master Password has elapsed.