Security Issue: Password Autofill Continues to Work after Require Master Password Timeout

amolio
amolio
Community Member

Conditions:

  • Security/Lock on exit: enabled
  • Security/Auto-lock: 1 minute
  • Security/FaceID: enabled
  • Advanced/Security/Require Master Password: 1 day
  • Password auto fill: enabled in iOS

Problem:
With the setup above, I expect that once a day, each day, I will need to enter my master password to access both the 1Password app and before auto fill populates a password in an app or browser because the advanced security option states “In addition to your regular password settings, your Master Password will be required every 1 day or after device restart.”

However, I find this is not the case. While my master password does appear to be required to access the app after a day (e.g., I can’t simply use FaceID), that is not the case with password auto fill: I can continue to use FaceID well past the 24 hour mark. I believe this even survives a device restart. This seems like a serious security issue. Please advise.


1Password Version: 7.3.3
Extension Version: Not Provided
OS Version: IOS 12.3.1
Sync Type: 1Password

«1

Comments

  • [Deleted User]
    [Deleted User]
    Community Member

    Face i.d. works with apps if you tell it to remember your user name regardless of 1Password.

  • [Deleted User]
    [Deleted User]
    Community Member

    Face i.d. outside of 1password can also be turned of in the app settings or ios settings for it not to work if you do not like using it.

  • [Deleted User]
    [Deleted User]
    Community Member

    I see what you are trying to say about autofill so not sure maybe it is safari keychain.
    Good luck

  • [Deleted User]
    [Deleted User]
    Community Member

    Go to ios auto fill and try just selecting password and uncheck keychain.

  • [Deleted User]
    [Deleted User]
    Community Member

    After locking my 1Password if I try to use autofil it does pop up and does show the username, but it will not fill in password and ask for master password and so no security issue if that’s what you are seeing.

  • @amolio

    The autofill feature of iOS has its own security and unlocking mechanisms, separate from 1Password's. 1Password provides data to autofill when you've enabled that feature, but the actual experience when using autofill is provided by iOS for the most part. That said, you may be able to achieve the behavior you're looking for by enabling the 1Password > Settings > Advanced > Security > Always show lock screen for autofill setting.

    I hope that helps!

    Ben

  • amolio
    amolio
    Community Member

    I have only selected 1Password under the iOS "AutoFill Passwords" option. I have not enabled and do not use the iOS Keychain for AutoFill.

    I'd like to clarify @Ben's comment: do you mean to say that 1Password hands over all logins and passwords to iOS Autofill and that all security settings in 1Password app are independent and have no bearing on when/how often a master password is required when using iOS Autofill? If so, and only needing FaceID via autofill survives timeouts and restarts, that seems like a weakness.

  • amolio
    amolio
    Community Member

    Also: I just tried setting "Always Show Lock Scree For: Password Autofill" to enabled. It did not require me to enter a master password upon autofilling on a web site (permitted FaceID).

  • @amolio

    Also: I just tried setting "Always Show Lock Scree For: Password Autofill" to enabled. It did not require me to enter a master password upon autofilling on a web site (permitted FaceID).

    Had the Master Password timeout expired when you tried with that option enabled?

    I'd like to clarify @Ben's comment: do you mean to say that 1Password hands over all logins and passwords to iOS Autofill and that all security settings in 1Password app are independent and have no bearing on when/how often a master password is required when using iOS Autofill? If so, and only needing FaceID via autofill survives timeouts and restarts, that seems like a weakness.

    Not quite. This article explains it much better than I can:

    About AutoFill security in 1Password for iOS

    Ben

  • amolio
    amolio
    Community Member

    @Ben

    Re whether the MP timeout had expired...I don’t know, will test and repost.

    Thanks for the link to the how AutoFill security works, will review.

  • Re whether the MP timeout had expired...I don’t know, will test and repost.

    If it hadn't expired then I would expect what you described to be the result (i.e. Face ID works to unlock). :)

    Ben

  • amolio
    amolio
    Community Member

    @Ben

    It appears that the setting you recommended does work as expected. Upon a restart:

    • If “Always Show Lockscreen for Password Autofill” is disabled in 1Password app, then solely FaceID is required to access auto fill on restart (and presumably after timeout period). This one appears to default to whatever time limits iOS imposes (which don’t appear to be user selectable).

    • If “Always Show Lockscreen for Password Autofill” is enabled, a restart forces the user to enter the MP rather than accept FaceID (and presumably will kick in after the user specified time limit in 1Password app).

    Thank you for your assistance.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @amolio: Regrettably, 1Password does not know your personal expectations. Maybe someday. :)

    But can you tell us the exact steps you're taking and what is (or is not) happening as you expect? We may be able to help clarify.

    If it helps, Autofill cannot control 1Password. In order to enable biometrics, you'd need to unlock the main 1Password app using your Master Password first.

  • amolio
    amolio
    Community Member

    @brenty

    Through @Ben's instructions I have learned that iOS Autofill can continue to use biometric access (rather than typed Master Password) even when the Master Password Timeout periods set in 1Password have expired. I understand now that this is not a function of a 1Password bug or design choice, but it is nonetheless inconsistent with what I feel are reasonable expectations based on the verbiage that 1Password is using in its own app under the Advanced/Security menu. Perhaps it would be helpful for 1Password's developers to consider additional text explaining the limitation, either online or (best) in the app. When I read https://support.1password.com/ios-autofill-security/ I don't really see this issue discussed explicitly.

    Regarding your statement "In order to enable biometrics, you'd need to unlock the main 1Password app using your Master Password first" that is true insofar as you clearly have to do this at least once, but my point is that a user could restart her iOS device and, regardless of the choice made in the 1Password app to have the MP timeout after restart and/or some time period not have the MP actually required at such time. Try it yourself...if the "Always Show Lockscreen for Password Autofill" is disabled, and you restart your device, you will be able to access passwords via biometrics without first inputing the master password. You will need the MP to access 1P itself.

  • This is indeed an issue we've discussed at length internally... The difficulty we run up against is the expectations folks who may or may not be familiar with 1Password may be coming in with for the autofill feature of iOS. We don't want to go against the grain of that. The intention is to work within the autofill system, rather than try to work against it. Arguably the 'always show lockscreen' setting is working against it. I had initially made the argument internally that having this setting enabled should be the default, for the exact reasons you've outlined. But after discussion and further consideration I see the point that unless instructed by the user to do so, we should avoid modifying the expected behavior of autofill.

    Autofill itself is still a relatively new feature and so I wouldn't be surprised if further development happens on that side of things, which may also trigger further changes on our side. We'll have to wait and see what comes of it. :) For now I think we're pretty well set on having the 'always show' setting be optional and off by default.

    Ben

    ref: apple-3345

  • [Deleted User]
    [Deleted User]
    Community Member

    I do not understand what show lock screen actually does. I think it is just to show the screen just to reassure that 1password is working.
    Ben you can explain that if you want. Does having it turned on do anything?
    I also don,t not know what amolio is talking about that was not already discussed.
    If I either lock or restart my iPhone ios autofil will not fill in a password with out asking for the master password as far as a browser goes, but like I already said earlier face time will if you have already given permission to an app sign you back in. That’s what face i.d. is for. Their is no security issue here. Am I right about that Ben?

  • Turning the setting on causes Password AutoFill to refer any question regarding unlock state to 1Password. Otherwise Password AutoFill makes its own decisions about lock state.

    Ben

  • [Deleted User]
    [Deleted User]
    Community Member

    Can you explain that again in a different way, I still do not know what you mean?
    Also should I have it on or off.

  • [Deleted User]
    [Deleted User]
    Community Member

    Which is more secure on or off after the explaining please?

  • [Deleted User]
    [Deleted User]
    Community Member

    I am confused about what you mean about unlocked state. In what way can they differ?

  • [Deleted User]
    [Deleted User]
    Community Member

    What I am asking is what decision would their be other than locked or unlocked?

  • [Deleted User]
    [Deleted User]
    Community Member

    Amolio what are you talking about? I do not get your point?

  • [Deleted User]
    [Deleted User]
    Community Member

    I have turned show lock screen on then locked 1Password then tried auto fill on website and it ask for master password as it should.
    I then turned show lock screen back on then locked 1password then tried to auto fill on website and it asked for master password.
    1Password does this correctly when locked.
    So I do not know what Amolio issue is nor do I see any difference in having show on always show on locked screen on or off.

  • [Deleted User]
    [Deleted User]
    Community Member

    If anybody want to explain it better please do.

  • [Deleted User]
    [Deleted User]
    Community Member

    Ben you still here?

  • [Deleted User]
    [Deleted User]
    Community Member
    edited July 2019

    Just waiting.

  • [Deleted User]
    [Deleted User]
    Community Member

    I saw in an older post someone else asked the same question so I do not fell as crazy as I was thinking maybe I was.
    The old post determined that the always show on locked screen in 1Password settings, advanced, security is for those who have a pin enabled and other than that it is purely cosmetic. Right?
    If this is true it should explain that.

  • [Deleted User]
    [Deleted User]
    Community Member
    edited July 2019

    Well guess what Amolio you are correct that restarting the iPhone will allow auto fill to fill in your passwords without the master password, but this is because you did not manually lock your 1Password or had it to time out to never ask for a password.
    Oh and the always show lock screen has nothing to do with auto fill asking for master password enabled or disabled.
    So if you feel you want to prevent that from happening any other option besides never will time out and I suggest 1 hour after 1 hour auto fill will ask for your master password and after you do that try either manually locking 1Password or restart your iPhone and auto fill will ask for your master password before face i.d allows it.

  • @kunder

    This isn't a live chat. It's a message board / forum (think the speed of email, but public). There's no need to post every few minutes. :) Could you please try to avoid posting multiple posts in a row?

    Well guess what Amolio you are correct that restarting the iPhone will allow auto fill to fill in your passwords without the master password, but this is because you did not manually lock your 1Password or had it to time out to never ask for a password.

    This will depend on what you have set for 1Password > Settings > Advanced > Security > Require Master Password.

    Ben

  • [Deleted User]
    [Deleted User]
    Community Member

    Would you cancel and close my profile for me please?

This discussion has been closed.