Clarification on Touch ID + Mac Security

mh_nerdwallet
Community Member

Hello,

According to the Touch ID docs, if someone has the local Mac password, they can unlock 1Password with Touch ID. It doesn't specify why - is it because a user with the local password can unobfuscate the secret in the keychain, or because the user can create a new fingerprint and unlock 1Password?

Thanks!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: OSX High Sierra
Sync Type: Not Provided

Comments

  • Donaldd
    Community Member

    Hi, according to the "About Touch ID security in 1Password for iOS" page, the reason to guard your device's passcode closely is:
    "Anyone who knows it can enroll a new fingerprint, and all enrolled fingerprints on the device can be used to unlock 1Password."
    So, I think the same principle should also apply to the Mac. :)

    About the "unobfuscate" (or decrypt) the secret stored in the keychain part, I also want to hear from the professionals 8-)

    By the way, I think this is a good question that is worth adding to the 1Password white paper and the support page.

  • Lars
    1Password Alumni

    Welcome to the forum, @mh_nerdwallet! Excellent question. Oh, and for @Donaldd, this isn't really a good candidate for the white paper, since that's concerning the security of 1password.com accounts specifically, not app/platform-specific security.

    The answer is "it depends." On what? Well, from the blog post announcing 1Password 7 for Mac:

    Also new in 1Password 7, we’ve taken advantage of Apple’s Secure Enclave to protect your Master Password when Touch ID is enabled. This is incredibly cool because the keys used for encryption are protected by the hardware and not accessible to other programs or the operating system.

    This is something that wasn't possible in previous versions, which means that if you're still rocking 1Password 6 for Mac, the answer is different because the secret is stored in the System Keychain and not the Secure Enclave. This means that someone with the password to your Mac user account could view the obfuscated secret and -- with enough time and determination -- probably figure out the obfuscation, yes. It's not encryption, so someone dedicated enough could probably do it. The reason we don't mention it is not because it's not a concern, but because if someone already has your Mac user account password, it's pretty much game over already in terms of the damage they can do (like enrolling their own fingerprint and using that to unlock your 1Password data). If you believe someone else has your Mac user account password, I would certainly change your Master Password for 1Password and also turn off Touch ID at least until you can also change your user account password on your Mac.

  • Lars
    1Password Alumni
    edited September 2018

    Let me actually amend the above for clarity -- in 1Password 7 for Mac, we don't actually store your Master Password itself in the Secure Enclave, in any form. What gets stored in the Secure Enclave (as indicated in the quote I gave, but which I want to make sure I clarify here) is a keypair that encrypts your Master Password, which is generated in and never leaves the Secure Enclave.

    Having said that, even in 1Password 7 for Mac -- for now -- a user who has your password for your Mac user account can still do the enroll-a-new-fingerprint trick, and access your data that way. We're looking into ways to disallow this in upcoming releases -- like possibly requiring Master Password entry if a fingerprint is added/removed. But the best advice I can give people is still: use strong passwords, and don't share them! :)

  • mh_nerdwallet
    Community Member

    @Lars @Donaldd Thank you both for commenting! @Lars - if you guys did release a feature that requires Master Password when a new fingerprint is added, I would feel better about allowing this for our users. You are right though, the best advice is always don't share your password :)

  • Lars
    1Password Alumni

    @mh_nerdwallet - you're quite welcome, glad I was able to provide some color commentary. Since you're interested, we actually already have such a feature in place in 1Password for iOS, since it's much more likely for a mobile device to get lost/stolen/shared than it is for a laptop. In 1Password for iOS, you must re-authenticate with your Master Password instead of Touch ID if the biometric store (# of fingerprints) has changed.
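The control Lars describes (a Secure Enclave key pair that wraps the secret, and a forced fall-back to the Master Password when the enrolled biometric set changes) can be built from Apple's Security framework. This is an added illustration, not 1Password's code; the application tag and the error handling are assumptions, and the `.biometryCurrentSet` flag is what makes the system invalidate the key when a fingerprint is added or removed.

```swift
import Foundation
import Security

/// Added example (not 1Password's code). The private key lives in the Secure
/// Enclave and is bound to the *current* biometric enrollment: adding or
/// removing a fingerprint invalidates it, so the wrapped secret can no longer
/// be recovered and the caller must ask for the Master Password instead.
enum BiometricWrapKey {
    static let tag = "com.example.biometric-wrap".data(using: .utf8)!  // hypothetical tag
    static let alg: SecKeyAlgorithm = .eciesEncryptionCofactorX963SHA256AESGCM

    /// Generate the Secure Enclave key pair (requires passcode + current biometrics).
    static func create() throws -> SecKey {
        var err: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
                kCFAllocatorDefault,
                kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                [.privateKeyUsage, .biometryCurrentSet], &err),
              let key = SecKeyCreateRandomKey([
                kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
                kSecAttrKeySizeInBits as String: 256,
                kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
                kSecPrivateKeyAttrs as String: [
                    kSecAttrIsPermanent as String: true,
                    kSecAttrApplicationTag as String: tag,
                    kSecAttrAccessControl as String: access]] as CFDictionary, &err)
        else { throw err!.takeRetainedValue() }
        return key
    }

    /// Wrap the secret with the public half; no biometric prompt is needed here.
    static func wrap(_ secret: Data, with key: SecKey) throws -> Data {
        var err: Unmanaged<CFError>?
        guard let pub = SecKeyCopyPublicKey(key),
              let blob = SecKeyCreateEncryptedData(pub, alg, secret as CFData, &err)
        else { throw err!.takeRetainedValue() }
        return blob as Data
    }

    /// Unwrap. Returns nil if the key was invalidated by a biometric change
    /// (the lookup fails) or the user cancels: treat nil as "require Master Password".
    static func unwrap(_ blob: Data) -> Data? {
        var item: CFTypeRef?
        let status = SecItemCopyMatching([
            kSecClass as String: kSecClassKey,
            kSecAttrApplicationTag as String: tag,
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecReturnRef as String: true] as CFDictionary, &item)
        guard status == errSecSuccess, let key = item else { return nil }
        var err: Unmanaged<CFError>?
        return SecKeyCreateDecryptedData(key as! SecKey, alg, blob as CFData, &err) as Data?
    }
}
```

This only runs on hardware with a Secure Enclave (Touch ID Macs with a T1/T2 chip or Apple silicon, and iOS devices), and the decrypt call triggers the system biometric prompt.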

  • mh_nerdwallet
    Community Member

    Good to know - thanks @Lars! I do hope you guys are able to add the biometric-change/re-type-in-password feature soon for macOS so we can give that to our users.

  • Lars
    1Password Alumni

    :) :+1: