iOS 12 & Auto-Fill Security: Is it safe?

On 18 September, I read this article:
http://appleinsider.com/articles/18/09/18/inside-ios-12-autofill-gives-password-manager-apps-on-your-iphone-a-big-boost

I found it somewhat confusing and so read the comments to see if other folks were likewise confused.

Among those comments I found this:


"There are dozens of exploits that leverage autofill to siphon off user information. Here is a Quora answer from an AgileBits (maker of 1Password) employee which begins with "If you are using a password manager with automatic auto-fill, switch off that behavior. It is a (mis)feature that is dangerous and is actively being exploited."

https://www.quora.com/Why-doesnt-1Password-autofill-when-a-page-loads-like-LastPass-does-Why-must-I-use-the-shortcut-key/answer/Jeffrey-Goldberg


MY QUESTION:
In iOS 12 > Settings > Passwords & Accounts > AutoFill Passwords I find two options which I may turn on by checking them:
iCloud Keychain (which I have used to store password data for non-sensitive sites like Netflix) and
1Password (which I use for sensitive/financial sites).

Am I best advised/should I NOT check the 1Password choice?

Many thanks.


1Password Version: 7.2 iOS
Extension Version: Not Provided
OS Version: iOS 12
Sync Type: Not Provided

Comments

  • Ben (AWS Team, Team Member)

    "There are dozens of exploits that leverage autofill to siphon off user information. Here is a Quora answer from an AgileBits (maker of 1Password) employee which begins with "If you are using a password manager with automatic auto-fill, switch off that behavior. It is a (mis)feature that is dangerous and is actively being exploited."

    This does not apply to the Password AutoFill function in iOS 12. Password AutoFill does not automatically auto-fill. It requires user interaction to cause filling to happen.

    Am I best advised/should I NOT check the 1Password choice?

    We generally recommend checking 1Password, unchecking iCloud Keychain, and storing all credentials in 1Password. :+1:

    Ben

  • Thanks, Ben, for that quick and clear answer. Much appreciated. Bob

  • Ben (AWS Team, Team Member)

    You’re very welcome. :)

    Ben

  • Hi Ben, can I add an additional question here please?

    I am pleased that 1Password and iOS 12 have enabled the convenient autofill feature without compromising security. However, I notice that the autofill suggestion above the keyboard does show my user name without logging in/authenticating first. Is this a security flaw of some kind? How can iOS know what my username is without 1Password opening/being authenticated first? Are these user name/login details cached or otherwise accessible outside of 1Password?

    Many thanks for any response you can give me, I have turned off the autofill feature as a precaution in the meantime.

    Sonny

  • brenty (Team Member)

    I notice that the autofill suggestion above the keyboard does show my user name without logging in/authenticating first. Is this a security flaw of some kind?

    @SonnyWilliamson: No. Unlike passwords, usernames are never considered secret. Email addresses are often used for the same purpose, and both are generally displayed by the site -- as with your username here on your forum post. It would also be really hard for you to even know what account you're selecting without having the username displayed. And it probably isn't even accurate to say "without logging in/authenticating first", since presumably you did that in order to unlock your device. If someone else has the ability to unlock your device, there's a lot more damage they could do than find out that your username for the 1Password support forum is "SonnyWilliamson". That said, you can disable the feature if it's a concern for you. It isn't mandatory. It's a great convenience, and is very secure, but 1Password is still pretty secure and convenient without it. :)

    How can iOS know what my username is without 1Password opening/being authenticated first? Are these user name/login details cached or otherwise accessible outside of 1Password?

    Yes. They're stored in the iOS Keychain when you enable the feature. Otherwise it could not fill them for you. In order to access the passwords, though (the URL needs to be available to match to the website, and the username needs to be available so you know what you're selecting), they'd need to be decrypted using your Master Password.

    I hope this helps. But be sure to let me know if you have any other questions! :)
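The split brenty describes above, modelled as an added example (not 1Password's or Apple's code): a credential identity store holding only website host, username and record id, which the OS can read once the device is unlocked, next to an encrypted vault whose passwords are only readable after the master password is entered. The key derivation parameters, the sample logins and the `demo()` scenario are constructed for the illustration, and the cipher is a stdlib-only stand-in (PBKDF2-HMAC-SHA256 key derivation, HMAC-SHA256 counter-mode keystream, encrypt-then-MAC) for whatever authenticated cipher a real vault uses.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from urllib.parse import urlsplit

KDF_ITERATIONS = 100_000  # assumed value for this illustration


class VaultLocked(Exception):
    """Raised when a password is requested before the master password was entered."""


def derive_key(master_password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS)


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the vault key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real cipher).
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong master password or tampering
        raise ValueError("vault blob failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass(frozen=True)
class CredentialIdentity:
    """What is published to the OS identity store: no secret in here."""
    service: str    # hostname the login belongs to, used for matching
    username: str   # shown in the bar above the keyboard
    record_id: str  # handle used to fetch the password after unlock


class Vault:
    def __init__(self, master_password: str, logins: dict):
        self.salt = os.urandom(16)
        self._blob = encrypt(derive_key(master_password, self.salt), json.dumps(logins).encode())
        self._key = None  # locked until unlock() succeeds
        self.identities = [
            CredentialIdentity(urlsplit(item["url"]).hostname, item["username"], rid)
            for rid, item in logins.items()
        ]

    def unlock(self, master_password: str) -> bool:
        key = derive_key(master_password, self.salt)
        try:
            decrypt(key, self._blob)
        except ValueError:
            return False
        self._key = key
        return True

    def lock(self) -> None:
        self._key = None

    def password_for(self, record_id: str) -> str:
        if self._key is None:
            raise VaultLocked("enter the master password first")
        return json.loads(decrypt(self._key, self._blob))[record_id]["password"]


def suggestions(identities, page_url: str):
    """Identities the OS may offer for this page while the vault is still locked."""
    host = urlsplit(page_url).hostname or ""
    return [i for i in identities if host == i.service or host.endswith("." + i.service)]


SAMPLE_LOGINS = {  # constructed sample data
    "rec-1": {"url": "https://accounts.example.com/login", "username": "bob@example.com",
              "password": "correct horse battery staple"},
    "rec-2": {"url": "https://bank.example.net/", "username": "bob", "password": "hunter2"},
}


def demo() -> dict:
    vault = Vault("m@ster-pw", SAMPLE_LOGINS)
    shown = suggestions(vault.identities, "https://accounts.example.com/signin")
    try:
        vault.password_for(shown[0].record_id)
        while_locked = "leaked"
    except VaultLocked:
        while_locked = "locked"
    wrong = vault.unlock("guess")
    right = vault.unlock("m@ster-pw")
    return {
        "usernames_shown": [i.username for i in shown],
        "while_locked": while_locked,
        "wrong_master_password": wrong,
        "password": vault.password_for(shown[0].record_id) if right else None,
        "lookalike": suggestions(vault.identities, "https://accounts.example.com.evil.test/"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the username appearing for the matching page before any master password is entered, the password refused until `unlock()` succeeds, a wrong master password rejected by the authentication tag, and a lookalike host getting no suggestion at all.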

  • That's perfect, thank you so much Ben, it answers all my questions. Thank you.

  • brenty (Team Member)

    You're very welcome! Glad Ben and I could help. We're here if you need anything else. :)

  • I have 2 quick questions: Is auto-submit a total goner? Not working on my iOS 12 phone at all.

    And: FaceID is working everywhere on my XS, except in 1Password. Settings seem to suggest it’s integrated, but it’s not happening at all. What’s up with that? Should we just disable FaceID for 1Password?

  • brenty (Team Member)

    @BrianStegner2: Autosubmit is not available on mobile devices. That's not new. What's changed relatively recently is that Autosubmit is no longer available on macOS, and iOS 12 brought us all Password Autofill:

    https://support.1password.com/ios-autofill/

    In either case, you'll need to submit the form by pressing Return or tapping/clicking the "sign in" button or equivalent.

    Regarding Face ID, 1Password doesn't have any control over that; it just asks the OS to authenticate you, and then gets a negative or affirmative response. I'd try disabling Face ID completely, and then setting it up again. That should do the trick.

  • Lousy idea to disable one of the longtime features of the macOS app

  • 1Password was not even attempting to use my FaceID. I tap a username or password field or the 1Password bar and it takes me to the “enter master password” window, every time, even though I’m already logged into the 1Password app on the phone. I finally disabled the FaceID option in 1Password, and now I only have to tap in a 4-digit “pin.” Welcome back to 1995

  • brenty (Team Member)

    Lousy idea to disable one of the longtime features of the macOS app

    @BrianStegner2: Not really. While 1Password will do no harm, a malicious app can by sending keystrokes. So that's something we're in agreement about with Apple. Better to disallow it altogether. It's really easy to press Return to submit a form anyway. :)

    1Password was not even attempting to use my FaceID. I tap a username or password field or the 1Password bar and it takes me to the “enter master password” window, every time, even though I’m already logged into the 1Password app on the phone. I finally disabled the FaceID option in 1Password, and now I only have to tap in a 4-digit “pin.” Welcome back to 1995

    You should try what I suggested: disable Face ID completely in 1Password and iOS Settings, and set it up again. Let me know how it goes.
