Secure Enclave Details

@Edelheid,

You shouldn't need to do anything more than enable it as you did and it shouldn't conflict with version 6 at all. You should be all-set.

Rick

Thank you @artemsyd!

Hi @nil! You are correct, when you say:

On 1P6 if you had TouchID enabled and an attacker got your local 1Password encrypted data, your macOS keychain and your macOS login password, they could potentially unlock your 1P data.

On IP7 they wouldn’t be able to do it with just those things. They would need physical access to the computer and an authenticated fingerprint.

And to your next question:

And one more question, how are the private keys removed from the Secure Enclave...

For example, I've set it up to require the password once in one day. Does the secure enclave itself remove the keys or does the 1P app have to ask the secure enclave to remove them?

Neither. The Secure Enclave retains the ability to decrypt the key. 1Password just gets rid of the encrypted key.

Similarly, on iOS the keys are removed on reboot. Does the same thing happen on the Mac?

Effectively yes. But it is a different set of keys in this case. There are also layers of keys involving the operating system and the Secure Enclave which I skipped over to keep things simple. Some of the keys that the Secure Enclave needs to decrypt things depend on things derived from the device passcode. Until that is provide to the operating system, there are things that the Secure Enclave cannot decrypt.

I'm not entirely certain how this works on macOS, with multiple users. I suspect that it is similar to full disk encryption. Some user's login passwords can unlock the keys that are used to encrypt the disks. Once provided the keys need to decrypt the disks are kept in system memory until the system is shut down.

I suspect in the future we will when it makes more sense to do so. Right now that is not true for a lot of people.

@acdx: What did you specifically have in mind? You seem to be suggesting that we're overstating the security, when the opposite is true in some cases. I still think it's best that we wait until we've got everything resolved with Apple regarding implementation since it looks like there are some changes in macOS. It's unclear at this time if we need to adjust, Apple needs to, or both -- probably both. My point is that anything we add there now may not be accurate, as this is an ongoing process with Apple. But we're open to suggestions. Should we offer zero information on (macOS) Touch ID security for the time being?

What type of changes are coming and is the Touch ID feature of 1Password 7 currently, and/or in the foreseeable future, using the Secure Enclave on 2018 Macbook Pros with T2?

@acdx: That's what I'm saying: we don't know. There have been issues on Sierra and High Sierra, and it's completely broken on Mohave.

Users need this type of information to be able to determine whether 1Password's implementation of a feature is secure enough for their needs or not.

What information are you looking for that is not in that article?

Also, users need the information that 1Password provides about security to be reliable to maintain trust. I'd imagine this is even more important for corporate customers.

I don't think it's any different for any 1Password users. That's why we've always been open about our security model and data formats.

I've been burned by 1Password in this respect before, when I found out all my metadata was sitting in Dropbox unencrypted, because my vault was in an old less-secure format and I had to upgrade to opvault manually.

Well that's a blast from the past! I'm sorry for the confusion, but "all my metadata" isn't even accurate and we've always been open about our data formats. It sounds like you're referring to overview data not being encrypted in the legacy AgileKeychain format.

1Password was making a variety of security claims on their website, but many of those didn't apply to me, simply because I had migrated from a previous version and hadn't upgraded my vault. These are the kind of "surprises" I, and I'm sure many other users, are trying to avoid.

That simply isn't the case. It isn't easy to find things on the internet going back many years, but here's an archive from the Wayback Machine from 2011 -- more than 7 years ago -- regarding the format. And this information is still available on our website today (under the same "Individual Entry Contents" heading), in a slightly updated format. And this is something we've also discussed openly over the years with customers as well. It is the claims you are making which don't stand up to scrutiny.

I agree that the Touch ID article will need to be updated once things are finalized. But my point is that, currently, the information in the article errs on the side of downplaying the security by assuming that the macOS Keychain is used. If and when Secure Enclave, with its enhanced security, is either in use by default and/or the outstanding efforts with Apple are complete, we will be sure to have that reflected in the article. For now, you should make your decision about whether or not to use Touch ID on your Mac based on the information that is available -- to all of us. I think that's reasonable.

Just the current behaviour of 1Password (= uses Secure Enclave on some systems?), and if there's any possibility that 1Password will silently revert to a less secure implementation if Apple's APIs change, etc. (a signal to security-conscious users to not use the feature).

@acdx: I'm sorry for not being clearer. My assumption was that you'd read this discussion. I think can put this to rest: 1Password 7 currently uses the Secure Enclave for Touch ID on supported Macs. The problem is that it is broken in many cases, meaning that Touch ID is not available. This is not s security risk, but "merely" a royal pain for those affected. 1Password 6 uses the Keychain. Some issues there too, but not with regard to security. Again, it's a usability problem. Touch ID APIs don't have a "fallback" that would result in weaker security; it simply isn't available when something isn't working right, and you'd have to enter your Master Password. Again, I'm sorry that it's confusing. That's part of why I don't think it makes sense to document things that are in flux. Does that help though?

Regarding opvault: I'm not arguing information about the legacy format was not available. My issue is with the fact that the advertised security features of the latest version of 1Password were not available to some users, completely unbeknownst to them. I'm sure you're familiar with the controversy. I found out all of this after I saw plaintext information from my vault in Spotlight and Googled the issue.

I'm not seeing what "claims" or "advertised features" you're referring to. When we talk about 1Password.com memberships, that obviously does not apply to people not using 1Password.com at all. Similarly, with regard to the benefits we talk about with the OPVault format, that does not apply to AgileKeychain. It's like if I complained that Apple advertises the security or convenience of Face ID when not all iPhones (and no Macs or iPads) have that feature. It just isn't applicable.

Look, I'm not interested in fighting about this issue. I'm sure you see my point, and you understand why it's important for security software to be transparent about its behaviour. Lack of obscurity around implementation details of security features is what gives confidence in people in the security industry to recommend your software. I don't think usability/simplicity is mutually exclusive with communicating thoroughly to users what your product is doing and where it's storing its data.

I agree. If there's anything that's still unclear to you, please let us know so we can answer your questions and update documentation to make it clearer where possible. Hopefully we'll be able to get everything sorted out with Apple and their Touch ID APIs in short order and update the website to reflect any changes that end up being necessary. I suspect it won't be long since Mohave will probably be released in less than two months. In the mean time, thanks for your patience, and you feedback on this. :)

@acdx,

1Password 7 only uses the Secure Enclave if you're making use of Touch ID for unlocking 1Password., nothing has changed since the initial 7.0 release.

Sorry for the confusion, @acdx. There were some changes prior to 1Password 7. (I can't recall whether those were between 6 and 7 or were within 6).