Why do I have to unlock 1PW just to enable autofill?

dmitch77
Community Member

I'm trying to understand how iOS interacts with 1PW when autofill is enabled in iOS 12. When I first enable 1PW for autofill, I'm prompted to unlock 1PW. Why? What locked data is iOS trying to grab from 1PW? Just account names? The passwords too? I don't feel comfortable typing in my 1PW password without knowing exactly who's asking, and what they are asking for.

In general, I'd like to see some detailed description of how iOS and 1PW interact when using autofill. Who has access to 1PW data, when, for how long, what triggers an unlock request, etc. Thanks.


1Password Version: Current as of today
Extension Version: Not Provided
OS Version: iOS 12
Sync Type: Dropbox

Comments

  • dmitch77
    Community Member

    I don't understand why 1PW needs to "show the user their data" when I turn on autofill.

    What happens if I refuse to authenticate at the time in question? Does autofill still work? Is there any reason for me to authenticate when I enable 1PW with autofill?

    I'm hoping for a user-level description of the whole mechanism; I really shouldn't have to delve into SDK docs to understand a user-facing feature.

  • AGAlumB
    1Password Alumni

    @dmitch77: No. And it's fairly straightforward: You'll need to enter the Master Password (or biometrics) when prompted, or the data cannot be decrypted, and nothing will happen. That's how 1Password has always worked even before this OS feature, so I do think it's familiar to 1Password users. :)

  • Ben
    edited February 2019

    @dmitch77

    To add to what brenty said... From Apple’s iOS 12 security guide (pg 75):

    The credential provider extension must provide a view for choosing credentials, and can optionally provide iOS metadata about saved credentials so they can be offered directly on the QuickType bar. The metadata includes the website of the credential and the associated user name, but not its password. iOS will communicate with the extension to get the password when the user chooses to fill it into an app or a website in Safari. Credential metadata is stored inside the credential provider’s sandbox, and is automatically removed when an app is uninstalled.

    In this case 1Password is the credential provider extension. We do provide data to iOS (username and URL) when this feature is enabled so that 1Password items will appear in the QuickType bar.

    I have filed a request with our documentation team to include this information in our docs, so folks don’t have to go to Apple for the info.

    Ben

    ref: web/support.1password.com#1755
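
The split described in the Apple guide quoted above, as an added example that is not part of the original thread and is not 1Password's code: a credential provider publishes only site and user name to iOS, and hands over a password only when one item is chosen. The AuthenticationServices calls are Apple's; `Vault`, `VaultItem` and `publishQuickTypeMetadata` are hypothetical names assumed for illustration.

```swift
import AuthenticationServices

// Hypothetical vault model for this example; a real provider would share
// encrypted storage between the app and the extension via an app group.
struct VaultItem { let id: String; let site: String; let username: String; let password: String }

final class Vault {
    static let shared = Vault()
    private var items: [VaultItem]?                 // nil while locked (nothing decrypted)
    var isUnlocked: Bool { return items != nil }
    func unlock(with decrypted: [VaultItem]) { items = decrypted }
    func lock() { items = nil }
    func allItems() -> [VaultItem] { return items ?? [] }
    func item(withID id: String?) -> VaultItem? { return items?.first { $0.id == id } }
}

// Run after an unlock: publishes site + user name only, for the QuickType bar.
func publishQuickTypeMetadata() {
    guard Vault.shared.isUnlocked else { return }   // locked: no metadata can be read
    ASCredentialIdentityStore.shared.getState { state in
        guard state.isEnabled else { return }       // provider not enabled in Settings
        let identities = Vault.shared.allItems().map { item in
            ASPasswordCredentialIdentity(
                serviceIdentifier: ASCredentialServiceIdentifier(identifier: item.site, type: .domain),
                user: item.username,
                recordIdentifier: item.id)          // opaque lookup key, never the password
        }
        ASCredentialIdentityStore.shared.replaceCredentialIdentities(with: identities, completion: nil)
    }
}

class CredentialProviderViewController: ASCredentialProviderViewController {
    // iOS calls this when the user taps a QuickType suggestion.
    override func provideCredentialWithoutUserInteraction(for credentialIdentity: ASPasswordCredentialIdentity) {
        guard let item = Vault.shared.item(withID: credentialIdentity.recordIdentifier) else {
            // Locked or unknown record: ask iOS to show the extension UI so the user can unlock.
            let error = NSError(domain: ASExtensionErrorDomain,
                                code: ASExtensionError.userInteractionRequired.rawValue)
            extensionContext.cancelRequest(withError: error)
            return
        }
        // Only at this point does a password leave the provider, and only for this item.
        let credential = ASPasswordCredential(user: item.username, password: item.password)
        extensionContext.completeRequest(withSelectedCredential: credential, completionHandler: nil)
    }
}
```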

  • dmitch77
    Community Member

    Got it. Thanks, Ben!

  • You are very welcome. :+1:

    Ben

  • dmitch77
    Community Member

    One more thing - unlocking 1PW at the time you flip the switch to enable autofill really isn't necessary, and 1PW/autofill still works if you don't unlock at that time. All that'll happen is that you don't get the item name / user name indication on the keyboard the first time an autofill is possible - you have to hit the "key" icon. If you unlock 1PW at that time, it looks like iOS snarfs up all the sites and usernames then. So, actually no, you don't have to unlock the vault when you flip the "enable autofill" switch, and yes, autofill will still work if you don't.

    I guess I was (and still am) uneasy about being prompted to unlock 1PW as soon as I throw the switch, without any info about why I'm being prompted to do so. If the 1PW docs explain this, I'll be OK with that. Thanks again.

  • Thanks for the update and the feedback @dmitch77.

    Ben

This discussion has been closed.