iOS AutoFill integration - what data is available to iOS?

Options
Pez
Pez
Community Member
edited February 2019 in iOS

I use the iOS AutoFill integration and love it. So convenient.

But I am wondering what data iOS has access to when my vault is locked?

Refer to the image below. In this example, I have not entered my master password and my 1Password vault is locked. How does iOS even know I have a login for google.com in my 1Password vault, let alone the specific username?

Thank you!

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Ben
    Ben
    Options

    Hi @Pez

    When using 1Password with Password AutoFill the domain name (the example.com portion) of the URL as well as the username for each Login item is stored in a database that is accessible to the AutoFill service. This access does not require 1Password to unlock.

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

    P.S. As a side note... I've put in a request for our documentation team to create a guide like About Face ID security in 1Password for iOS regarding Password AutoFill.

    ref: web/support.1password.com#1871

  • Pez
    Pez
    Community Member
    Options

    Thanks @Ben - appreciate your response.

    I'm happy enough to keep using this feature, but some extra documentation would be good. I'd love to see a clear list of fields/data that is made available outside of the locked vault, and how/when this can occur.

    When I am entering a secret into my 1Password vault, my default expectation is no data from my secret is available anywhere without my Master Password.

    Exceptions to this rule may be acceptable, such as the usernames in this AutoFill example, but I would like to clearly understand when/how this happens.

    Thank you.

  • Ben
    Ben
    Options

    @Pez

    Hopefully we can put something like that together. Thanks for the feedback!

    Ben

  • Pez
    Pez
    Community Member
    Options

    Hello,

    Has there been any further thought to this documentation?

    I realize this is a feature rather than a data leak. But as a user, I assume everything I enter into my vault is a secret and only unencrypted when I enter my Master Password. Keen to see some documentation on which fields are treated differently than this (as I say above, it may not be a problem, but I would like to know which ones are).

    Thank you.

  • Ben
    Ben
    Options

    @Pez

    Indeed; we created the guide:

    About AutoFill security in 1Password for iOS

    I hope that helps. Should you have any other questions or concerns, please feel free to ask. :)

    Ben

  • Pez
    Pez
    Community Member
    Options

    Thanks very much @Ben - that's great!

    Beyond iOS autofill, are there any other cases where this happens? Eg. are 'usernames' and 'domain names' the only fields ever made available without decrypting with a master password?

  • Ben
    Ben
    Options

    Spotlight search, if enabled, would be another similar case:

    About Spotlight security in 1Password on iPhone and iPad

    Ben

This discussion has been closed.