prime (Dedicated Contributor), 3 years ago
Passkey and unlocking 1Password with it (biometrics) in iPhones
In this blog post, it shows how we can log into 1Password without a password, using our biometrics/device. Correct me if I am wrong... So the passkey for my 1Password account is tied to my iPhone (assuming in the passkey area of my iPhone). With the issue of people having their iPhone stolen and being locked out, is this a bad idea? If someone gets my iPhone and has my passcode for my iPhone, wouldn't the attacker have access to my 1Password then?
I know the workaround to protect my iPhone, but not all do this. My iPhone password is also alphanumeric, not just 6 digits.
22 Replies
- CorgiBike (Occasional Contributor)
Like prime, I'm less worried for myself than for others. I'm also less concerned about violent theft, as there's only so much I can expect from Apple. A duress/honeypot passcode would be nice, but would confuse the masses. And Apple doesn't like offering options for advanced users.
That said, just for @steven1, theft rings have surveilled victims. So I'd add to your warnings that you should turn in a circle as you enter the passcode, so they can't catch the entire thing.
It's wild to me that Apple doesn't even confirm on your connected Watch when someone within BT range tries to change your password! This could all easily be fixed, but they choose not to. So I'll use 1Password to store my passkeys and use the old method to access 1Password.
- prime (Dedicated Contributor)
"Would be prompted for appleid email (assume they know this and enter it)"
All the person has to do is open the email app and look for emails sent by Apple.
I’m not as worried, my passcode is over 15 characters long and if Face ID fails and I have to put it in, I do it so no one can see me.
I’m more worried about my parents, in-laws, kids, and others who just use a 6 digit PIN for their iPhone password after I tell them it’s not a good idea.
- Former Member
Hi prime
First, if the thief/assailant has both your phone and device passcode, it is pretty much game over.
* This can happen if the passcode is not long and entered in public and you are shoulder surfed. Hence, I would suggest always to use a very long and tedious alpha-numeric passcode and use FaceID/TouchID for unlock as a general use case. In case your phone gets locked, go to a toilet to enter the passcode. Yes, you need to be paranoid.
* If the assailant forces you to reveal your passcode by threatening bodily harm, gunpoint, etc., same thing, game over (btw, give it to them).
* Given the prominent space most third-party password managers are likely to have on the home screen, the assailant could even ask you to unlock your password manager. One has to expect they will get savvy too... So... our defense is limited to making it hard for the grab-and-run type of theft to completely upend your life.
In this regard, the ScreenTime passcode does add enough friction to give you some time to prevent total digital loss (remember in this scenario the thief does not have access to your iPhone passcode, at most an unlocked phone). In this unlocked state before the lock kicks in, ScreenTime passcode does the following:
* It prevents them by default being able to view / remove other devices from your iCloud account
* the reddit thread you mentioned is interesting, in that the thief could choose to change the screentime passcode rather than entering it.
* To do this, the thief would:
    * Choose change Screen Time passcode
    * Choose forgot passcode
    * Be prompted for the Apple ID email (assume they know this and enter it)
    * Choose forgot Apple ID password
    * Be prompted to type in the trusted phone number (I wish Apple allowed us to remove trusted phone #s, but atm you need at least one)
    * Hopefully, you are using a # that is not the # on the phone, but say a Google Voice number. However, this too is just a speed bump, not a restriction, because you probably have GV on the phone too, right? (Of course, I do as well.)
    * Once the thief enters the correct trusted number after digging around looking for the trusted #, they then need to approve the Apple ID password change on another device or using a hardware security key, assuming you have the latter set up (you should). Hopefully they don't have access to another device as well and you can rush to put the phone in Lost Mode. So in a nutshell, the reddit thread is not quite correct... you can go through the flow yourself without actually changing the password to test it out.
It's tough, given how much of our digital lives are on our phones...
If you want to add another, paranoid layer, carry two phones, ideally connected to different Apple IDs. One would not have 1Password and other sensitive apps or email accounts, but it could have some cards added to Apple Pay to pay for things. If on a different Apple ID, you won't get the same iMessages, but you can add this phone to your primary # for WhatsApp. Basically, give this phone to an assailant and provide the passcode too. Hopefully they don't search you for the other phone. Your primary phone could be in your backpack while the 'disposable' one is in your hand. If you do this, you could even just leave the primary phone at home if you are out on the town.
Lots to think about... we should each think of our threat model, I guess.
- prime (Dedicated Contributor)
@steven1 I just read a post on Reddit on how this Screen Time passcode can be bypassed and your Apple ID password can still be changed.
https://www.reddit.com/r/ios/comments/13vtehk/psa_tips_for_hardening_your_idevice_against_theft/?utm_source=share&utm_medium=ios_app&utm_name=ioscss&utm_content=2&utm_term=1
- Former Member
Screen Time Passcode
As has been mentioned here and in a few other places, an additional layer of 'passcode' can be added to iPhone in the form of the Screen Time Passcode. Enable Screen Time, set a 4-digit passcode, and set restrictions to prevent Account Changes and Passcode Changes.
With this enabled, someone would need to additionally enter this 4-digit passcode to change your iCloud password, even if they have your iPhone and iPhone passcode.
Yes, it is only 4 digits, but it is enforced by the Secure Enclave, with increasing timeouts for wrong entry. I like to leave it with an intentionally entered wrong passcode, thus triggering the first timeout of 1 minute before retrying (after 6 failed attempts). Each successive incorrect entry will increase the timeout, but of course, at any time you can enter the correct Screen Time passcode to make the restricted changes.
I wish we could enter longer passcodes for Screen Time, but 4-digits it is for now, and may buy you enough time to reset your iCloud Password and remove the device from another trusted device, before the thieves completely lock you out.
Hope this helps.
- bugwhat (Super Contributor)
Was gonna comment, but changed my mind.
- CorgiBike (Occasional Contributor)
I was about to email mailto:passwordless@1password.com about this. Glad prime brought it up. I've been following 1Password's passkeys blog/emails since last year, and throughout that time, this issue was not clear to me. I concur with @luisneto's suggestion to 1P_Dave that 1Password should highlight this shortcoming in Apple's security envelope, as it relates to securing our vaults.
1P_Dave, is there no way for 1Password to serve as the "hardware" on Apple devices, rather than simply the storage for the passkey? I trust 1Password any day over Apple's "masses over security" approach.
I've been telling people to refrain from using passkeys until there's clarification on this, so it's good to know. Apple's glib responses to WSJ articles have been concerning. Their most recent security additions show where their focus lies (with careless rather than responsible users):
- "Recovery Key," like passwords, can also be changed (and enabled) with the passcode and makes it nearly impossible for theft victims to access their accounts.
- "Account Recovery Contact," helps people who forget their password and passcode, by allowing them to request a code from a trusted contact.
If this is at all unclear to us, the beta-using technophiles on your forums, I think it's unlikely that everyday users will spare 1Password blame when Apple's poor policies get them locked out of their account, and suddenly they lose everything in their 1Password vault also.
- Pleonasm (Dedicated Contributor)
- prime (Dedicated Contributor)
@luisneto
"Just a minor correction to avoid confusion: the correct word here is "passcode" 🙂
Indeed, we all know that we shouldn't be using the same password across services, so that if a password is leaked, the attacker can't get into other services/apps.
And yet, unfortunately, nowadays the iPhone Passcode is like a password reused in various places."
To me, passcode is all digits/numbers only. I have an alphanumeric, 15ish-character-long passcode on my phone, so this is why I said password.
- Former Member
You can configure a passcode to be a custom alphanumeric code.
That’s more like a password
I know, but the correct term is still "Passcode" and we should use it to avoid confusion (with the 1Password password, for example).
"and you don't have to reuse it anywhere else."
It looks like I didn't quite get my point across in my analogy. It's not about reusing the Passcode intentionally.
It's about the fact that authentication of Apple passkeys on iOS falls back to the passcode, and because of that, the passcode is like a password that, besides unlocking your iPhone, is also reused across all your services for which you have passkeys configured.