About Touch ID Security in 1Password for Mac
When you enable Touch ID, 1Password stores in the macOS Keychain an obfuscated version of a secret that can be used to decrypt your 1Password data. The secret is used to unlock 1Password when your fingerprint is recognized. It is stored using these attributes:
- kSecAttrSynchronizable — This means that the secret is synced with iCloud Keychain. However, Apple can’t access it. Additionally, it’s combined with a unique code that’s only stored locally by 1Password, so it’s not usable on any other device.
- kSecAttrAccessibleWhenUnlocked — This means that nothing can access the secret when your Mac is locked.
- keychainGroupIdentifier = "2BUA8C4S2C.com.agilebits.onepassword" — This means that only 1Password can access the secret unless you enter the password you use to log in to your Mac.

1Password removes the secret from the macOS Keychain when the amount of time in Preferences > Security > Require Master Password has elapsed.
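For readers who want to see what that attribute set looks like in practice, here is an added Security-framework example (not 1Password’s code) that stores, reads and removes a generic-password item with the three attributes listed above; the service and account strings are hypothetical, and the access group is the one quoted from the support document.

```swift
import Foundation
import Security

// Added example, not 1Password's code. Service and account names are
// hypothetical; the access group is the one the support document quotes.
let accessGroup = "2BUA8C4S2C.com.agilebits.onepassword"

func baseQuery() -> [CFString: Any] {
    return [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: "com.example.touchid-unlock",   // hypothetical
        kSecAttrAccount: "unlock-secret",                // hypothetical
        kSecAttrAccessGroup: accessGroup,                // only this group may read it
        // Synced via iCloud Keychain. This key must also be in every later
        // query: by default, searches match only non-synchronizable items.
        kSecAttrSynchronizable: true,
    ]
}

func storeUnlockSecret(_ secret: Data) -> OSStatus {
    var item = baseQuery()
    item[kSecValueData] = secret
    // Readable only while the Mac is unlocked. A device-bound alternative
    // would drop kSecAttrSynchronizable and use
    // kSecAttrAccessibleWhenUnlockedThisDeviceOnly, which keeps the item out
    // of iCloud Keychain and backups at the cost of not syncing.
    item[kSecAttrAccessible] = kSecAttrAccessibleWhenUnlocked
    SecItemDelete(baseQuery() as CFDictionary)   // replace any earlier copy
    return SecItemAdd(item as CFDictionary, nil)
}

func readUnlockSecret() -> Data? {
    var query = baseQuery()
    query[kSecReturnData] = true
    query[kSecMatchLimit] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    return status == errSecSuccess ? (result as? Data) : nil
}

func removeUnlockSecret() -> OSStatus {
    // The equivalent of what happens when the "Require Master Password"
    // timer elapses: the secret is deleted from the keychain outright.
    return SecItemDelete(baseQuery() as CFDictionary)
}
```

Because the item is synchronizable, it lives in the iCloud Keychain store rather than the legacy file-based login keychain, which is why kSecAttrAccessible and the access group are honored on macOS.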
This is new in 1Password 6.5. It sounds pretty much like the situation on iOS, but due to the differences between the operating systems it does not seem as useful to me. On iOS, Touch ID is a killer feature. You trade a bit of security for a lot of convenience. The secret is stored in the device keychain, which is hard to access because iOS is so locked down, and in return you can avoid having to type your long master password using a tiny glass keyboard. On the Mac, it’s easier to access the keychain, and it’s probably backed up to other hard drives or cloud services. As to convenience: you’re typing on a full-size keyboard, and 1Password already had a way to remember your password in RAM. (Unlike on iOS, the 1Password helper app can keep running in the background for as long as you want.) So how much is this really gaining you? None of this is to say that Touch ID is a bad feature—but, rather, that the context in which it appears can make a big difference.
Previously: 1Password 5: Touch ID and Safari/App Extensions.