Password managers are spotty on Android and iOS in general, and 1Password isn’t above that issue. I’d estimate somewhere around 10 to 15 percent of the fields I encounter on mobile just don’t register with 1Password, sending me out to the app to copy my password over manually. This is more of an issue with how apps categorize different fields and expose them to other apps running, and less of a 1Password-specific problem.
1Password at least attempts to get around this with linked apps. As you start signing into apps using entries in your vault, 1Password will connect your login to whatever app you’re logging into. That doesn’t eliminate autofill problems on mobile, but it helps in the cases where 1Password is looking for a specific URL to autofill, and the mobile app isn’t operating with that URL.
Outside of autofill, using 1Password on Android and iOS is a breeze. You can enter your account password each time you unlock your account if you want, but 1Password supports biometric authentication on Android and iOS, including Face ID support. After a certain amount of time has passed (you can change the amount of time in the settings), 1Password will ask you to re-enter your account password. Thankfully, if you don’t want to use biometrics, you can set up a PIN or passcode, as well.
Quick access is important because 1Password is extremely limited on mobile, and that’s a good thing. Even switching to another app or locking your phone will also lock your account, and if you swipe through your list of open apps, you’ll only see the 1Password login screen.
You’re free to change these settings, from the amount of time you need to re-enter your account password to when 1Password should clear your keyboard history. The defaults work well, but if you can’t be bothered, you can turn these extra security measures off.
Unique Security
1Password may function similarly to other password managers, but its security design is unique. The company has a white paper you can read through for all the gory details, and it maintains a list of certifications and recent penetration testing. The core of 1Password’s security, however, is a zero-knowledge approach. It’s designed in such a way that, even if 1Password wanted to, it has no means to decrypt the contents of your vault.
This works due to what 1Password calls two-secret key derivation, or 2SKD. It takes your account password and a secret key that’s generated on your device when you first sign up for 1Password, and uses them to derive a key encryption key (KEK). Also on your device, 1Password generates a public-private key pair. Your private key is encrypted with the KEK, while your public key is shared.
There are several layers of nested encryption beyond this, but what’s important is that 1Password doesn’t have a copy of your private key, nor a copy of your account password that’s necessary to derive the KEK. And when you authenticate, everything happens locally on your device, including encryption and decryption. Your KEK, master password, and private key never leave your device.
