Temporarily removing Desktop App Integration
Comments
-
I just got the auto-update and saw the removal of the DAI feature, and wanted to voice my frustration at the change. As a developer myself I 100% understand the motivations and the pain of long-running diverging versions/features, but I still request that you reconsider the decision.
Given the length of time that this very valuable feature has been around, I would assume that many users are actively using it and are now left with unsatisfactory options for the next few months. The companion extension is not a usable alternative to 1Password X, and Safari is not a viable option compared to Chrome (maybe that'll change with Big Sur, but that's a ways off too). And my master password is very long (even though it is memorable) and I don't enjoy typing it out.
As an alternative - is there going to be some alpha build of the replacement feature available soon that we could begin testing? I'd be OK dealing with new rough edges if it helps get the feature into the full production version sooner.
What about some simple workarounds in the meanwhile? Using KeyChain plus automator to autofill the master password based on a keyboard shortcut or something? Not sure if that's possible, and I'd guess there's some security pitfall to doing it...
0 -
For everyone who is stating they will version freeze as @Ben mentioned 1Password is a security product, the threat landscape is constantly changing and it's generally ill advised to have anything security related (or any software in general) to sit on an holder version. I loved the feature but I wouldn't want a vulnerability to sit unpatched on my password manager so that I can retain a feature.
@tagleader I can't speak for them but this would make sense as one of the reasons why 1password would decide to remove this feature rather than not maintain it, this makes sense in some software but is a terrible approach for a security product.
It's a beta feature and we risk these features being buggy or removed. @cryptochrome Apple do pull features from their beta software if they aren' ready and will appear back in a later dot version.
0 -
I too am frustrated by this decision - I am a heavy user of 1Password both for business and personal uses and have been responsible for onboarding two organizations onto 1Password for Business, many of whom use DAI for TouchID. Especially when working with less technical business users, we have found that DAI/TouchID, even though beta, has been a security benefit for our org, as it ensures users are more likely to use 1Password.
I am a massive fan of 1Password as a company and as a product, but this particular decision feels like a departure from 1Password's typical customer focus. The failure of this beta's solution being the final solution makes sense, as does the extra time and effort it would take to maintain this temporary beta solution while developing the final DAI (languages, toolchains, and all that), but is not that effort worth it considering it supports some of your most active and influential customers?
Speaking personally, I would much rather have the final DAI solution delivered later rather than sacrifice the current DAI in the meantime. I generally would have expected 1Password to only remove DAI if either (1) a better solution existed today or (2) a security issue necessitated its removal. It does not sound like either are true in this case.
Also while I appreciate you trying to find an alternative with the "switch to Safari" suggestion, that really isn't viable, especially for business customers that may already be embedded in a particular browser ecosystem.
0 -
I'm glad that you guys are working on a new version of TouchID integration. However, I'm disappointed that the current version won't be available in the meantime. Luckily, I caught the update in time and didn't install it, so I'll be running the current beta without updating until the new version of integration comes out. Luckily I haven't had any bugs with it, so unless there's some security issue I'll just stick with 7.7.BETA-4
0 -
Echoing @jacobwgillespie x1000. Spot on!
0 -
It's awful to see that function goes away just after I wake up. Though it's in beta, every of us here have already been used to this seamless integration. I can't figure out why you would retract this important function even if you are developing something new to replace. Please seriously consider adding it back until the new function has come in place.
0 -
I spent about half an hour trying to figure out why the DAI wasn't working (having previously been a Dashlane user where the Chrome extension would randomly break all the time, I just immediately assumed something was wrong), only to then discover that it's been removed. This is an extremely disappointing decision, as it dramatically changes the workflow I'm used to. Hearing that it will start working on Windows (and Linux) in the future is nice (DAI is definitely something I wish was available on Windows, and currently I find using 1Password much much clunkier there than on macOS), but that doesn't really help in the here and now.
0 -
Sort of. Previously, if you were in a field and pressed the down arrow key, while 1Password was locked, it would automatically show the unlock prompt (either the password box or the TouchID prompt if that was on the computer). Then, a few weeks ago, it changed a bit. On the first press of the down arrow key it would show a small box with a blue button that said something to the effect of "Unlock 1Password". On the second press of the down arrow key it seemed to basically press that button for you (an unlock prompt would appear, as noted above). So it basically went from requiring a single press of the down arrow key to requiring two presses of the down arrow key. Now, as you noted, it just gives the message " Please unlock 1Password from the toolbar icon" and that's it.
When DAI is disabled, you must unlock 1Password X via the popup that opens when you open the extension on the top right corner of your browser. That's how it has always behaved without DAI, and that's a security oriented decision. We can't show the Master Password field on the page itself because malicious websites would be able to imitate that window and phish your Master Password. But when DAI is enabled, then the unlock button is right there on the page and it will trigger your Touch ID which websites can't do.
You can call the popup by either clicking the 1Password X icon on the top right corner of your browser, or by simply pressing the keyboard shortcut CMD+SHIFT+X which won't require any clicks at all. :)
0 -
Thank you guys for all the feedback! We appreciate each and every one of you for caring and loving Desktop App Integration so much, and completely understand how disruptive it was to remove it.
We do apologize for the inconvenience, and if there was any other simpler way to go about this, we would definitely choose that way, but we assure you this was a calculated necessary decision, and we'll do our best to bring this feature back, better than ever.
Thank you for your support and patience on the matter! If there's anything we can help you with in the meantime, or if you just want to voice your opinion in a more private manner, feel free to write to us at support+extensions@1password.com and we'll gladly listen and help as necessary.
0 -
I read too late about the removal of DAI in the release notes and it was gone. I carefully read your statements throughout this thread, but I also can't understand how you can make a decision to remove one of the most loved features and not having a replacement for a really long time. I'm really bummed there won't be a comparable solution for months.
How can I revert back to the last version to use DAI till the "end of the year"?
0 -
I too want to add my frustration at losing this feature. I am pleased it's not been scrapped and will be returning and I very very much look forward to it coming back. I would hope that the 1PW team would post development progress in this topic to keep those of us who loved that feature updated with it's progress. You state that you don;t comment on future features but i'd class this as an existing feature considering us users have been using it for quite some time already.
For me, I use 1Password a lot on my work machine which unfortunately doesn't have Touch ID like my personal MacBook does. What I benefitted from a lot was the "Unlock 1Password" button that was in the popup when you clicked the icon inside a text field. Now I just get a line of text asking me to unlock from the toolbar icon. Surely this is a feature that could be brought back sooner rather than later? It was such an amazing UX improvement and I'm gutted it's gone!
Neil
0 -
Sorry about that @stacecom. It's a fair question. I think to answer it we have to look at the purpose of having public beta versions available to begin with. The primary purpose is to help us spot bugs before we ship changes to everyone using 1Password.
So ... which bugs are we supposed to spot if that feature is gone and not yet replaced? The alternative suggestions such as: "create an easier password", "increase the lock time", etc. do not look very serious (for, as you call yourself, "a security company").
Unless the latest version was containing some critical security issue, the least you could do would be to offer for the time being a way to restore the touch id version... Super frustrating in the meantime
0 -
I think if you continue reading that same post you're quoting from I explained my thought process:
While Desktop App Integration was helpful to a good number of people even in its pre-release state... it definitely wasn't bug free and ready to be included in a stable release. There is a fair bit of troubleshooting that goes on in order to make it work right. If we were still working toward the goal of releasing Desktop App Integration as a feature, with the current implementation, that troubleshooting would be worth while. It helps us identify where pain points are so that we can correct them. But that isn't the situation. As Dave mentioned the intention is for this feature to be "reborn." Whatever bugs are there are going to be irrelevant, and so finding and working through them is counterproductive at this point. As they're not going to be fixed, continuing to stumble over them in the coming months doesn't add value. Our resources would be better spent working on the new solution.
(emphasis added)
I understand this isn't the result folks wanted here. We put a lot of time and effort into Desktop App Integration, as it was, so it hurt us to scrap it as well. But we're refocusing and putting renewed efforts into building a better system that'll be healthier for the product in the long run.
Ben
0 -
What I benefitted from a lot was the "Unlock 1Password" button that was in the popup when you clicked the icon inside a text field. Now I just get a line of text asking me to unlock from the toolbar icon. Surely this is a feature that could be brought back sooner rather than later? It was such an amazing UX improvement and I'm gutted it's gone!
That may be possible. I'll chat with development and see if there is a more near-term change we can make in that regard. Thank you for the feedback!
Ben
0 -
I'm very sorry for the situation. We cannot recommend freezing your system on an old version, but I promise we'll be working hard to build the new system.
Ben
0 -
Rolling back to the previous Mac beta is super easy as we distribute those directly. It's just a hop skip and a jump to our app-updates server where you can grab any version you like.
The challenge is the extension itself. 1Password X is hosted on the Chrome Web Store and all updates are handled by Chrome. Unfortunately we have no ability to link to previous releases there.
++dave;
0 -
-
Rolling back the Mac client to the previous Beta release seems to accomplish nothing wrt to DAI being disabled (I did test it). Without the 1Pass-X extension rollback capability, I don't see any advantage of rolling back the Mac client, and it would potentially expose to missing a security update in the future (mentioned in the thread earlier)
How is the Firefox extension handled? Is there a way to download/install it separately?
In the past, they were ways to run old versions of extensions on Firefox. I don't know if those still exist.
Chrome tracking policies (the Google knows all) seems to be a security risk already IMHO, so I converted back to Firefox several months ago - although I have to use Chrome at times to read sites that demand me allow ads.
0 -
I could figure it out. crx2chrome keeps a snapshot of the extension. I found the previous version here: https://www.crx4chrome.com/crx/210889/
Steps:
1- Download the CRX
2- Remove the current extension from Chrome
3- Add the CRX
4- Unfortunately, restarting Chrome will update the extension automatically because it's not unpacked, but there is a workaround.
5- Head to extensions folder and copy paste the folder to your desktop (in Mac, it's under ~/Library/Application Support/Google/Chrome/Default)
6- Then in Developer Mode, click Load Unpacked and select the folder on your desktop.
7- Restart your computer (important or it's not going to work)After restarting my computer, my touch Id works again :-)
NB: if 1Password team provides the source code of the extension as a zip or so, steps 1 to 5 could be skipped.
0 -
I appreciate where you're coming from @Neil89 but I cannot in good conscience recommend anyone enable Developer Mode and load unpacked extensions. It's an incredible security risk as there's no code signature or any validation there whatsoever.
I obviously cannot stop you or anyone else from doing exactly that but I would implore folks to be extremely careful here. These are your most important secrets we're talking about after all.
++dave;
0 -
Although I'm obviously disappointed by the removal of this feature, I'm going to play devil's advocate and support AgileBits' decision (which I understand especially since I'm a developer too).
I'm assuming the fact to use a "non-production-ready" beta version. I hope the new feature will come back soon.
0 -
Thanks for the support @Byscripts!
We appreciate it and will do our best to release the new integration as soon as possible.0 -
WTF is wrong with you guys? This is an absolutely horrible business decision that is anti-customer and anti-security.
You literally have your support representatives (of a password security company) within this thread recommending to users to downgrade their password security because of this decision?
"you can change your Master Password to a memorable password, which would make it quite easy to type in"
I have been a very outspoken advocate of 1Password. Converted my entire company AND MANY OTHERS over to your product. TouchID unlock was probably the SINGLE biggest selling point.
The companion app workaround posted earlier in this thread doesn't work. It doesn't even stay visible in my Chrome extensions after deleting all other ones, rebooting, etc.
Honestly if you don't fix this soon I promise you will be losing many customers. I am responsible for at least a dozen companies moving over to 1password and about 100 home users.
Either release a product that will last until you fix this with the current integration, create a proper workaround, or watch this place slowly burn to the ground.
Seriously pathetic.
0 -
@calicyclist
If you converted your "entire company" and "a least a dozen companies" over to a SECURITY product based on a BETA feature, then YOUR reputation deserves to be burned to the ground. Not AgileBits. Besides, I don't think I've seen any support representatives here recommend downgrading. In fact, just three comments up from your over the top post was a team member explicitly saying NOT to rollback. Memorable passwords can still be long, involve characters, and provide strong security.0 -
I converted people over to a product that I had tested and validated from a security perspective. Ease of use should always be included in any sort of security recommendation to end users. 1Password removing a feature from their product without any warning is seriously messed up,
I quoted the team member who is recommending weaker passwords. Which memorable passwords are.
You are a clearly a 1Password shill. Maybe even a bot. If you have something of value to add please go ahead. Otherwise, get lost.
0 -
Let’s keep threats and personal attacks out of here. I am very disappointed to lose this feature for the next several months as well, and feel it is the wrong approach from a customer perspective, but there’s no need for this kind of negativity.
Reiterating my previous question: will we be able to alpha test the reimplementation of Touch ID and if so when might that happen?
0 -
Hey @calicyclist ,
We definitely feel your (and everyone else's) pain here, removing DAI was a hard decision we had to make in order to move forward, otherwise DAI would have stayed in beta forever and would not allow us to rebuild it like we plan to. Once it is re-released properly, not only Mac users will be able to enjoy it - but everyone, which is an even bigger selling point for users of all platforms :)
As for the memorable password - if you make up your own memorable password, depending on its length, it might not be as secure as a random password. But if you use our password generator to create a memorable password, the entropy and randomness of words will ensure the password is just as strong as a random password. As long as you use a password generator that was built for randomness and strong entropy, and you're not making up your own "sentence" as a memorable password, you will be just as safe and secure.
We do hope you can bear with us a little while longer until the new version of DAI is released, we promise to not disappoint you :)
@cherrydrpepper Thanks for trying to calm things down here, much appreciated!
More details will be released as development progresses, so make sure to keep an eye out here for announcements and news. For now I don't have anything else to share on the matter, but it is great to hear people are willing to test our development builds and help us out! Thank you so much. :+1:0 -
@calicyclist A memorable password most certainly does not need to be an insecure password, in fact it's pretty much the opposite, https://xkcd.com/936/. People are terrible at remembering convoluted passwords involving special characters and numbers, but 4 words. however unrelated they are, is pretty easy for a person to remember, and pretty much impossible for a computer to crack, both via brute force, and via dictionary attack, even if you assume only lowecase alphabetic characters and spaces are allowed.
@ag_yaron I stand by my statement above, but inevitably, such passwords take much longer to enter, and without the Touch ID or Apple Watch integration I feel encouraged to disable the locking mechanism in the browser extension, lowering my vault security substantially. I'm pretty good at locking my workstation when I leave it, but I'm only human...
This really was a terrible decision, I can't stress this enough, it will inevitably do one of two things:
1. sabotage your relationship with power users (at least in the short term, perhaps we'll forget eventually)
2. force a stressful schedule onto the development team responsible for re-engineering the DAI code to work cross-platform or whatever the reason wasPersonally I would have probably just frozen the beta code until the new stable code was ready, unless a security issue crops up in the beta DAI code I guess, but you've not said anything to that effect so far.
I'm a software developer myself so I definitely understand the need to be able to ship new beta code, I just can't imagine it was worth it to remove such an extremely useful feature.
0