1Password Apple Watch Unlock and Desktop Macs [Secure Enclave Required]
Comments
-
To clarify, 1Password data is encrypted using the Master Password, and therefore it is mathematically required to decrypt it. So the only ways to "unlock" 1Password are for the Master Password to be entered by the user, or for a cryptographic equivalent to be stored in order for that to be used in lieu of the user providing it each time. Keychain data is stored on disk and available system-wide, while storing the Master Password equivalent in the Secure Enclave ensures that it can only be retrieved by the OS upon the user authenticating using a registered device or biometrics. That isn't possible on a Mac without the T1 or T2 security chip, or Apple Silicon, as there is no Secure Enclave otherwise.
As a security company, storing the Master Password (or its equivalent) on disk is not something we're willing to do, as that would make it possible for anyone with access to the device to also decrypt 1Password's data. It's certainly the case that someone with access to the machine can do a lot of bad things, so operational security is also of the utmost importance, but this is a very basic principle that we follow in order to avoid a device compromise necessarily resulting in 1Password user data being compromised as well, without the user doing anything (entering their Master Password into a malicious app or website, accessing sensitive data with an attacker "watching", etc.)
Prior to 1Password for Mac version 7.7, everyone without Touch ID on their Mac would necessarily have to enter their Master Password to unlock 1Password any time it was locked. But with the release of version 7.7 all Macs with a Secure Enclave can use Unlock with Apple Watch in many cases to access 1Password as well. While not available to all users, it's an option that's available to many more people that was possible previously; and it's likely that, much like any other new device with new OS/hardware features, any new Macs we use in the future will support this feature, so that's something to look forward to, even if it's not something we can all benefit from yet right now -- the work is already done, and I'm looking forward to getting an Apple Silicon Mac myself someday, if not in the near future. :)
0 -
This content has been removed.