1Password 8 Password Multiple Password Vault Unlock
So in 1PW7, I was able to unlock all my accounts with one password. However, it looks like in 1PW8, I need to unlock each account separately. We have quite a few vaults that we share with clients and unlocking each one is hassle. Can we get the 1PW7 behavior back so that we don't need to enter dozens of passwords to unlock all of our accounts?
1Password Version: 1Password for Mac 8.7.0
Extension Version: Not Provided
OS Version: macOS 12.4
Comments
-
The option is not presently available. Several users have asked for this feature to return. I'll bring up your use case to the team.
ref: IDEA-I-866
0 -
+1 This prompted an immediate downgrade to 1PW7 for me as well, as well as strongly discouraging my team/friends/family from upgrading. Multiple passwords defeats the purpose of, well, one password.
0 -
You can unlock all of your accounts using one account password by ensuring that all of your 1Password accounts use the same password. You can read more here: How to use multiple accounts
Alternatively, enabling Touch ID or Apple Watch unlock for 1Password 8 will also allow you to unlock all of your accounts at once.
I hope that helps. 😊
0 -
Ordinarily you're correct, password reuse is a bad practice. However, 1Password accounts work differently than your other accounts. Our Principle Security Architect wrote a detailed explanation here: Two accounts - now needs two different passwords every time you login? — 1Password Support Community
Let me know if that helps. 🙂
0 -
Hi @wavesound:
1Password 7 and 1Password 8 have different design choices. 1Password 8 on iOS will follow the behavior introduced in the 1Password 8 desktop apps, where only the accounts with that specific account password will unlock.
As Dave mentioned above, our recommendation continues to be that each individual uses the same account password for any 1Password accounts they may use. Touch ID or Apple Watch unlock will unlock all accounts that have been previously unlocked with their account password.
Jack
0 -
@Jack.P_1P The official workaround is to reuse my password?!?!
Tools like 1Password are intended to make the torturous hell of password management more usable and less miserable. This makes 1Password less usable and more miserable for those of us that must use multiple accounts and loved 1Password because of this seamless integration. There are ways to implement this functionality in a secure manner using OS enclaves, tokenization a single implemented in a trusted "primary" account, etc. 1Password already trusts the Touch ID framework using the "com.1password.core-biometric-unlock" item in the KeyChain on macOS to unlock multiple vaults...
As a customer, this feels like this design decision made more out of expedience than care for the customer's workflow. Like the lack of a backup import feature, it really makes 1Password 8 seem like it was developed around a deadline-driven product-cycle rather than a careful understanding of how customers use the software. As a customer it seems like 1Password's team chose to frame this loss of capability as a "security" feature to justify shipping an incomplete product.
0 -
Hey @wavesound:
The official workaround is to reuse my password?!?!
Yes. To elaborate on why that's okay with 1Password accounts and not others: 1Password accounts are also protected by your Secret Key (as well as the fact that not even a hashed version of your account password never leaves your devices). Discovery of your account password, while definitely less than ideal, would not necessarily provide someone with access to your 1Password data. They would either need one of your devices, or your Secret Key as well.
To be clear, this is a deliberate design decision we made. As alluded to in the post Dave linked to, there are some hidden "gotchas" in the previous implementation of a "primary" account. If I use
password123as my account password for my personal 1Password account (which to be clear, I don't), and work enforces an account password policy, should my significantly weaker account password for my personal account be able to unlock my work 1Password account? With 1Password 7, if I had added my personal account to the app first, and then later joined an organization that was enforcing a password policy, my weaker account password would be able to unlock my work 1Password account, defeating the password policy my work was requiring.If I have three different 1Password accounts, each with their own account password, the password I use to unlock 1Password 7 would depend on which order I added the 1Password account to that specific device. 1Password 8's method of unlocking accounts makes it very clear which password unlocks what account(s), as well as ensures any policies around passwords are followed. If I entered
password123to unlock 1Password 8, I would only unlock my personal information, and it wouldn't be until I entered my stronger work account password would my work details be available.I personally have 3 1Password accounts I sign into on a regular basis, and all three of them (my family account, individual account, and my work account) have used the same account password from before the 1Password 8 apps were even a thing.
Windows Hello, Touch ID, Face ID, and Apple Watch unlock will continue to unlock each 1Password account that has been unlocked with an account password, even if they're different. If you'd prefer to use different account passwords, unlocking them each once, and then using the biometry options available on that specific version of 1Password 8 would be your best bet.
Jack
0 -
It is very annoying and I guess I will change all my 1Password account passwords to be the same since that is the workaround.
However, the fact that I periodically get logged out on one account and not the other is annoying. There are times when I am trying to fill a login prompt and it says there are no passwords for that site. That is when I have to launch the full 1 Password to find that one of my accounts is logged out.
The way it worked with 1 Password 7 was great. This feature has to be revisited to make it work like that again.
0 -
However, the fact that I periodically get logged out on one account and not the other is annoying. There are times when I am trying to fill a login prompt and it says there are no passwords for that site. That is when I have to launch the full 1 Password to find that one of my accounts is logged out.
I have not had that happen while using the same account password for all accounts, or using Touch ID, Windows Hello, etc. Since you're planning on making that change, I don't anticipate this will continue. If it does, please start a new thread (or email us at support@1password.com) so we can troubleshoot.
Ben
0 -
@Jack.P_1P I appreciate the response, but it just focuses on policy rather than addressing real and practical threats to the password manager.
Windows Hello, Touch ID, Face ID, and Apple Watch unlock will continue to unlock each 1Password account that has been unlocked with an account password, even if they're different. If you'd prefer to use different account passwords, unlocking them each once, and then using the biometry options available on that specific version of 1Password 8 would be your best bet.
This is the crux of the issue. It seems clear that 1Password has not been following the legal and practical developments around biometrics. Biometrics access can be compelled whereas revealing passwords cannot under recent US case law.
https://www.nacdl.org/Content/Compelled-Decryption-Primer
https://news.bloomberglaw.com/us-law-week/compelled-biometric-access-legal-under-4th-5th-amendments
https://arstechnica.com/tech-policy/2019/11/police-cant-force-child-porn-suspect-to-reveal-his-password-court-rules/
https://www.techdirt.com/2022/07/21/fbi-successfully-forced-a-criminal-suspect-to-unlock-his-wickr-account-with-his-face/
https://www.biometricupdate.com/201912/federal-state-court-rulings-on-whether-biometrics-protected-by-fifth-amendment-get-murkyWe can't use biometrics with several of our customers since biometric components can never be changed/modified since they are physically traits of the user that can always unlock all accounts over a period of up to two weeks when users could be legally compelled.
Aside from the legal issues, thieves that mug users on the street are frequently forcing users to look at or use their fingerprint to unlock devices.
https://www.thetimes.co.uk/article/mugged-for-my-phone-then-locked-out-of-my-life-92kpv50x7
https://abc7chicago.com/chicago-robbery-south-loop-downtown-cellphone/1506428/
https://goalz.online/thieves-forcing-victims-to-unlock-phones-before-transferring-thousands-of-pounds-in-digital-currency/
https://bobsullivan.net/gotchas/forced-to-venmo-at-gunpoint-smartphone-crime-gets-more-violent-more-tech-y/A quick access PIN/Token would give your customers options to address both of these issues and was previously implemented in 1Password 7 for iOS with a single failure lockout.
If an intrinsic unchangeable physical trait is acceptable, then I can't see why a single-attempt/single failure lockout PIN as implemented in 1Password 7 for iOS would not also be acceptable to unlock all vaults over the two week period that you specified.
0 -
It looks like you deleted my last reply in this thread. Could you elaborate why?
0
