Idea for 1Password API
This idea has been brought up before, but here is my take on how an API for 1Password would work, allowing other apps to get access to your credentials.
- Each app has a token, registered with AgileBits, which identifies its requests for access.
- When the app requests access to your 1Password credentials, 1Password pops up. It lets you choose to only grant access to some of your stored credentials. It might also ask you to enter your master password, to prevent clickjacking.
- In the future, when the app asks for your credentials, 1Password only gives it the ones you authorised it to have access to.
- You can change the credentials it has access to or revoke access to that app at any time.
Optionally, 1Password could have a "super secure mode". In super secure mode, not only must the app pass a token to request credentials, but that token must be signed by the AgileBits server, and each signature can only be used once. That way, if the app's token is compromised, the developers can revoke it and it will immediately stop working on all clients with super secure mode enabled.
This is just an idea I had, let me know if there are any ambiguities or design flaws.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @markspolakovs,
Thanks for writing in.
This would be possible with the 1Password.com service but right now, we're still focused on improving the service for everyone on all platforms before we start to extend outward to cover this type of use case.
We do want to have an API like this for 1Password.com service but as it allows folks into your data, we have to be absolutely sure about how this works and that will take a long time. It might be the case we can't be sure and thus, we won't support it. Right now, this is not something that's high on our list since we already have a lot of stuff on our list to finish first.
When the app requests access to your 1Password credentials, 1Password pops up. It lets you choose to only grant access to some of your stored credentials. It might also ask you to enter your master password, to prevent clickjacking.
We most likely would take the step of creating an isolated vault and its own encryption key to have its own items that you can review anytime. In other words, a tiny app vault for each app on your list. Having access to that vault's key would not expose it to other vaults you own.
It might also ask you to enter your master password, to prevent clickjacking.
It will be mandated each time for sure.
In the future, when the app asks for your credentials, 1Password only gives it the ones you authorised it to have access to.
Not only that, 1Password will be performing an enhanced code signature check to make sure it is the right process signed by the company, like how we protect our 1Password extensions in your web browsers.
0