Feature suggestion: Unlock 1password on Mac using Apple Watch

fengi

Hi there!

You guys probably know the feature of unlocking the account on Mac OSX with Apple Watch, right?

Would that be technically possible to do the same for 1password - to unlock the app (instead of typing in the password)? Can Apple Watch be used this way by developers, or is it an API restricted to Apple?

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: OSX 10.13.3
Sync Type: Not Provided

Lars

Welcome to the forum, @fengi! Thanks for the question. It's an excellent idea, and frankly I wish we could do it in a secure way, too -- because that would be awesome. Unfortunately, for now at least, the short answer is: no. The slightly longer answer is that Apple doesn't make those watch-unlock APIs available to developers. for now, ONLY Apple uses it, and ONLY to unlock your Mac, via their proprietary API. All "3rd-party" ways that we could come up with to circumvent the lack of having access to the official, secure way to do it (via Apple's APIs) have involved us storing your Master Password somewhere on your either your Mac or your Apple Watch in some form, and that's just not something we're going to do, for security reasons. So, unless Apple makes the unlock-with-watch APIs available (as they have done with other APIs like Touch ID and Face ID), we're probably not going to be able to do it securely, which means we won't be doing it at all.

fengi

Thank you for a detailed answer.

It's all clear and good to see you really care about security (by not doing this until Apple makes that available).

I hope this API will be available for use by 3rd party apps one day - that would be a really cool feature ;-)

Lars

@fengi - yup, I agree: it would be cool. Hopefully, this is something we can manage in the future. Thanks for sharing your wishes with us! :)

reubendaniels

I would greatly welcome this feature - especially for those of us using Macs without Touch ID e.g. iMac.

Lars

Welcome to the forum, @reubendaniels! I have two - my main rig at home is a 27" iMac 5K -- which has no Touch ID -- and a current model MacBook Air, for when I'm on the road, which does have Touch ID. And I agree, the time-savings is significant, especially if one has a long and complex Master Password, as I do. When you spend all your time in front of the computer all day long as I do, and you have to repeatedly unlock, it adds up. So it's not that we're opposed to this feature at all. What we're hesitant about is trying to come up with a hack-y way to do it in the absence of a secure way via the manufacturer's own secure APIs. That's just not the kind of thing we're interested in spending any developer time trying to do, at this point. But we do keep an eye on things, because the landscape is always changing and what's not possible today (given our requirements for security) may very well be tomorrow.

jvaleski

yes please!!!

Lars

:) :+1:

vintall

I too had asked about this feature quite a while ago @Lars. Thank you for your detailed answer...which makes good sense. We really don't want to introduce anything that compromises security. I work in clam-shell mode with my laptop all day with an external monitor, and like you, have a really long password. It does get tiresome to keep typing it in all day long, but on the bright side, I probably won't be forgetting it anytime soon...LOL.

Lars

@vintall - yep. I'd love it if Apple made these APIs available to us, but that's purely something we'd have to take a wait-and-see approach on.

It does get tiresome to keep typing it in all day long, but on the bright side, I probably won't be forgetting it anytime soon

Indeed, it is this very combination of muscle and mental memory that is reinforced and strengthened by regular repetition (and can atrophy through disuse, like from biometrics or watch-unlock).

iqthink

This might exactly what 1Password needs!
https://9to5mac.com/2019/04/18/apple-watch-mac-password/

ag_ana

Thank you for sharing this @iqthink! That does indeed look interesting :)

Lars

@iqthink - yeah, we noticed that one with interest as well - OK, also maybe a little drool ;) - still not sure what this may mean since no one's actually seen it yet (at least, no one here has), but we'll be keeping a close and hopeful eye on it. Thanks for noticing!

iqthink

Awesome. Look forward to testing or helping in any way. I’ve been using 1Password for 7+ years and recommend to everyone I know.

Lars

:) :+1:

Dickytall

Hi guys, any update on this feature? Is it looking promising?

Lars

@Dickytall - nothing to report as of now, but we'll keep you posted. You'd see something like that first in the beta channel, so keep an eye on release notes for updates, and join us on the beta if you're interested by clicking "Include beta builds" in 1Password's Preferences > Updates. And who knows? We've got a few folks out at WWDC this week, and you never know what Apple might have up their sleeve. :)

cdferenzi

Any update on this considering the new macOS Catalina details released on Monday?

switters

Yes, on the Catalina page it looks to me like Apple is now allowing third-party apps to use the Watch to unlock them?

rudy

@cdferenzi and @switters,

@lars' response just above yours is what we have to say at this time.

appleianer

Hi 1 Password user,
regarding unlocking iMac's or MacBook Pro's with Apple Watch and 1Password I have no solution either. My MacBook Pro doesn't have a Touch ID function either 😌

I solved this for myself with a Siri shortcut and a Keyboard Maestro macOS keychain macro. You can see exactly how this works in this forum post.

https://forum.keyboardmaestro.com/t/use-siri-shortcut-from-iphone-to-unlock-your-mac-or-use-other-macros-as-well/13360

Of course I can also call the Siri shortcut via the Apple Watch and unlock the Mac's.
The only disadvantage is that it sometimes takes a few seconds, but I have the security that no one can watch me entering the admin password 😉

Lars

@appleianer - interesting! I'm not a KM expert myself (though I do use it), but it looks to me as if this only works to unlock your Mac's user account, not 1Password itself? Correct me if I read that wrong. The reason we haven't had any such setup of our own for 1Password previously is that it would require us to store the Master Password somewhere, however temporarily, and we're just not willing to do that, for security reasons. We're still interested in seeing how/whether we can make use of Apple's newly-available APIs to do this in a secure way, but again -- nothing to announce on that score just now. Thanks for taking the time to share your KM workflow! :)

appleianer

Please excuse the misunderstanding @Lars. I had accidentally read only Unlock Mac, but not that it only refers to unlocking the 1Password Mini with the master password.
This would also be possible with my shown workflow via Keyboard Maestro, if the master password would be stored in the macOS keychain.

However, I don't do that either, but always enter it manually. But what I created with Keyboard Maestro is an autofill login for apps on the Mac.

The video is in German, but the process should be understandable.

https://www.youtube.com/watch?v=BHaVE9PSE2A

Unfortunately, since the update to version 7.3 there is a problem with the Autofill login after manually entering the master password for a locked 1P Mini (Applescript) but I have already contacted the support today.

Lars

@appleianer - no worries! :)

This would also be possible with my shown workflow via Keyboard Maestro, if the master password would be stored in the macOS keychain.

However, I don't do that either, but always enter it manually.

Yup, this is our thinking: your Master Password should live only in your head, not anywhere in your computer memory.

danielcompton

macOS 10.15 introduces kLAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch

You can see an example of this in action at https://github.com/biscuitehh/pam-watchid.

AGAlumB

We'd like to do something like that, but 1Password's security is based on encryption, not merely policy. Put another way, 1Password for Mac needs the Master Password to unlock. Simply having kLAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch does not provide that.

telephoneman

Hi guys, on macOS Catalina its possible to unlock/confirm several security relevant features by just double click on Apple Watch. For those people without TouchID on MacBook: Would it be possible to unlock 1Password vault with that Apple Watch double click?

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

ag_ana

Hi @telephoneman!

This is not something that we have at the moment, but thank you for your feedback!

mattti

Hi brenty
Just a question for my understanding: What is the difference between authenticating using TouchID vs. authenticating using Apple Watch?
Thanks!

gilbitron

This is a feature I'd love to see. The worst thing about going from an MBP to a Mac mini is losing Touch ID to quickly unlock 1Password.

cjs226

+1