Feature suggestion: Unlock 1password on Mac using Apple Watch

24

Comments

  • ag_anaag_ana

    Team Member

    Thank you both for your feedback :)

  • BenBen AWS Team

    Team Member

    @mattti

    You can read about how Touch ID is used with 1Password for Mac here:

    About Touch ID security in 1Password for Mac

    As far as I'm aware there isn't a similar mechanism available for securely storing and retrieving secrets from Apple Watch.

    Ben

  • It seems that if mac doesn't have the T1/T2 chip, the features that can be quickly unlocked in other ways can never be achieved. :'(

  • +1, have a Mac Pro here, would love to do watch to confirm unlock after the initial password unlock on computer boot

  • +1 on this! Would be a wonderful feature for both clamshell mode but also older laptops without TouchID.

  • Ah, so it looks like this doesn't provide a Secure Enclave unlock but just merely a policy based check. Damn :(

  • BenBen AWS Team

    Team Member

    @wojo That's exactly my understanding.

    Ben

  • Hello!

    In macOS Catalina I can unlock password protected areas using my Apple Watch. Will this be working with 1Password as well in future? It would be great to have another option to unlock 1Password without the need to type in the complete password each and every time!


    1Password Version: 1Password 7 Version 7.3.2 (70302003) Mac App Store
    Extension Version: 7.3.2 Safari
    OS Version: 10.15
    Sync Type: 1Pasword.com

  • ag_anaag_ana

    Team Member

    Hi @Appfel!

    We currently don't have plans for this, thank you very much for taking time out of your day to to share this feedback! We appreciate every idea that could make 1Password even better.

    I can see how this could be useful to you, so while I cannot make any promises, I can tell you that I have shared your feedback internally :)

    Once again, thank you and have a wonderful day!

  • Thanks a lot :)

  • ag_anaag_ana

    Team Member

    You are welcome :)

  • I strongly recommend to implement this feature. It would be beneficial for those who are using old MacBook, which don't have a Touch ID. They could not have to type the master passcode again and again when reopen the lip.

  • @Jin7 or actually just the newest desktop hardware. I own the newest iMac, which does not have TouchID or something like that. At least a pin function would be nice...

  • jaylindelljaylindell Junior Member
    edited October 2019

    Ditto Appfel and Jin7's suggestion. I had hoped this feature might be available before now; figured it might be hard to implement. But with my move to Catalina this week, I was pleasantly surprised by watch prompts to double-click the side button to grant access to various system frameworks. I have a 2016 MBP and would love to see 1P watch authentication implemented.

    Keep up the great work, my Agile Bits friends!

  • ag_anaag_ana

    Team Member

    Thank you all for sharing your thoughts :)

  • I'll put down my vote for this feature as well! It's sounds extremely useful! I think I read somewhere a 1P dev saying they're looking into this.

  • BenBen AWS Team

    Team Member

    Catalina does indeed have a framework by which authentication can be passed from the Apple Watch to a Mac. But 1Password doesn't use authentication in that sense. It uses encryption. Your data is encrypted by your Master Password. Your Mac needs your Master Password in order to decrypt your data. As far as I'm aware there is still no framework to securely store such secrets on the watch and then securely transmit them to a Mac.

    Ben

  • Maybe this is a bit far fetched, but as an idea to see if this works, can you allow entry of the master password from the iCloud Keychain? I know it is an additional risk to store the master password somewhere- but it might proof it’s use and validate the value for us as users?

  • BenBen AWS Team

    Team Member

    Thanks for the suggestion @keesromkes. :)

    Ben

  • I would even consider having to type it once a day or week (like with Touch ID) if that’s needed - just a thought :-)

  • BenBen AWS Team

    Team Member

    Good to know. :)

    Ben

  • @Ben I could be wrong, but isn't SecAccessControlCreateFlags.kSecAccessControlWatch (https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/ksecaccesscontrolwatch?language=objc) the flag to set to allow storing a key in the Secure Enclave that can be retrieved via Watch authentication?

    I was looking at https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave#2930473 and you can get from there to https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/3042482-watch .

  • BenBen AWS Team

    Team Member

    Hi @gibfahn

    Thanks for those links. I'll be happy to share them with our development team.

    Ben

  • I'd love to have this feature. From development perspective, this is a point I'd like to see an answer on: If 1Password needs my master password to unlock my vault, how is it possible that all of my vaults (with different passwords) are accessible after I enter the master password from my main vault? I believe that 1P team knows what they're doing, but this seems like the other vaults aren't encrypted at all and it's just security by obscurity.

    Also, macOS itself does the thing that it requires login password to be entered once after reboot, but after that it can be unlocked with the Watch. Maybe a similar method could be used by 1P?

    Thank you!

  • BenBen AWS Team

    Team Member

    @OndrejMirtes

    1Password's multiple vault feature was designed so that you still only have to remember one password, no matter how many vaults you create. Your primary vault holds the encryption keys for all of your secondary vaults. This means that unlocking your primary vault will give you quick and easy access to all of your data, regardless of which vault it is stored in.

    Ben

  • ag_anaag_ana

    Team Member

    :+1::)

  • @brenty 1Password on Mac already unlocks with biometrics on the Macbook Pro, so how is adding watch different? Especially given the API is called *AuthenticationWithBiometricsOrWatch? In any case, thanks for a great product!

  • BenBen AWS Team

    Team Member

    @paulcolton

    The analogy is really poor if dissected but, ... I'll liken it to the fact that unlocking your front door with your house keys can't unlock your Mac. We're talking about apples and oranges.

    That said, this may be technically feasible on Touch ID capable Macs. We're looking into that. I can't promise that it'll be possible, or even if it is that we'll be doing it, but it is something we're investigating.

    Ben

  • @Ben I understand. That's too bad for the Mac, but I suspect TouchID/FaceID will come soon. Thanks!

This discussion has been closed.