Feature suggestion: Unlock 1password on Mac using Apple Watch
Comments
-
:+1: :)
Ben
0 -
As you may all know, the "Apple Watch unlock thing" got bigger on the MacBooks. It's now possible to double tap the button on your Apple Watch for some authentications on the MacBook. (https://wccftech.com/how-to/approve-with-apple-watch-macos-catalina/)
Maybe the API is still closed to Apple's internal apps, but maybe you can have a second look at that. In the end, I just want to give a +1 on this feature request :chuffed: :+1:
0 -
Welcome to the forum, @mrbutcher! Yep, it's something we're continuing to evaluate. Due to the nature of what it is we do, we've got considerably higher security requirements than some other apps might have for something like this. We've nothing to announce, but we're certainly monitoring new capabilities from Apple with an eye toward what we might be able to securely provide to our own users. Thanks.
0 -
This API is open. I already use it for SUDO - https://github.com/biscuitehh/pam-watchid
0 -
Your Master Password was used to encrypt your data; therefore it is necessary to decrypt it. We're not going to save it to disk to enable such a feature. If in the future there's a way to use the Secure Enclave instead (like we do for Touch ID) then we may add a feature like this to 1Password.
0 -
Hello,
I have already noticed in another application that it is possible to authorize the login to the app with Apple Watch. Maybe this is only possible with Catalina. But at least it worked there. Can you please check the feature again?
0 -
Given that it's been a month and a half, I'm curious if there's been any further evaluation of @gibfahn 's API suggestions. It would be great to know if they were a dead-end or if it looks possible to implement with that. If it's not possible I know not to get my hopes up and can go bug apple instead, but if it /is/ possible then we know who to pester for this important feature. 😛
0 -
@psifertex: The problem still remains that, unlike most use cases (or rather, completely opposite from them), 1Password's security is based on encryption, so the Master Password is mathematically necessary to decrypt the data. So you either need to enter it, or it needs to be gotten some other way. Transferring it from one device to another and/or storing it for later use is problematic for security reasons, as I'm sure you can imagine. :)
0 -
If in the future there's a way to use the Secure Enclave instead (like we do for Touch ID) then we may add a feature like this to 1Password.
I believe the existing API to use the watch to retrieve decryption keys from the Secure Enclave, the same way Touch ID is currently used in 1Password, is the one I linked to in https://discussions.agilebits.com/discussion/comment/530308/#Comment_530308 . I would guess it's just a case of adding `watch` to `SecAccessControlCreateFlags` (in addition to what you currently use, probably `applicationPassword` and `biometryCurrentSet`).
@brenty do you know if this is possible? It shouldn't require transferring between devices or storing for later use, it's just telling macOS that a connected watch can be used to authenticate key retrieval in addition to TouchID and the master password (which 1Password already uses).
0 -
I believe the existing API to use the watch to retrieve decryption keys from the Secure Enclave, the same way Touch ID is currently used in 1Password, is the one I linked to in https://discussions.agilebits.com/discussion/comment/530308/#Comment_530308 . I would guess it's just a case of adding watch to SecAccessControlCreateFlags (in addition to what you currently use, probably applicationPassword and biometryCurrentSet)
@gibfahn: Well...for starters, relatively few Macs have a Secure Enclave. And even then the Master Password (or cryptographic equivalent) has to get there somehow. So, possible perhaps, but challenging as far as security, development, and usability. Hopefully we'll be able to do something like that in the future though. :)
But here's what I was talking about earlier (emphasis added):
do you know if this is possible? It shouldn't require transferring between devices or storing for later use, it's just telling macOS that a connected watch can be used to authenticate key retrieval in addition to TouchID and the master password (which 1Password already uses).
1Password cannot decrypt your data just by you proving who you are -- authenticating; it needs your Master Password. Yes, you can authenticate using the watch, and some apps do this. But they don't need to decrypt anything; 1Password does, and therefore needs the Master Password to accomplish that. Just wanted to clarify.
0 -
relatively few Macs have a Secure Enclave
AIUI all Macs with Touch ID have the Secure Enclave, right? So it would work on the same set of devices (and all new devices, including iMac Pros, Mac Minis, and Mac Pros that don't have TouchID but do have the T2 chip and thus the Secure Enclave, list here https://support.apple.com/en-us/HT208862).
1Password cannot decrypt your data just by you proving who you are -- authenticating; it needs your Master Password.
Maybe I'm misunderstanding something about how TouchID authentication with 1Password works today. I thought from https://support.1password.com/touch-id-security-mac/#your-master-password-is-secured-by-the-secure-enclave that your 1Password data was encrypted with a key which was stored in the Secure Enclave, and the only way to get macOS to give you that key was to authenticate to the secure enclave with either your master password or TouchID, both of which were registered using the macOS SDKs as authentication methods to retrieve the decryption key from the Secure Enclave. If that were the case it would be a matter of registering the watch as an authentication method in the same way that TouchID is currently registered.
0 -
AIUI all Macs with Touch ID have the Secure Enclave, right? So it would work on the same set of devices (and all new devices, including iMac Pros, Mac Minis, and Mac Pros that don't have TouchID but do have the T2 chip and thus the Secure Enclave, list here https://support.apple.com/en-us/HT208862).
@gibfahn: Yep. As far as install base, limited almost exclusively to devices that have Touch ID anyway, which limits its usefulness.
Maybe I'm misunderstanding something about how TouchID authentication with 1Password works today. I thought from https://support.1password.com/touch-id-security-mac/#your-master-password-is-secured-by-the-secure-enclave that your 1Password data was encrypted with a key which was stored in the Secure Enclave, and the only way to get macOS to give you that key was to authenticate to the secure enclave with either your master password or TouchID, both of which were registered using the macOS SDKs as authentication methods to retrieve the decryption key from the Secure Enclave. If that were the case it would be a matter of registering the watch as an authentication method in the same way that TouchID is currently registered.
So...you're on the right track, but again, authentication gets you nothing with 1Password. If you have and try to use Touch ID to unlock 1Password before you've entered your Master Password so that its equivalent can be stored in the Secure Enclave for unlocking afterward...nothing will happen, because the Master Password is needed to decrypt the data. No authentication technologies will do any good without that. So, as far as the proposal to use an Apple Watch to unlock 1Password for Mac, you'd first need to unlock 1Password for Mac by entering your Master Password anyway. At that point you can just use Touch ID. But say you want to use your watch instead. Then how long does that last, and how is it managed? How does the watch know to offer the option -- and when not to? How does the Mac know which to use?
As I mentioned above, it's a whole bunch of security and usability challenges rolled into one. And the more we talk about the reality of it only being feasible on a subset of Macs which already have a biometric option integrated, I question the usefulness of the feature and how reasonable it would be to put all of the work in as a result -- cool factor notwithstanding. Most people requesting this feature over time have because they do not have Touch ID as an option; those that already do tend to use that. Regardless, it's not going to happen tonight. But good food for thought. Cheers! :)
0 -
authentication gets you nothing with 1Password
Sorry, I'm talking about authentication to the Secure Enclave, not to 1Password.
If you have and try to use Touch ID to unlock 1Password before you've entered your Master Password so that its equivalent can be stored in the Secure Enclave for unlocking afterward...nothing will happen, because the Master Password is needed to decrypt the data.
Yeah, my request isn't for the first time you unlock, when you have to enter the password, but for subsequent ones where you can already use TouchID.
At that point you can just use Touch ID. But say you want to use your watch instead. Then how long does that last, and how is it managed? How does the watch know to offer the option -- and when not to? How does the Mac know which to use?
Doesn't macOS handle this for you? Today if I use an app that uses these APIs, e.g. the lock button in System Preferences, the popup appears and I get a popup on my watch too:
If you take off the watch (then it locks immediately) and then click the lock button, the popup doesn't appear on the watch.
Most people requesting this feature over time have because they do not have Touch ID as an option; those that already do tend to use that.
Yeah fair enough, I have a newer Mac Mini that has T2 but no Touch ID, so I guess I'm in the minority (along with iMac Pro users, who are probably an even tinier minority). Lots of people use their Macbook in clamshell mode with an external display though, so it would also benefit them.
0 -
macOS can't handle all of that for us because this feature is designed with authentication in mind, not encryption. Hence this discussion. Otherwise we'd already be using it, essentially "for free". Maybe someday. ;)
0 -
+1
0 -
:) :+1:
0 -
+1 for me as well, although I expect I am also in the minority with a Touch Bar MacBook connected to a monitor when stationary.
That said, I appreciate the thoughtfulness that the 1Password team puts into designing the security architecture of this product. I would not want to sacrifice security for convenience and I'm happy that the team designs with that in mind!
0 -
I'd very much like to see this feature added.
0 -
I too would like to see this very much. I recently started using my MacBook in what's called "clamshell mode", i.e. the lid closed and the laptop connected to an external monitor. Obviously then Touch ID isn't available 🙂
As for many here, my master password is fairly long and cumbersome to type, so having this be able to unlock via Apple Watch would be a great improvement for my day-to-day usage of 1Password.

@brenty I believe you are mistaken and there might be a mix-up between two different security mechanisms that macOS offers. The concerns you are voicing about the feature being designed merely for authentication are indeed valid for the LocalAuthentication framework. It would not work for 1Password.
However, what @gibfahn brought up - and what I agree with - is that there is an option to indeed get watch support "for free" with the APIs that 1Password is already using today for Touch ID support. This is being done today by leveraging the Secure Enclave (https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave), which allows specifying a set of so-called `SecAccessControlCreateFlags` for access control, where `watch` is another option in addition to the Touch ID-related ones that are being used right now: https://developer.apple.com/documentation/security/secaccesscontrolcreateflags
I can perfectly understand if this currently isn't a priority for the team (even though I hope that might change 🙂) but I'd like the confusion about this not being technically possible to be cleared up.
0 -
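As an added illustration (not 1Password's code and not posted by anyone in this thread), here is what the approach gibfahn and Lukas describe looks like in Swift: a Secure Enclave private key whose access-control policy accepts either Touch ID (`.biometryCurrentSet`) or a paired Apple Watch (`.watch`), so that macOS itself shows the Touch ID or watch prompt whenever the key is used. The key tag and message are constructed placeholders, and `.applicationPassword`, which the thread also mentions, is left out because it needs an LAContext-supplied password; whether any of this fits 1Password's unlock design is exactly the question the thread debates.

```swift
import Foundation
import Security

// Constructed placeholder tag; a real app would use its own bundle-specific tag.
let keyTag = "com.example.vault-unlock-key".data(using: .utf8)!

/// Access control for a Secure Enclave private key. `.privateKeyUsage` is mandatory
/// for enclave keys; `.biometryCurrentSet` is Touch ID (and invalidates the key if
/// the enrolled fingerprints change); `.or` + `.watch` lets a paired, unlocked Apple
/// Watch satisfy the same policy. The enclave evaluates the policy, so the app never
/// sees or stores a credential for the watch path.
func makeAccessControl(allowWatch: Bool) throws -> SecAccessControl {
    var flags: SecAccessControlCreateFlags = [.privateKeyUsage, .biometryCurrentSet]
    if allowWatch {
        flags.formUnion([.or, .watch])   // .watch requires macOS 10.15 or later
    }
    var error: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, flags, &error
    ) else { throw error!.takeRetainedValue() as Error }
    return acl
}

/// Generates a P-256 key whose private half is created inside, and never leaves,
/// the Secure Enclave. Whatever the app protects is then bound to operations with it.
func makeEnclaveKey(acl: SecAccessControl) throws -> SecKey {
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: acl,
        ],
    ]
    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error)
    else { throw error!.takeRetainedValue() as Error }
    return key
}

/// Using the private key is what triggers the system prompt: macOS decides whether
/// to offer Touch ID, the watch, or both, purely from the flags set above.
func signWithPrompt(key: SecKey, message: Data) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(
        key, .ecdsaSignatureMessageX962SHA256, message as CFData, &error
    ) else { throw error!.takeRetainedValue() as Error }
    return sig as Data
}
```

Note that this only gates use of an enclave-resident key after a first unlock has happened; as brenty says, nothing here removes the need to enter the Master Password before any such key can be set up.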
Count me in for this feature, when you can please.....
0 -
Thanks for the extra research on this Lukas, hopefully the developers can chime in and let us know if it is indeed an option -- seems to be!
0 -
This would be huge for us and our employees since many of us use "clamshell mode" with the laptop lid closed and Touch ID isn't available. I fully understand why you'd have to enter the Master Password first, to enable decryption, but using the Apple Watch in lieu of Touch ID from there on out would be fantastic.
0 -
+1 -- I use a laptop in clamshell and a Mac Pro, so this would be immediately useful. Since Catalina, I have started using my watch to authorize most apps/system functions. Way more convenient, especially after a recent wrist surgery.
0 -
+1 from me too!
0 -
Thanks for everyone's input here, appreciated. :)
0 -
+1
0 -
Like many others at AgileBits I too would love to be able to unlock my 1Password vault with my watch on my new Mac Mini. Reading this thread not only showed me why that's not possible given Apple's current APIs, but also how patient and determined your customer support is. Bravo.
0 -
Would love this feature! Also a "clamshell" user (:
0 -
Another vote for this feature! =D
0