Feature suggestion: Unlock 1password on Mac using Apple Watch

24

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you both for your feedback :)

  • @mattti

    You can read about how Touch ID is used with 1Password for Mac here:

    About Touch ID security in 1Password for Mac

    As far as I'm aware there isn't a similar mechanism available for securely storing and retrieving secrets from Apple Watch.

    Ben

  • zxftag
    zxftag
    Community Member

    It seems that if mac doesn't have the T1/T2 chip, the features that can be quickly unlocked in other ways can never be achieved. :'(

  • scootklein
    scootklein
    Community Member

    +1, have a Mac Pro here, would love to do watch to confirm unlock after the initial password unlock on computer boot

  • wojo
    wojo
    Community Member

    +1 on this! Would be a wonderful feature for both clamshell mode but also older laptops without TouchID.

  • wojo
    wojo
    Community Member

    Ah, so it looks like this doesn't provide a Secure Enclave unlock but just merely a policy based check. Damn :(

  • @wojo That's exactly my understanding.

    Ben

  • Appfel
    Appfel
    Community Member

    Hello!

    In macOS Catalina I can unlock password protected areas using my Apple Watch. Will this be working with 1Password as well in future? It would be great to have another option to unlock 1Password without the need to type in the complete password each and every time!


    1Password Version: 1Password 7 Version 7.3.2 (70302003) Mac App Store
    Extension Version: 7.3.2 Safari
    OS Version: 10.15
    Sync Type: 1Pasword.com

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @Appfel!

    We currently don't have plans for this, thank you very much for taking time out of your day to to share this feedback! We appreciate every idea that could make 1Password even better.

    I can see how this could be useful to you, so while I cannot make any promises, I can tell you that I have shared your feedback internally :)

    Once again, thank you and have a wonderful day!

  • Appfel
    Appfel
    Community Member

    Thanks a lot :)

  • ag_ana
    ag_ana
    1Password Alumni

    You are welcome :)

  • Jin7
    Jin7
    Community Member

    I strongly recommend to implement this feature. It would be beneficial for those who are using old MacBook, which don't have a Touch ID. They could not have to type the master passcode again and again when reopen the lip.

  • Appfel
    Appfel
    Community Member

    @Jin7 or actually just the newest desktop hardware. I own the newest iMac, which does not have TouchID or something like that. At least a pin function would be nice...

  • jaylindell
    jaylindell
    Community Member
    edited October 2019

    Ditto Appfel and Jin7's suggestion. I had hoped this feature might be available before now; figured it might be hard to implement. But with my move to Catalina this week, I was pleasantly surprised by watch prompts to double-click the side button to grant access to various system frameworks. I have a 2016 MBP and would love to see 1P watch authentication implemented.

    Keep up the great work, my Agile Bits friends!

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you all for sharing your thoughts :)

  • Gevor
    Gevor
    Community Member

    I'll put down my vote for this feature as well! It's sounds extremely useful! I think I read somewhere a 1P dev saying they're looking into this.

  • Catalina does indeed have a framework by which authentication can be passed from the Apple Watch to a Mac. But 1Password doesn't use authentication in that sense. It uses encryption. Your data is encrypted by your Master Password. Your Mac needs your Master Password in order to decrypt your data. As far as I'm aware there is still no framework to securely store such secrets on the watch and then securely transmit them to a Mac.

    Ben

  • keesromkes
    keesromkes
    Community Member

    Maybe this is a bit far fetched, but as an idea to see if this works, can you allow entry of the master password from the iCloud Keychain? I know it is an additional risk to store the master password somewhere- but it might proof it’s use and validate the value for us as users?

  • Thanks for the suggestion @keesromkes. :)

    Ben

  • keesromkes
    keesromkes
    Community Member

    I would even consider having to type it once a day or week (like with Touch ID) if that’s needed - just a thought :-)

  • Good to know. :)

    Ben

  • gibfahn
    gibfahn
    Community Member

    @Ben I could be wrong, but isn't SecAccessControlCreateFlags.kSecAccessControlWatch (https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/ksecaccesscontrolwatch?language=objc) the flag to set to allow storing a key in the Secure Enclave that can be retrieved via Watch authentication?

    I was looking at https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave#2930473 and you can get from there to https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/3042482-watch .

  • Hi @gibfahn

    Thanks for those links. I'll be happy to share them with our development team.

    Ben

  • OndrejMirtes
    OndrejMirtes
    Community Member

    I'd love to have this feature. From development perspective, this is a point I'd like to see an answer on: If 1Password needs my master password to unlock my vault, how is it possible that all of my vaults (with different passwords) are accessible after I enter the master password from my main vault? I believe that 1P team knows what they're doing, but this seems like the other vaults aren't encrypted at all and it's just security by obscurity.

    Also, macOS itself does the thing that it requires login password to be entered once after reboot, but after that it can be unlocked with the Watch. Maybe a similar method could be used by 1P?

    Thank you!

  • @OndrejMirtes

    1Password's multiple vault feature was designed so that you still only have to remember one password, no matter how many vaults you create. Your primary vault holds the encryption keys for all of your secondary vaults. This means that unlocking your primary vault will give you quick and easy access to all of your data, regardless of which vault it is stored in.

    Ben

  • ag_ana
    ag_ana
    1Password Alumni

    :+1: :)

  • paulcolton
    paulcolton
    Community Member

    @brenty 1Password on Mac already unlocks with biometrics on the Macbook Pro, so how is adding watch different? Especially given the API is called *AuthenticationWithBiometricsOrWatch? In any case, thanks for a great product!

  • @paulcolton

    The analogy is really poor if dissected but, ... I'll liken it to the fact that unlocking your front door with your house keys can't unlock your Mac. We're talking about apples and oranges.

    That said, this may be technically feasible on Touch ID capable Macs. We're looking into that. I can't promise that it'll be possible, or even if it is that we'll be doing it, but it is something we're investigating.

    Ben

  • paulcolton
    paulcolton
    Community Member

    @Ben I understand. That's too bad for the Mac, but I suspect TouchID/FaceID will come soon. Thanks!

This discussion has been closed.