Usability Digest May 2024: Autosave, Sharing, and Sign-in Experience

As a new user trialling 1Password over the past two weeks, I find it has one of the worst user experiences of virtually all software I've ever used. There are just an enormous number of things that don't make sense about the way the Chrome extension, browser app and desktop app interact with each other.

The arrangement of settings-type features is different between all three, causing a new user to have to constantly try to remember which area a feature was seen in.

The Chrome extension can be set not to lock for hours, yet the browser session times out quickly anyway, requiring a password to be opened again, and this serves no security purpose because the password can be auto-filled with one click from the Chrome extension which is still active anyway - so the timing out is nothing but a pointless disruption to the user.

The desktop app has features the browser app doesn't have. Yet the desktop app's presence interferes with multi-account use on the same computer, so the only tolerable approach is to get rid of the desktop app anyway. You can't log into two 1Password accounts on the one desktop app, and there's not even a way to switch between accounts. And if you have the desktop app, it interferes with any attempt to be logged into a different account in the Chrome extension.

The Chrome extension doesn't even have a "log out" or "switch account" feature, which means switching the account that's active in the extension requires removing the extension and reinstalling it again. And it installs with the wrong 1Password account active if the first of two Chrome profiles you opened is associated with a different account - even if that Chrome profile is now closed, and even if the desktop app has been "quit". While some of this activity is simply a feature of how Chrome works, it wouldn't be a problem if 1Password simply chose to be conventional instead of anti-conventional regarding how switching accounts works on nearly all other web software.

And the process of registering a physical security key such as a Yubikey is significantly worse than anything mentioned above.

On registering a Yubikey security key, 1Password provides a pop-up relating to registering a passkey, not a security key - and while this is confusing enough in itself, it's made worse for people like me who have read that passkeys can be stored on a Yubikey, causing them to surmise that if 1Password refers to a passkey in the process of registering a security key, it must just be part of the way that a Yubikey security key works, and 1Password must have simply chosen to use that terminology instead of "security key". The whole set of terminology for these things in the industry is poor (since a physical security key could so easily be more clearly distinguished by using the word "physical" each time, yet somehow the industry generally prefers not to do that) - but that's no excuse for 1Password's poor design decisions.

Never mind that the series of pop-ups, which don't match 1Password's instructions about how to register a security key, appear on top of each other and hide some of 1Passwords instructions that are waiting for a response - that's just secondary. The mind-blowingly stupid and more serious thing is that 1Password then continues to show that the named key has been successfuly registered, even though the physical security key intending to be registered has not been registered. And, of course, the reason it does that is that it has registered a passkey, not a security key.

So the user receives confirmation that a key has been registered and then proceeds to find that 1Password immediately rejects the physical security key that they believe has just been registered.

And since this is the first key of any type that the user has attempted to register, the user doesn't have any opportunity to register any other kind of backup key that would prevent the immediate impression that they have been locked out of their account forever, immediately after spending the equivalent of 3 whole days updating, configuring and tagging several hundred login credentials and software serial numbers.

And the presence of an unrecognisable physical security key in a USB drive is enough for 1Password to prompt continuous Windows Security pop-up warning messages that cannot be stopped, making the entire web browser unusable until the security key is removed. This, of course, is breathtakingly stupid in itself.

Further, 1Password claims that the physical security key is required only when setting up a new device, yet this is not the case, and after figuring out for myself how to set up the security key based on online complaints from users at least three years ago which clearly 1Password has still not addressed, I've been asked to verify with the security key on numerous other seemingly random occasions, for no stated reason.

These are by no means all of the poor user experiences I've had within only the few most intensive days of trying to configure 1Password for my use case, but to cap it off, I registered here for a community account and verified it based on the email sent to me, only to find that 1Password gave me an authentication error upon my first attempt to log in, using the password copied directly into 1Password upon registering.

There's just no end to the disruptions, and virtually no other company has ever made me more angry that such user experience designers as those at 1Password could operate with seemingly so little awareness of the train wreck they've created.