authentication
63 Topics

Feature Request: Better security for MFA codes in records...
I posted this at 1Password at home, but I actually think this would be well suited for at home users or at work. So I post here as well - -

Currently, storing both a password and its corresponding Multi-Factor Authentication (MFA/TOTP) seed within the same 1Password item creates a "single point of failure." If a device or 1Password session is left unlocked, an unauthorized user gains immediate access to both factors. I am requesting a feature that allows administrators (or individual users) to require a secondary validation (such as re-entering the Master Password, using Biometrics, or confirming a 1Password-level MFA prompt) before 1Password will reveal or autofill specific TOTP codes.

The Problem

While storing MFA codes in 1Password is incredibly convenient, it inherently violates the core principle of MFA (combining something you know with something you have). If an attacker gains access to the 1Password vault, the security benefit of MFA is effectively neutralized for that account.

Proposed Solution

Introduce a Step-Up Authentication / Conditional Access policy specifically for MFA fields.

- MFA Vault Lock: When a user attempts to copy, view, or autofill a TOTP code, 1Password should challenge the user for authentication.
- Customizable TTL (Time-to-Live): Users or admins should be able to configure how often this challenge occurs. Options could include:
  - Every time the MFA code is accessed.
  - Once per session / Once a day.
  - After X minutes of inactivity.
- Administrative Control (1Password Business): Enforce this via Policies in the Admin Console, allowing organizations to mandate that all stored MFA codes require a secondary check, mitigating the risk of compromised employee endpoints.

Use Case Example

- An employee opens a shared vault to log into a critical infrastructure tool.
- 1Password autofills the username and password normally.
- When the employee clicks the MFA field to copy the token, a biometrics prompt (Touch ID/Face ID) or a 1Password MFA prompt appears.
- Once validated, the token is revealed/filled, and the validation remains active for the next 8 hours (or whatever limit the admin set).

Benefits

- Enhanced Security: Preserves the integrity of two-factor authentication even when stored in a single password manager.
- Enterprise Compliance: Helps businesses meet strict compliance frameworks (like SOC2 or ISO 27001) that frown upon storing passwords and MFA tokens together without isolating controls.
- User Flexibility: Maintains the convenience of 1Password's autofill while adding a vital speedbump for sensitive data.

12 Views | 0 likes | 0 Comments

op from a remote docker container?
Hi,

We're using (linux) ssh remotely to connect to an on-prem bastion. Behind the bastion is a docker container we use for ansible deployment. There are several playbooks that need environment variables exported in order to run. It would be nice to pull these in on the remote container using op instead of the current cut/paste workflow.

Is it possible to authorize the terminal locally with `op signin` and then schmooze that authorization into the remote docker container with `ssh -A` or something to allow the container to do something like: `TOKEN=$(op read "op://Dev Secrets/GitHub Token/password")` ?

Our 1P accounts are issued through an enterprise and we use SSO for login with our on-prem IDP so there may be some restrictions with methods available (eg: service account token)

Solved | 29 Views | 0 likes | 1 Comment

How to customize the suggested item name in the auto-save prompt?
Hello. When a user saves a new login on our site (e.g. app.acme.io), the "Save in 1Password" prompt defaults to a name derived from the domain so we get "Acme" instead of "acme.io". It doesn't match our brand.

We've already done what compatible-website-design recommends: brand-name <title>, application-name, apple-mobile-web-app-title, og:site_name, manifest.webmanifest (name / short_name), correct autocomplete attributes. None of these influence the suggested name.

Questions:

- Is there a client-side mechanism (meta tag, well-known endpoint, JSON-LD…) we're missing to declare our brand name for the auto-save prompt?
- If not, what's the official process to submit a domain + brand name + logo to 1Password Rich Icons / website database?

Thanks.

21 Views | 0 likes | 0 Comments

Feature Request - Step Up Auth Geo-restrictions
We are starting to have more users working overseas temporarily from locations outside our usual allow list. We'd like a middle ground option to allow these locations but only with an additional authentication factor, or allow them for a small number of users.

26 Views | 0 likes | 1 Comment

Feature Request: Vault Level MFA Enforcement
Problem Statement

Currently, MFA can be enforced at the account level, which applies universally to all vaults and users. While this provides a strong baseline, it lacks granularity for organizations that manage vaults with varying sensitivity levels. Not all vaults contain equally critical data, and enforcing MFA globally may introduce unnecessary friction for lower-risk use cases.

Proposed Enhancement

Introduce the capability to require MFA specifically for access to designated vaults. This would allow administrators to:

- Enforce MFA only when accessing high-sensitivity vaults (e.g., privileged credentials, production secrets, break glass)
- Maintain a more flexible user experience for lower-risk vaults
- Apply differentiated security policies aligned with data classification

Suggested Functionality

- Admin-configurable MFA requirement at the vault level
- Conditional prompts: users authenticate with MFA only when accessing protected vaults
- Audit logging for vault-level MFA enforcement and access attempts

Use Cases

- Segregation of privileged credentials requiring stronger authentication controls
- Compliance scenarios where specific data sets require step-up authentication
- Organizations implementing tiered security models across teams or environments

Impact / Benefits

- Improved security posture through granular access controls
- Reduced user friction by avoiding blanket MFA enforcement
- Better alignment with enterprise security policies and compliance requirements

Thank you for your consideration.

Solved | 24 Views | 0 likes | 1 Comment

Quick Access Touch ID Mini-Blockade on MacBook Used In Desktop Mode
I have a paid 1Password subscription on another computer other than this forum account. I have a feature request to fix a 1Password user-experience inconsistency:

1. The Good Part first:

First, let me introduce how I use 1Password. Sometimes I enter the master password, but I also have let it use my biometric (Touch ID). Compare the bottom-right corner of these two screenshots:

When using with MacBook open, Touch ID logo button shows:

When using with MacBook closed (External Monitor), Touch ID logo button disappears:

If I open/close MacBook, the bottom-right-corner button changes correctly when I open/close/open/close MacBook. Good, you did it properly in use case #1.

This is great, because I can often open MacBook, do the Touch ID thing, and close MacBook. I can even initiate by external keyboard (<TAB><TAB><ENTER> to select the Touch ID dialog-button, before reaching my thumb over). This is without needing to use a mouse or touchscreen, if it's inconvenient to fully reach over to view my MacBook set aside during external KVM use.

I can even use Touch ID without peeking at the MacBook (open lid only by 1-2" only to use Touch ID, tab, tab, enter on my external keyboard, then slip thumb briefly onto the Touch ID). So this even works even if I can't currently see the MacBook screen because MacBook is oddly to the side and only slightly opened briefly only for Touch ID use. (Due to desktop config with external display/accessories)

So I am satisfied with this mode of operation -- It is convenient to Touch ID briefly even with my MacBook mostly closed. The problem arises with Quick Access (use case #2 below):

2. Problem #2: Quick Access Becomes Slow / Browser Autofill Inconvenient

If I try to use either (A) Quick Access hotkey while in an external monitor use... or (B) try to use Browser Autofill, suddenly it's less convenient.

This dialog appears:

Since I'd rather not enter a long password every single time, I open the MacBook slightly, but it doesn't let me use Touch ID if the window is open before I re-open my MacBook (external monitor mode).

Does not let me use Touch ID, even though Touch ID is enabled

I have to manually re-close the 1Password dialog, then re-open it again in order to use Touch ID!

How to reproduce:

- Use a closed MacBook in desktop mode (Connect to external monitor, keyboard, mouse.)
- Use MacBook normally, while using external monitor/keyboard/mouse
- Now activate 1Password either via Quick Access or Browser Autofill (same problem)
- It prompts you for 1Password password
- Open your MacBook lid, intending to access the Touch ID
- Try to use Touch ID
- Try to get the dialog to let me use Touch ID
- It won't work
- You have to close the 1Password Quick Access dialog, and reopen it, to force it to let me use Touch ID.

It's not necessary with the non-Quick-Access window (as seen in Item #1 near top), but necessary with the misnomer of a Quick Access window? And slows down Browser Autofill too. It unexpectedly turns the normal "Open 1Password" faster than "Open Quick Access" or "Autofill", because of this inconsistency during this use.

Unlike the main 1Password login (which correctly detects laptop lid open/close properly), the other dialog (Quick Access / Browser Autofill) doesn't detect MacBook lid close/open events.

Attention: 1Password Developer Team

May someone at 1Password fix this "MacBook being used in desktop mode" usability inconsistency (#1 vs #2)? Bringing #2 into parity with #1, fixing the "Quick" in "Quick Access", and making browser autofill more convenient again.

50 Views | 0 likes | 1 Comment

System Down due to Expired Client Secret
I'm in desperate need of some support here. Our Notion alert that the client secret for our 1Password Entra ID SSO was expiring did not alert like it should have and we are now all locked out. There seems to be no way to bypass and use the emergency kit to update the integration in 1Password. I have opened a support ticket, but it isn't moving fast enough. Is there a way for Administrators to bypass SSO and get back in using the emergency kits that I'm missing?

40 Views | 0 likes | 0 Comments

Barracuda Networks
1Password will not autofill the one-time password for the Barracuda login page for BarracudaNetworks.com. It works with your username and password fine, but the multi-factor authentication must be manually dragged or copy and pasted into the website field. I found posts about other Barracuda sites having the exact same issue on here dated 3 years ago. Has any progress been made by any chance at fixing this? Barracuda is quite a popular site in the world of IT. Thank you.

Solved | 73 Views | 0 likes | 5 Comments

Remote Linux machine opens GUI
Setup:

Linux Machine that I directly connect to when in the office. Has 1Password installed. Works great. ~/.ssh/config file has

```
Host *
  IdentityAgent ~/.1password/agent.sock
```

Windows Machine that I directly connect to when in the office or working remotely. Has 1Password installed. Works great. C:/Users/Me/.ssh/config file has

```
Host mypc
  User me
  HostName mypc.local
  ForwardAgent yes
```

The OpenSSH Authentication Agent service has been Disabled and Stopped so that my computer is listening to `\\.\pipe\openssh-ssh-agent`

Issue:

When sshing into the Linux machine from the Windows machine, git does not work. `git pull` when sshed will open the GUI on my Linux machine (I have watched both screens to test this). I want my WINDOWS machine to open its GUI for me to log in. There's no point to remote in if I can't use the Windows 1Password.

48 Views | 0 likes | 0 Comments