2 factor and password [only TOTP is displayed on Watch when present]

GoalieedGoalieed
edited March 2016 in Apple Watch

I have two factor on my google password and my Microsoft password , but it won't also show the primary password on the watch so I can't log-in without pulling out the phone. Is there a way both will display?

Comments

  • brentybrenty

    Team Member

    @Goalieed: Sorry for the confusion! When a Login item has a TOTP, only this is sent to the Watch. For security, not all information is sent there for each item, and for TOTP especially it's useful to keep it separated from the other login credentials for use as a second factor. This way even if someone gains access to your Watch, they won't have all of the information needed to access your account. Also, the idea is that if you've already got the login on your iPhone, you can easily login there and then quickly get the code off your Watch if needed. It's something we can re-evaluate in the future, so be sure to let us know more about how you use it yourself! :)

  • I'd like to talk a bit more about my use case as I feel having both on the watch should be an option. I have to work on a corporate computer system and having our smartphones out is considered unprofessional and discoraged. If I want to check my personal email (Google), right now I use a painfully simple password with my two factor so I can remember what it is, since I can't look up that password on the watch with the two factor on.

    The watch is secure as it only unlocks with a fingerprint or my secret pin. My phone or a pin, and auto locks when removed from skin contact. It's secure enough for Apple Pay.

    Please consider making it an option to display both? Also, can you update the watch app for watchOS2 allowing it to be used without a constant connection to the iPhone?

  • AleenAleen 1Password Alumni

    Hi @Goalieed!

    Thanks for helping us understand how you'd like to use Login items on your Apple Watch! I passed on your feedback to our development team :)

    As far as WatchOS 2 is concerned, it's on our list of things to work on. We'll let everyone know as soon as it's ready :)

    ref: OPI-2660

  • I want to second @Goalieed 's comments. Prior to using 1Password, I have been using the Google Authenticator app for my TOTP needs. I was excited to learn that 1Password has an Apple Watch app, but I do not see the use of displaying only the TOTP. My 1Password-generated password is too complicated for me to remember, so if I am logging into a new device, I need to be able to see both. If I have to log into the iPhone app to retrieve my password, the TOTP is also right there, so it defeats the purpose of the Watch app, no?

  • Agree with kylenorton87

  • brentybrenty

    Team Member
    edited February 2016

    If I have to log into the iPhone app to retrieve my password, the TOTP is also right there, so it defeats the purpose of the Watch app, no?

    @kylenorton87, @Goalieed: Not really. Definitely check out my earlier post for some clarification. TOTP in particular is really meant to be used as a second factor separate from the login itself (which is why you'll often have something like this in a separate app or sent in a message or phone call). :sunglasses:

    Honestly I'm not sure it occurred to us that anyone would want to (or be physically capable of) simultaneously reading full login credentials off of their wrist and typing them (one-handed?) but you never know with the internet! ;)

    Of course, I'm half joking, but we're exploring putting more data on the Watch over time as the platform matures and we all get a better sense of the risks and benefits involved — rather than starting with everything important being kept in a place where it cannot be secured using your Master Password, by default. I think you can appreciate a cautious approach, even if you wish it worked differently.

    So while we envisioned people using 1Password for iOS (for example) to fill the actual username and password to login to a website, and then grabbing the short TOTP code off of their Watch when prompted (rather than having to switch apps or navigate through various screens on an iPhone), obviously the use case isn't the same for everyone, so we'll consider other alternatives that will make it easier without cluttering the tiny screen. Thanks for taking the time to let us know how you'd like to use it! :)

  • The ID's where I use two-factor really is not a concern with someone physically looking over my shoulder to get my password, it's more a concern that if I use a sketchy computer (i.e., in a hotel) where I get key-logged they won't be able to break in due to the two factor. For all my IDs two factor is option but I'd hate to turn it off and become vulnerable.

    Do you own/use an Apple Watch? I'm thinking not as the joy of the watch is NOT taking the phone out of one pocket/purse/belt lip to complete tasks like notifications, text messaging/ small snipers of data, and so on. Having to pull the phone out is the exact opposite of the way that watch is designed to function.

  • brentybrenty

    Team Member

    @Goalieed: I do have an Apple Watch...and frankly the joy for me is not reading my insanely long generated passwords off of its tiny screen. To each his own, I guess! :lol:

  • JPEwingJPEwing Junior Member

    @brenty: I am in agreement with the other two users above. With respect to your last comment, that would mean that logins WITHOUT a TOTP that have “insanely long generated passwords” that show up on the watch screen as is would have no place, and that the only reason to use 1Password on Apple Watch would be to look at the TOTPs. That would be awful. I concur with the others that the reason to have the watch app is so that you don’t have to pull out the phone. My use case is logging in on computers that are not mine (e.g. a work computer), so you need to enter the login information by typing anyway rather than automatically inputting the information with 1Password as I would on my personal devices. Having to use 2 devices to get that information negates the use of the Apple Watch entirely. You need to have the full username, password, and TOTP on the watch to be useful. If you’re worried about too much information on the screen at once (which I think you could still do), you could always have the user scroll down to see the TOTP if necessary. As far as the practical value of typing them in, I can still view the screen and type with two hands without any difficulty. I really hope this can be added as a feature in an upcoming version of the Apple Watch app. You could always offer a preference in the settings to display all or just the TOTP for those who are so inclined…

  • brentybrenty

    Team Member

    @JPEwing: Indeed, t's clear that different people will use it differently. Thanks for letting us know your workflow so we can take it into account as we develop future versions! :)

  • No new on this yet? I'm with other users that don't see the point of showing only the TOTP when the whole objective of my Apple Watch is don't get my iPhone out of my pocket.
    Thanks, hope you really get this option. ;)

  • brentybrenty

    Team Member

    No new on this yet? I'm with other users that don't see the point of showing only the TOTP when the whole objective of my Apple Watch is don't get my iPhone out of my pocket. Thanks, hope you really get this option. ;)

    @Morcegolas: Nothing to announce yet! It still baffles me personally a bit, since for me the biggest draw of 1Password is not having to type login credentials in manually, but we'd like to make what's displayed on the Watch in general more flexible in the future. :)

  • @brenty I understand you, and I also use 1password in that way, but many times I use other people computers and I don't know my 1password generated password for gmail, so I don't get the point having 1password on my watch only showing TOTP, when I don't know what my password is. If I have to open 1password on my iPhone, there I see all the information, so I don't see the point of using 1password on my watch ;)

    Hope I made my self more clear now, but I don't add anything new to what @Goalieed said, really love 1password, I bought it early when it was paid in iOS, and I just registered in the forum to expose my opinion, because I don't get it why don't you give to the users this option in the settings for example, why is taking too long to implement this, as in my view and probably a loot more people like me, this is a life saver! ;)

    Thanks!

  • brentybrenty

    Team Member

    I understand completely. I'm just always fascinated by how many different ways we all find to utilize 1Password in our daily lives. Thanks for your support and kind words. We don't have a new version of the Apple Watch app to announce yet, but we're excited by the possibilities. :chuffed:

  • AmarandAmarand
    edited June 2016

    Sorry for leaving a comment on a six month old post. However, I'd just like to add my two-cents:

    I'm a security guy, and reading the first comment made by brenty, I totally get the benefit of keeping your usernames, passwords and TOTP separate - to a point.

    1) I control my iPhone and Apple Watch, both physically. If someone steals my phone and has access to my fingerprint and/or PIN, I'm pretty much hosed anyway. Prior to buying the TOTP/Pro features for my Apple Watch, I was using Google Authenticator for most of my OTP needs. Completely not secure, and on the same device (my phone) as my 1Password. My Apple Watch is actually -more- secure because I simply can't lose it, and I have Auto Lock enabled when it's removed from my wrist. I would feel (again, as a professional security guy) completely and 100% safe having my username, password and TOTP showing up on my Watch, because anyone shoulder surfing would literally have less than 30 seconds to piggy-back on that connection. I have situational awareness and would try not to let that happen. But with TOTP being time-based, anyone looking over my shoulder has a very limited time to act, indeed. And that includes typing in my 16-20 digit completely random password PLUS my username, AND the TOTP. Not going to happen:

    https://xkcd.com/538/

    2) I feel that after looking at item 1 above, with my phone PIN-locked, my Apple Watch also locked (as is my vault), and my own situational awareness, it should be my choice if I want to enable both of my "factors" to be displayed on my watch. When I'm volunteering, they don't like me to have my phone out, but my watch? No one would notice that, or at least it's not as conspicuous.

    3) Regardless, if I have to sign into a system, and I have to pull out my phone to get the username and password out of 1Password, and THEN use the TOTP on my Watch, I am simply going to use TOTP on the phone, which completely negates (100%) the need to have TOTP on my Watch.

    4) Lastly, if the AgileBits team is saying "Well, most people just say 'Remember Me' in an authentication token in the local browser...so TOTP is all you'd need to sign into most places the second and subsequent times until the authentication token became invalid" or "Just use 1Password to enter your username and password, then use TOTP." True, those are true, when it's my own computer with 1Password installed. I sometimes use computers that I don't control, that I can't load 1Password on, and sometimes I don't want to pull my phone out. Also, the authentication token is a lot easier to hijack than my iPhone/Watch is. I think it's more secure, especially when I'm on a computer I don't control 100%, to enter the username, password and not have an authentication token stored ("Remember me"), then use TOTP. I do that all the time, and I feel somewhat comfortable taking the extra time signing in manually each time, knowing the token isn't stored where someone else could take it after I'm done.

    Intuitively (and Apple products are supposed to be about things being intuitive), I expected there to be a scroll-down or swipe-right on the Watch app to view the username and password on the Watch entry when TOTP is enabled. In fact, most of the services I use ask for username first, then password, then OTP. So I would imagine that displaying those three items in that order (limited real estate on the Watch, I know) would be ideal.

    So perhaps for any item that has TOTP enabled, you offer the choice (either for the whole shebang, or on a per-item basis? Like when you click Add to Apple Watch it asks "Do you want to transfer just the TOTP or credentials as well?" Could also be an Advanced system setting to make all items with TOTP transfer both credentials and TOTP to the Watch without asking - I'd enable that myself.

    So, to summarize:

    TOTP support is SUPER COOL - both on the iPhone (useful) and on the Apple Watch (completely negated by the iPhone, which is sitting right there within range of my Apple Watch otherwise the Apple Watch 1Password app fails miserably). I hope to get rid of the Google Authenticator app on my iPhone, and use 1Password's TOTP for all of my OTP services.

    However, I do think it'd be great to have the option to (always?) sync either just the TOTP or both. I would even be cool with having a BIG WARNING pop-up that says "Hey, so, this is reducing your security a little, having them both on your Watch...kinda...." However you wanted to word it. It's a risk - but one I'm willing to accept and mitigate by taking a second to look around. It's the exact same risk I'd be incurring (on a much bigger screen) having TOTP enabled on my phone. Right?

    Anyway...sorry for the lecture. It seemed like in the beginning of this thread, it sounded like 1Password was against this feature. I just wanted to show that it might be a worthwhile optional feature to allow folks to enable after understanding the potential risks.

    Thanks!

    (Edit: Wow, I used "phone" interchangeably with "watch" a few times. Sorry for the confusion. I think it's clearer now.)

  • brentybrenty

    Team Member

    @Amarand: I wanted to highlight some of the great observations you made here:

    My Apple Watch is actually -more- secure because I simply can't lose it, and I have Auto Lock enabled when it's removed from my wrist. I would feel (again, as a professional security guy) completely and 100% safe having my username, password and TOTP showing up on my Watch, because anyone shoulder surfing would literally have less than 30 seconds to piggy-back on that connection.

    My concern is that not everyone has Auto Lock or a PIN code of any kind enabled. Obviously in your use (and mine as well) the risks are almost non-existent. But you and I perhaps aren't representative of the rest of the user base. ;)

    When I'm volunteering, they don't like me to have my phone out, but my watch? No one would notice that, or at least it's not as conspicuous.

    Nice! That's a use for Apple Watch that's become more and more apparent to me as well in using it. A big reason we limited what the app can do from the outset is because it wasn't clear what the use cases would be for most people, but I think we've all got a better sense of that now. :chuffed:

    Regardless, if I have to sign into a system, and I have to pull out my phone to get the username and password out of 1Password, and THEN use the TOTP on my Watch, I am simply going to use TOTP on the phone, which completely negates (100%) the need to have TOTP on my Watch.

    That's an excellent point. And while the sites I use most with TOTP (Google Apps) need only the code most of the time, you're right that this isn't the case for many sites -- and many use cases, as you've described. That probably sounds like I'm contradicting myself a bit, but 6 months is a long time...especially when it comes to technology! ;)

    Intuitively (and Apple products are supposed to be about things being intuitive), I expected there to be a scroll-down or swipe-right on the Watch app to view the username and password on the Watch entry when TOTP is enabled. In fact, most of the services I use ask for username first, then password, then OTP. So I would imagine that displaying those three items in that order (limited real estate on the Watch, I know) would be ideal.

    I'm going to be honest here since Apple is pointing this out themselves now that they're publicly promoting watchOS 3: watchOS 1 & 2 apps are freaking slow. I love the swipe idea in theory, but the apps I have on my Watch which do support gestures like that are painful to use. I'm optimistic that watchOS 3 will make ideas like that not only feasible, but awesome.

    So perhaps for any item that has TOTP enabled, you offer the choice (either for the whole shebang, or on a per-item basis? Like when you click Add to Apple Watch it asks "Do you want to transfer just the TOTP or credentials as well?" Could also be an Advanced system setting to make all items with TOTP transfer both credentials and TOTP to the Watch without asking - I'd enable that myself.

    Indeed. I'm not sure how far we can take it without it becoming unwieldy to manage Apple Watch data, but we definitely want to make it more flexible in general, and TOTP is a prime candidate.

    TOTP support is SUPER COOL - both on the iPhone (useful) and on the Apple Watch (completely negated by the iPhone, which is sitting right there within range of my Apple Watch otherwise the Apple Watch 1Password app fails miserably). I hope to get rid of the Google Authenticator app on my iPhone, and use 1Password's TOTP for all of my OTP services.
    Anyway...sorry for the lecture. It seemed like in the beginning of this thread, it sounded like 1Password was against this feature. I just wanted to show that it might be a worthwhile optional feature to allow folks to enable after understanding the potential risks.

    Hey, it was a good lecture! :glasses:

    But in all seriousness, I think we're in agreement here. I love having 1Password on my Apple Watch, but it has limited utility currently. That's by design, because it's much easier for everyone if we take small steps to make sure we don't go too far instead of having to pull a feature. The biggest caveat is that not everyone may be as security-conscious as you, so we need to consider the extremes and everything in between and see what's not only usable but understandable. With all of the new stuff coming out of Apple this week for developers and in the months to come for users, we'll have a lot more to work with to take the feedback from you and others and make our Apple Watches even more useful. :)

This discussion has been closed.