Feature suggestion: Unlock 1password on Mac using Apple Watch


Comments

  • :+1: :)

    Ben

  • mrbutcher
    Community Member

    As you maybe all know, the "Apple Watch unlock thing" got bigger on the MacBooks. It's now possible to double-tap the button on your Apple Watch for some authentications on the MacBook. (https://wccftech.com/how-to/approve-with-apple-watch-macos-catalina/)

    Maybe the API is still closed to Apple's internal apps, but maybe you can take a second look at that. In the end, I just want to give a +1 on this feature request :chuffed: :+1:

  • Lars
    1Password Alumni

    Welcome to the forum, @mrbutcher! Yep, it's something we're continuing to evaluate. Due to the nature of what it is we do, we've got considerably higher security requirements than some other apps might have for something like this. We've nothing to announce, but we're certainly monitoring new capabilities from Apple with an eye toward what we might be able to securely provide to our own users. Thanks.

  • kecinzer
    Community Member

    This API is open. I already use it for sudo - https://github.com/biscuitehh/pam-watchid

  • AGAlumB
    1Password Alumni
    edited November 2019

    Your Master Password was used to encrypt your data; therefore it is necessary to decrypt it. We're not going to save it to disk to enable such a feature. If in the future there's a way to use the Secure Enclave instead (like we do for Touch ID) then we may add a feature like this to 1Password.

  • DanielHe
    Community Member

    Hello,
    I have already noticed in another application that it is possible to authorize the login to the app with Apple Watch. Maybe this is only possible with Catalina. But at least it worked there. Can you please check the feature again?

  • AGAlumB
    1Password Alumni

    Everything I mentioned here and here still applies to 1Password. For most apps, security is an afterthought, if thought of at all. But if we can find a way to offer this feature while still satisfying 1Password's security requirements, that will be great. :)

  • psifertex
    Community Member

    Given that it's been a month and a half, I'm curious if there's been any further evaluation of @gibfahn 's API suggestions. It would be great to know if they were a dead-end or if it looks possible to implement with that. If it's not possible I know not to get my hopes up and can go bug apple instead, but if it /is/ possible then we know who to pester for this important feature. 😛

  • AGAlumB
    1Password Alumni

    @psifertex: The problem still remains that, unlike most use cases (or rather, completely opposite from them), 1Password's security is based on encryption, so the Master Password is mathematically necessary to decrypt the data. So you either need to enter it, or it needs to be gotten some other way. Transferring it from one device to another and/or storing it for later use is problematic for security reasons, as I'm sure you can imagine. :)

  • gibfahn
    Community Member

    If in the future there's a way to use the Secure Enclave instead (like we do for Touch ID) then we may add a feature like this to 1Password.

    I believe the existing API to use the watch to retrieve decryption keys from the Secure Enclave, the same way Touch ID is currently used in 1Password, is the one I linked to in https://discussions.agilebits.com/discussion/comment/530308/#Comment_530308 . I would guess it's just a case of adding watch to SecAccessControlCreateFlags (in addition to what you currently use, probably applicationPassword and biometryCurrentSet)

    @brenty do you know if this is possible? It shouldn't require transferring between devices or storing for later use, it's just telling macOS that a connected watch can be used to authenticate key retrieval in addition to TouchID and the master password (which 1Password already uses).

  • AGAlumB
    1Password Alumni
    edited December 2019

    I believe the existing API to use the watch to retrieve decryption keys from the Secure Enclave, the same way Touch ID is currently used in 1Password, is the one I linked to in https://discussions.agilebits.com/discussion/comment/530308/#Comment_530308 . I would guess it's just a case of adding watch to SecAccessControlCreateFlags (in addition to what you currently use, probably applicationPassword and biometryCurrentSet)

    @gibfahn: Well...for starters, relatively few Macs have a Secure Enclave. And even then the Master Password (or cryptographic equivalent) has to get there somehow. So, possible perhaps, but challenging as far as security, development, and usability. Hopefully we'll be able to do something like that in the future though. :)

    But here's what I was talking about earlier (emphasis added):

    do you know if this is possible? It shouldn't require transferring between devices or storing for later use, it's just telling macOS that a connected watch can be used to authenticate key retrieval in addition to TouchID and the master password (which 1Password already uses).

    1Password cannot decrypt your data just by you proving who you are -- authenticating; it needs your Master Password. Yes, you can authenticate using the watch, and some apps do this. But they don't need to decrypt anything; 1Password does, and therefore needs the Master Password to accomplish that. Just wanted to clarify.

  • gibfahn
    Community Member

    @brenty

    relatively few Macs have a Secure Enclave

    AIUI all Macs with Touch ID have the Secure Enclave, right? So it would work on the same set of devices (and all new devices, including iMac Pros, Mac Minis, and Mac Pros that don't have Touch ID but do have the T2 chip and thus the Secure Enclave, list here https://support.apple.com/en-us/HT208862).

    1Password cannot decrypt your data just by you proving who you are -- authenticating; it needs your Master Password.

    Maybe I'm misunderstanding something about how TouchID authentication with 1Password works today. I thought from https://support.1password.com/touch-id-security-mac/#your-master-password-is-secured-by-the-secure-enclave that your 1Password data was encrypted with a key which was stored in the Secure Enclave, and the only way to get macOS to give you that key was to authenticate to the secure enclave with either your master password or TouchID, both of which were registered using the macOS SDKs as authentication methods to retrieve the decryption key from the Secure Enclave. If that were the case it would be a matter of registering the watch as an authentication method in the same way that TouchID is currently registered.

  • AGAlumB
    1Password Alumni

    AIUI all macs with Touch ID have the secure enclave right? So it would work on the same set of devices (and all new devices, including iMac Pros, Mac Minis, and Mac Pros that don't have TouchID but do have the T2 chip and thus the secure enclave, list here https://support.apple.com/en-us/HT208862).

    @gibfahn: Yep. As far as install base, limited almost exclusively to devices that have Touch ID anyway, which limits its usefulness.

    Maybe I'm misunderstanding something about how TouchID authentication with 1Password works today. I thought from https://support.1password.com/touch-id-security-mac/#your-master-password-is-secured-by-the-secure-enclave that your 1Password data was encrypted with a key which was stored in the Secure Enclave, and the only way to get macOS to give you that key was to authenticate to the secure enclave with either your master password or TouchID, both of which were registered using the macOS SDKs as authentication methods to retrieve the decryption key from the Secure Enclave. If that were the case it would be a matter of registering the watch as an authentication method in the same way that TouchID is currently registered.

    So...you're on the right track, but again, authentication gets you nothing with 1Password. If you have and try to use Touch ID to unlock 1Password before you've entered your Master Password so that its equivalent can be stored in the Secure Enclave for unlocking afterward...nothing will happen, because the Master Password is needed to decrypt the data. No authentication technologies will do any good without that. So, as far as the proposal to use an Apple Watch to unlock 1Password for Mac, you'd first need to unlock 1Password for Mac by entering your Master Password anyway. At that point you can just use Touch ID. But say you want to use your watch instead. Then how long does that last, and how is it managed? How does the watch know to offer the option -- and when not to? How does the Mac know which to use?

    As I mentioned above, it's a whole bunch of security and usability challenges rolled into one. And the more we talk about the reality of it only being feasible on a subset of Macs which already have a biometric option integrated, I question the usefulness of the feature and how reasonable it would be to put all of the work in as a result -- cool factor notwithstanding. Most people requesting this feature over time have because they do not have Touch ID as an option; those that already do tend to use that. Regardless, it's not going to happen tonight. But good food for thought. Cheers! :)

  • gibfahn
    Community Member

    authentication gets you nothing with 1Password

    Sorry, I'm talking about authentication to the Secure Enclave, not to 1Password.

    If you have and try to use Touch ID to unlock 1Password before you've entered your Master Password so that its equivalent can be stored in the Secure Enclave for unlocking afterward...nothing will happen, because the Master Password is needed to decrypt the data.

    Yeah, my request isn't for the first time you unlock, when you have to enter the password, but for subsequent ones where you can already use TouchID.

    At that point you can just use Touch ID. But say you want to use your watch instead. Then how long does that last, and how is it managed? How does the watch know to offer the option -- and when not to? How does the Mac know which to use?

    Doesn't macOS handle this for you? Today if I use an app that uses these APIs, e.g. the lock button in System Preferences, the popup appears and I get a popup on my watch too:

    If you take off the watch (then it locks immediately) and then click the lock button, the popup doesn't appear on the watch.

    Most people requesting this feature over time have because they do not have Touch ID as an option; those that already do tend to use that.

    Yeah fair enough, I have a newer Mac Mini that has T2 but no Touch ID, so I guess I'm in the minority (along with iMac Pro users, who are probably an even tinier minority). Lots of people use their Macbook in clamshell mode with an external display though, so it would also benefit them.

  • AGAlumB
    1Password Alumni

    macOS can't handle all of that for us because this feature is designed with authentication in mind, not encryption. Hence this discussion. Otherwise we'd already be using it, essentially "for free". Maybe someday. ;)

  • evaleffef
    Community Member

    +1

  • Lars
    1Password Alumni

    :) :+1:

  • jon_bartelson
    Community Member

    +1 for me as well, although I expect I am also in the minority with a Touch Bar MacBook connected to a monitor when stationary.

    That said, I appreciate the thoughtfulness that the 1Password team puts into designing the security architecture of this product. I would not want to sacrifice security for convenience and I'm happy that the team designs with that in mind!

  • p07r0457
    Community Member

    I'd very much like to see this feature added.

  • Lukas S.
    Community Member
    edited April 2020

    I too would like to see this very much. I recently started using my MacBook in what's called "clamshell mode", i.e. the lid closed and the laptop connected to an external monitor. Obviously then Touch ID isn't available 🙂
    As for many here, my master password is fairly long and cumbersome to type, so having this be able to unlock via Apple Watch would be a great improvement for my day-to-day usage of 1Password.

    @brenty I believe you are mistaken and there might be a mix-up between two different security mechanisms that macOS offers. The concerns you are voicing about the feature being designed merely for authentication are indeed valid for the LocalAuthentication framework. It would not work for 1Password.
    However, what @gibfahn brought up - and what I agree with - is that there is an option to indeed get watch support "for free" with the APIs that 1Password is already using today for Touch ID support. This is being done today by leveraging the Secure Enclave (https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave), which allows you to specify a set of so-called SecAccessControlCreateFlags for access control, where watch is another option in addition to the Touch ID-related ones that are being used right now: https://developer.apple.com/documentation/security/secaccesscontrolcreateflags

    I can perfectly understand if this currently isn't a priority for the team (even though I hope that might change 🙂) but I'd like the confusion about this not being technically possible to be cleared up.
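The API that gibfahn and Lukas S. are pointing at, as an added example that is not 1Password's code and not part of the original thread: a P-256 key is generated inside the Secure Enclave with an access-control list that accepts either the current biometric set or a paired Apple Watch, and an application key (the "Master Password equivalent" derived at the first unlock) is wrapped under that enclave key. Unwrapping later is what triggers the Touch ID or watch prompt. The key tag, the `appKey` input and the OR of `.biometryCurrentSet` with `.watch` are assumptions for illustration; the real flag set 1Password uses is not public.

```swift
import Foundation
import Security
import LocalAuthentication

// Added example, not 1Password's code. Key tag and app-key handling are assumptions.

enum EnclaveError: Error { case noSecureEnclave, keychain(Error) }

/// ACL for key *use*: current biometric set OR a paired watch.
/// .privateKeyUsage is mandatory for Secure Enclave keys. Because the factors are
/// ORed, macOS offers whichever is present (Touch ID on the sensor, or the watch
/// double-click when the lid is closed). .biometryCurrentSet invalidates the key
/// if fingerprints are added or removed, so an attacker who enrols a finger
/// cannot use it.
func watchOrBiometryAccessControl() throws -> SecAccessControl {
    var err: Unmanaged<CFError>?
    let flags: SecAccessControlCreateFlags = [.privateKeyUsage, .biometryCurrentSet, .or, .watch]
    guard let ac = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                   kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                                                   flags, &err) else {
        throw EnclaveError.keychain(err!.takeRetainedValue())
    }
    return ac
}

/// Generate the key in the Secure Enclave. The private half never leaves it;
/// creation fails on Macs without an enclave (no T2 / Apple silicon).
func makeEnclaveKey(tag: String, access: SecAccessControl) throws -> SecKey {
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: Data(tag.utf8),
            kSecAttrAccessControl as String: access,
        ],
    ]
    var err: Unmanaged<CFError>?
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &err) else {
        throw EnclaveError.keychain(err!.takeRetainedValue())
    }
    return key
}

let wrapAlgorithm: SecKeyAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM

/// First unlock: the app has derived `appKey` from the Master Password already.
/// Wrapping uses only the public key, so no user-presence prompt appears here.
func wrap(appKey: Data, under enclaveKey: SecKey) throws -> Data {
    guard let pub = SecKeyCopyPublicKey(enclaveKey) else { throw EnclaveError.noSecureEnclave }
    var err: Unmanaged<CFError>?
    guard let blob = SecKeyCreateEncryptedData(pub, wrapAlgorithm, appKey as CFData, &err) else {
        throw EnclaveError.keychain(err!.takeRetainedValue())
    }
    return blob as Data
}

/// Subsequent unlocks: decryption uses the enclave private key, so macOS
/// enforces the ACL here and prompts for Touch ID or the watch. Authentication
/// by itself yields nothing; what it releases is the key wrapped earlier.
func unwrap(blob: Data, with enclaveKey: SecKey) throws -> Data {
    var err: Unmanaged<CFError>?
    guard let appKey = SecKeyCreateDecryptedData(enclaveKey, wrapAlgorithm, blob as CFData, &err) else {
        throw EnclaveError.keychain(err!.takeRetainedValue())
    }
    return appKey as Data
}

/// Capability check before showing the option in the UI (macOS 10.15+ policy).
func watchOrBiometryAvailable() -> Bool {
    var err: NSError?
    return LAContext().canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometricsOrWatch, error: &err)
}

// Usage sketch (needs a Secure Enclave Mac and a paired, unlocked watch):
// let ac   = try watchOrBiometryAccessControl()
// let sek  = try makeEnclaveKey(tag: "com.example.vault-key", access: ac) // tag is an assumption
// let blob = try wrap(appKey: keyDerivedFromMasterPassword, under: sek)   // persist `blob`
// let key  = try unwrap(blob: blob, with: sek)                            // Touch ID or watch prompt
```

Two caveats a practitioner would want. First, this does exactly what gibfahn describes and nothing more: the watch becomes an additional factor for releasing a key that was placed under the enclave after a Master Password unlock, so nothing is transferred to the watch and no ciphertext is sent between devices. Second, it also illustrates AGAlumB's concern: while `blob` is stored, the enclave key plus the ACL is a standing cryptographic equivalent of the Master Password on that Mac, which is why the trust placed in the Secure Enclave, and in whichever factors the ACL accepts, is the whole security argument.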

  • michaelvila
    Community Member

    Count me in for this feature, when you can please.....

  • wojo
    Community Member

    Thanks for the extra research on this Lukas, hopefully the developers can chime in and let us know if it is indeed an option -- seems to be!

  • Don MacAskill
    Community Member

    This would be huge for us and our employees since many of us use "clamshell mode" with the laptop lid closed and Touch ID isn't available. I fully understand why you'd have to enter the Master Password first, to enable decryption, but using the Apple Watch in lieu of Touch ID from there on out would be fantastic.

  • Sean_G
    Community Member

    +1 -- I use a laptop in clamshell and a Mac Pro, so this would be immediately useful. Since Catalina, I have started using my watch to authorize most apps/system functions. Way more convenient, especially after a recent wrist surgery.

  • james1lytle
    Community Member

    +1 from me too!

  • Lars
    1Password Alumni

    Thanks for everyone's input here, appreciated. :)

  • deke
    Community Member

    +1

  • tpaine
    Community Member

    Like many others at AgileBits I too would love to be able to unlock my 1Password vault with my watch on my new Mac Mini. Reading this thread not only showed me why that's not possible given Apple's current APIs, but also how patient and determined your customer support is. Bravo.

  • mhanke
    Community Member

    Would love this feature! Also a "clamshell" user (:

  • emmdubbleyou
    Community Member

    Another vote for this feature! =D

This discussion has been closed.