Apple Watch Beta Security Issue [1Password for Apple Watch no longer requires an additional PIN]

jarose
jarose
Community Member
edited November 2016 in iOS

I am testing the beta that allows 1password for individuals on the Apple Watch. Security issue. I am able to access any passwords I send to my Apple Watch without ever entering a password on the watch.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @jarose: Thanks for reaching out! Can you elaborate on this?

    I am able to access any passwords I send to my Apple Watch without ever entering a password on the watch.

    I have a passcode on my Apple Watch itself which needs to be entered to access anything, and a PIN code for 1Password on my Apple Watch which needs to be entered the first time I access it. Are you experiencing something different?

    However, keep in mind that watchOS handles app memory, so 1Password will not be launched from scratch (and therefore require the PIN) unless it is removed from memory first. But you can force press the screen to lock it yourself. Let me know what you find!

  • jarose
    jarose
    Community Member

    I have to put my Apple Watch pin in when I put it on my wrist, but 1password doesn't not currently prompt me for a pin, nor can i force touch it to lock. Of note, there is also no option to set a pin in the app on my iPhone anymore.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @jarose: Ah, sorry for the confusion there! This is totally my fault. Since you didn't post in the iOS beta category of the forum, I missed that you were using the beta. I've moved this discussion there so the development team won't miss it.

    The PIN feature in 1Password for Apple Watch was removed in version 6.5.BETA-37, as mentioned in the release notes:

    The 1Password Apple Watch app no longer has its own PIN code. {OPI-3813}

    I can imagine you're wondering "Why?" This is because 1Password for Apple Watch no longer works at all without a device PIN set on the Apple Watch, which is used to secure the data watchOS stores in its Keychain. This change was made earlier in 6.5.BETA-32:

    Apple Watch app now requires Apple Watch PIN code to be set. {OPI-3760}

    I hope that clears things up wit the new behaviour. Be sure to let us know if you have any other questions!

  • jarose
    jarose
    Community Member

    Thanks. I need to read the beta release notes better. I read about watch passwords being stored in the iOS keychain, but missed that the watch's password would secure them. Couldn't figure out why I seemed to be the only one with this issue, which turns out to be a non-issue.

  • @jarose,

    No problem, you definitely did the right thing in bringing it to our attention. We'd certainly rather find that its a non-issue than ship something we didn't intend to.

    Thanks again!

    Rudy

  • Russellkling
    Russellkling
    Community Member

    I'm on the beta program for 1Password I didn't know you were testing the Apple Watch. Are you testing the app on the Watch or are you working on the Apple Watch unlocking 1Password when you launch it like it does with macOS Sierra?, that would be cool if you can do this, it's so convenient having the on my laptop.

  • Russellkling
    Russellkling
    Community Member

    Do you have to turn on each login on the iOS app to add that login to the watch? Any plans on having the Watch unlock the macOS Serra desktop?

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited December 2016

    I'm on the beta program for 1Password I didn't know you were testing the Apple Watch. Are you testing the app on the Watch or are you working on the Apple Watch unlocking 1Password when you launch it like it does with macOS Sierra?, that would be cool if you can do this, it's so convenient having the on my laptop.

    @Russellkling: Always read the release notes TestFlight! There are often surprises in there...and sometimes they are even good ones — though not always, because it's a beta. :lol:

    Currently we're testing the new 1Password app for Apple Watch, which we're building to take advantage of the additional speed and flexibility that newer watchOS releases support.

    Do you have to turn on each login on the iOS app to add that login to the watch?

    Supported items will have an Add to Apple Watch option when you view their details. Just tap that and they will be "tagged" (literally) to be displayed in 1Password on your Apple Watch.

    Any plans on having the Watch unlock the macOS Serra desktop?

    We don't currently have any plans for that, but if it's something we can do securely I know many of us here at AgileBits would absolutely love to have that ourselves! I see that you've already dropped into the existing discussion on that topic, but in case you missed it you may be interested in my earlier post on the subject. Cheers! :)

This discussion has been closed.