1Password 4.1 for iOS adds… way too much great stuff to fit in a post title

Just in time for the weekend, 1Password 4.1 for iOS has hit the App Store. This is such a great update that we had to categorize all the changelog items under headings so you can keep track of them all. True story.

Some of the best additions are in the all-new tab-slinging, form-filling Web Mode. We redesigned the Action Menu to use the spiffy new icon view in iOS 6, which means we can fit more options like sharing the current webpage on Twitter or Facebook. In addition to emailing, printing, or opening the page in Safari, you can now copy the current page’s URL to your clipboard. A performance nip here, a bug tuck there, and Web Mode is even better.

You can now search in iPad in portrait orientation, change the font for displaying passwords, and view attachments in Secure Notes that you added with a desktop version of 1Password. There is support for the new 1Password USB Sync feature we’re working on to provide a local sync option for users who miss Wi-Fi sync (it’s in private beta testing right now). There are plenty of bug fixes to go around, too.

Something for the power users

Probably the coolest new feature in 1Password for iOS 4.1 is support for URL schemes. This means you can do some pretty awesome stuff, like automatically opening the current webpage from Safari, Chrome, or another iOS browser in 1Password’s Web Mode for form filling and Login-ing goodness. All you have to do is tap in the URL bar, add ‘op’ to the very beginning, and tap Go/Return to make the switch.

Things get a bit more interesting with our new support for a “onepassword://search/search_text” URL scheme to open 1Password and automatically search for the text in your clipboard. This means you can use a utility like Launch Center Pro to create a shortcut to search 1Password for the contents of your clipboard, and Federico Viticci at MacStories has already penned some great examples with which you can tinker.

But you know what’s cooler than offering URL support in your app? Having someone else’s app already support your URL scheme before you’ve even released it! Our new URL schemes can also be used by other apps, and as far as I know, Riposte is the first. It’s an upcoming App.net client that baked support for the 1Password URL scheme (but only if 1Password is installed) into its built-in browser and even the App.net login screen!

When you view a link someone shared in Riposte’s browser, you can tap the action arrow and slide to the left to find the 1Password login option. Tap it, and 1Password will open and automatically search for the current webpage’s URL to help you find and copy your Login’s password more quickly.

How cool is that? It’s wonderful to see Riposte adopt 1Password’s URL scheme and we would love to hear from more developers who want to do it.

That about wraps up our huge 1Password 4.1 for iOS update. We hope you love it! As always, let us know what you think and be sure to leave a review in the App Store!

We listened: Direct sync in 1Password 4 for iOS

The response to 1Password 4 for iOS has been fantastic, and we can’t thank everyone enough! While reviewing all the great feedback and requests, we heard loud and clear that direct syncing between iOS and Mac is important for many people, and we plan to do something about it.

1Password 3 provided direct syncing between Mac and iOS via Wi-Fi syncing, and while it was great in its day, it was never perfect. Between the need for manual syncing and networking issues, it did not provide a great user experience. Over the years, our team fell in love with the ease of Dropbox and stopped using Wi-Fi sync altogether. Since none of us used it, and in light of the feature’s problematic nature for many of our users, we decided not to include Wi-Fi syncing when we rewrote 1Password 4 from the ground up.

When we released 1Password 4 for iOS, many people wrote in to explain that direct syncing was critical to their workflow. Some need it because of work rules, some because of regional restrictions that prevent access to sync solutions like Dropbox. Others simply prefer to keep all their data locally without depending on the cloud.

If you’re one of the people who requires the ability to sync directly, rest assured that we’ve heard from you that this is critical to your needs.

We’ve started on a new way to sync data directly over USB and it is already in private beta testing. We’re pretty excited about this because almost all of the support issues caused by Wi-Fi syncing were related to weird network configurations. By syncing directly over USB, we can avoid all those issues. Hopefully, we will never have to ask a customer to reboot their router again :)

We don’t have an ETA on when USB syncing will be available, but beta testing results so far have been promising. If you rely on direct syncing, please stick with 1Password 3 for a little while longer until the USB sync solution is completed.

We’ll post more information about USB syncing soon. Stay tuned!

iMore’s editors have decided: 1Password for iOS is the iPad Utility of the Year

Yes, it’s easy for us to say the new 1Password for iOS is awesome; it’s our baby! And sure, there are plenty of second opinions stacking up. Now we have our first award!

iMore has announced its 2012 Editors Choice Awards, calling it for everything from devices, to apps, to stories, and even accessories. A lot of great stuff made their list, and we were super excited to see 1Password named iPad Utility of the Year! Thanks to Rene Ritchie and the iMore staff for such kind words!

If you still haven’t picked up iMore’s iPad Utility of the Year, or what we would call An All-Around Awesome Password and Identity Manager for iPhone and iPad, now is the perfect time to do it because 1Password for iOS is still on sale for over 50% off! But run, don’t walk—when 2012 ends in a couple days, so does our sale!

1Password 4 for iOS in the press

The reviews are in… and in, and in, and in! After over a year of hard work, 1Password 4 for iOS is now in the App Store and, in the words of Macworld, “practically flawless.”

Plus, until the end of 2012, it’s on sale for just $7.99 as a universal app for both iPhone and iPad—that’s over 50% off! Of course, we could give you over 20 reasons to love the new 1Password for iOS, but we’ll let the press have their say:

  • Matthew Panzarino of The Next Web, who did a great interview with our co-founder, Dave Teare, for the release: “This really is the best version of 1Password yet.”
  • Jeff Gamet of The Mac Observer: “1Password 4 is simply a must have app for every iPhone and iPad owner that’s moved beyond keeping passwords on a Post-It note — which should be you.”
  • Federico Viticci of MacStories: “With a cleaner, more powerful, and consistent experience, 1Password 4 is a great update.”
  • Geoffrey Goetz of GigaOM: “AgileBits has taken user feedback to heart and really enhanced an already great product.”
  • Glenn Fleishman of TidBITS: “I find 1Password 4 a substantial improvement.”
  • Christine Chan of AppAdvice: “If you haven’t experienced 1Password yet, then there’s no better time than now.”

I could go on, and on, and on, but I think you get the point. We love 1Password 4 for iOS, the press loves it, and we truly believe you’ll love it too, especially since it’s still over 50% off through the end of 2012!

Doing the two-step until the end of time

In my discussion of Dropbox’s new two-step authentication, I skimped on the cryptography. Because we had to move quickly, I wanted to focus at the time just on our recommendations, so I told a few fibs about the way the six digit codes “get” to your phone. Now I want to explain how it really works.

Not only that, but I will sneak in a little introduction to Message Authentication Codes (MAC), which play a major role in our newest version of the 1Password data format. This topic is also worth revisiting because our new release, 1Password 4 for iOS, works well with Dropbox’s two-step verification.

Speaking of, let’s start with Dropbox’s two-step authentication system. I did try to warn readers that I was being less than forthcoming about the full truth when I suggested that a six digit code is sent from Dropbox (or Google) to your phone:

There are also some really cool things about how the protocols for two-factor authentication work, but I will bite my tongue and leave that discussion for another day. What this means, however, is that a great deal of what I say in describing the system below is a pack of lies.

Even my word “protocol” could be confusing, as it might imply some network activity. The magic of the system is that anything using this type of Time-based One Time Password (TOTP) tool will compute the same six digit code at a particular time with the initial set-up secret. Dropbox’s login system will calculate the six digit code on its own; and a tool that you use, such as Google Authenticator, will also calculate the six digit code on its own. No network connection is needed after the first time setup. In my example below, I’ll use Google Authenticator, but it isn’t the only TOTP tool out there.

Initial set up

When you first set up something like the Google Authenticator you scan in a QR code. It might look something like this:

[Image: sample QR code for setting up authenticator]

The code contains a label that will typically be “Dropbox:your-email@example.com”, and it contains a secret that is randomly generated and unique for each account. The secret might look like “MQZDKZRZGBRWMMZXMI4TCMZUMYYDKYTC”. Putting this inside of a QR code just saves you a lot of typing. If you don’t have a camera that can be used to scan the code, there is even a link for getting the information that you should type in. Scanning this in is the only time that information will be transmitted (in this case, transmitted via your phone’s camera) from Dropbox to Google Authenticator.

Google Authenticator on your phone will keep a copy of the secret, and so will the Dropbox servers. That shared secret allows both Google Authenticator and Dropbox to calculate the same six digit codes when needed.

Counting on time

When you log into Dropbox with your username and password you will then be prompted for the six digit code if you have enabled two-step verification. You will then open Google Authenticator on your phone and you will see six digits. Those six digits are computed from a combination of the shared secret and the current time. The current time is the number of seconds since the first instant of 1970. It is rounded down to the nearest half minute. This is why the number changes every thirty seconds.

When you enter the six digit code during Dropbox’s login process, Dropbox will perform the same calculation. It has a copy of the secret that was first shared, and it too knows the current time. If what you enter matches what it has calculated, you’re in.

Your phone will not need any network connection as long as its clock is reasonably accurate. Fun fact: your phone actually makes minor adjustments to its clock pretty much every time it connects to any kind of network that allows it to check a time server on the internet. Today, most networked computers and devices know the current time to within less than one 10th of a second.

Because the code depends on both the time and on the shared secret, we end up with a different code during each 30 second period. This makes it a one time password.

Beyond the end of the world (January 19, 2038)

Ancient eunuchs foretold global catastrophe on January 19, 2038, as their long count calendar comes to an end and starts a new cycle from zero

—Anonymous

Replica of the Aztec sun stone. This has nothing to do with Unix or Mayan time keeping.

The number of seconds since the very beginning of 1970, known as Unix time, is often maintained in a single variable in the computer’s operating system. When Unix was first designed, this number was stored in a 32-bit variable. That means that the number could range from 0 to 2^32. Zero corresponds to midnight January 1, 1970 (UTC). So what time does 2^32 correspond to? That will be 3:14:07 (UTC) on January 19, 2038. Bad things will happen then to computers that are still using 32-bit integers to store Unix time.

So will Google Authenticator stop working in 2038? No, it should be fine. Even though iOS devices – based on 32-bit ARM chips – do just use 32 bit “long” integers, Google Authenticator doesn’t rely on that. It uses NSDate to get Unix time on iOS.

Indeed, the actual standard defining the TOTP states:

The implementation of this algorithm MUST support a time value T larger than a 32-bit integer when it is beyond the year 2038.

Another wrinkle in time

Unix Time really is the number of seconds since the very beginning of 1970, but that number ignores leap seconds. Leap seconds are added (or subtracted) on occasion to account for the fact that the speed of the Earth’s rotation can change slightly due to earthquakes, other seismic activity, and even tidal activity (not only do I get to talk about a calendar system reaching its end and resetting, I get to talk about earthquakes and tidal waves in the same post!). A leap second was added at the end of June 2012, so noon (leap second adjusted) on July 1 was actually only 86399 seconds later (by Unix time) than June 30 instead of 86400 seconds later as you would normally get between two days.

The TOTP standard requires the use of Unix time, which is defined to ignore leap seconds. This way, everyone who follows the standard will be using the same clock and calendar. Also, keep in mind that Unix time isn’t just for Unix-based operating systems like OS X, iOS, and Android. Windows has a similarly defined FILETIME, which differs in its start time and that it counts in nanoseconds instead of seconds, but it can be converted to Unix time easily enough for use in the TOTP protocol.

Time to meet MAC

Earlier, I said that the code, or one time password, is computed from the secret key and the time, but not just any old computation will do. For the system to work securely, we need the computation to meet some requirements which include:

  1. It must be easy to calculate the code from the key and the time, but it must be completely unfeasible to calculate the key from the code and the time.
  2. It must be unfeasible to predict without knowledge of the key what the code will be at some particular time even if you have observed what the code is at many other times.
  3. The calculation will always give the same result if given the same key and time (it is a function).

These look similar to some of the requirements we wanted for a good cryptographic hash function. And a cryptographic hash function will play a central role in how this is all done.

This also looks as if we are using a shared secret key to create a digital signature on the time. Digital signatures also involve hash functions. But “digital signature” isn’t really the right term here because those are based off of public/private key systems. With TOTP, we have a shared secret.

In place of a digital signature, we have a Message Authentication Code (MAC). This is not to be confused with “MAC” of “MAC address” that you see as hardware addresses for networking equipment, and certainly not to be confused with “Mac” (Apple’s family of computers) or “mac” (the mackintosh raincoat). Maybe this will help keep things clear:

A lowercase mac, for when you need wet wear
And an all-caps MAC is made by software
You’d be just as cool as the great Ry Cooder
If you never confound these with a Mac computer

One of the ways to use a cryptographic hash to create a MAC is the HMAC. You will hear more about HMAC in the not-so-distant future.

Keeping time, time, time

One consequence of this sort of system is that it makes the computers’ knowledge of the time part of the security system. This isn’t anything new; this requirement has been part of the Kerberos system for decades. Indeed, one of my first roles in system administration was keeping clocks in sync with each other, specifically for Kerberos.

Unfortunately, this means that if someone can tamper with the time signals a computer receives from outside, then they can do damage to other aspects of security. We need systems to verify that the messages they get about the time are authentic, but the less-than-ideal state of secure time synchronization could be the subject for a new series of rant posts. Fortunately, I’ll spare you.

It is also not clear at this point what forms of time travel this or other security protocols can resist. I believe that there is a research paper in this question somewhere for an adventurous student and a flexible professor.

Six digits from 160 bits

Let’s now put all of these pieces together. Dropbox and Google Authenticator each have the shared secret from when you set up your two-step verification. And each knows the correct time at the moment. So when each calculates the HMAC of the current time, using the shared secret as a key, they will calculate the same number. If they use SHA-1 for the hash function (as they do in the current system) the number that they calculate will be 160 bits long, or roughly 48 digits. The final step is to compute a 6 digit number from that 160 bit number. But let’s save time and skip those final details.
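For readers who do want those final details, here is the whole calculation as an added example (it is not code from Dropbox, Google Authenticator, or 1Password). It follows the published TOTP and HOTP standards, RFC 6238 and RFC 4226; the function names and the one-step clock drift tolerance in `verify` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the "half minute" the time is rounded down to
DIGITS = 6


def decode_secret(b32_secret: str) -> bytes:
    """Decode the base32 secret carried in the set-up QR code."""
    cleaned = b32_secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)      # restore any stripped padding
    return base64.b32decode(cleaned)


def time_counter(unix_time: float, step: int = STEP_SECONDS) -> int:
    """Number of whole 30-second steps since the start of 1970."""
    return int(unix_time) // step


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the counter, then reduce 160 bits to a short code."""
    # The counter is packed as a 64-bit big-endian integer, so time values
    # beyond the year 2038 do not overflow here.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low 4 bits of the last byte select an offset,
    # and the 4 bytes found there (top bit cleared) become a 31-bit number.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time=None, digits: int = DIGITS) -> str:
    """The code both sides compute for the given (or current) time."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(key, time_counter(unix_time), digits)


def verify(key: bytes, submitted: str, unix_time=None, drift_steps: int = 1) -> bool:
    """Server-side check that tolerates a clock off by a few steps."""
    if unix_time is None:
        unix_time = time.time()
    now = time_counter(unix_time)
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        if now + delta < 0:
            continue
        candidate = hotp(key, now + delta)
        # Constant-time comparison, and no early exit from the loop.
        ok |= hmac.compare_digest(candidate.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    # The sample secret shown earlier in this post: 32 base32 characters,
    # which is exactly 160 bits of key.
    key = decode_secret("MQZDKZRZGBRWMMZXMI4TCMZUMYYDKYTC")
    print("key length in bits:", len(key) * 8)
    print("code right now:", totp(key))
    # RFC 6238 test key and a test time well past January 2038.
    print("year-2603 code:", totp(b"12345678901234567890", 20000000000))
```

A real server would also remember the last step it accepted for each account and reject a code from that step a second time, which is what keeps the code a one time password.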

Time for closing remarks

Dropbox’s two-step authentication is a great thing, and 1Password for iOS now works more smoothly with it. But it does the most good for people who are using weak or re-used passwords to log into Dropbox. Thankfully, 1Password users don’t really need to worry about that problem.

1Password for iOS Features: There and back again with the clipboard

The scene: you’re creating a new password for a Login or another app on your device.

The protagonist: you.

The antagonist: tapping too many times to create a password, copy it to the clipboard, and paste it somewhere else.

The solution: our new Copy to Clipboard option in 1Password for iOS!

Whenever you create a new password now, it will automatically be copied to your clipboard, ready and waiting to be pasted into a tab in the all-new Web Mode browser or another app. You can tap the “show password recipe” option while using the Strong Password Generator to see the “Copy to clipboard” option, among others, or even disable it. But the story’s not done, yet.

We wanted to ensure your new passwords don’t sit forever in your clipboard where you may accidentally paste them into a message or a tweet hours or days later. To solve this challenge, we gave 1Password for iOS a “clear clipboard” option (Settings > Security) for anything you copy out of 1Password for iOS, then turned it on out-of-the-box. The default is 90 seconds, but you can push that all the way up to five minutes or “never.”

This way you can create your new password, copy it to your clipboard literally without lifting a finger, paste it into your final destination, then sit back and let 1Password clear your clipboard for you, keeping that info safe and sound.

1Password for iOS—keeping your info safe since 2008, and now saving you even more extra taps since December 2012.

1Password for iOS: All the FAQs fit to print

You have questions about the new 1Password for iOS, we have answers. Frequently answered questions, to be exact.

What’s the big deal about 1Password 4 for iOS? How do I do [blank] with iCloud? How can I fix a problem with [blank]? You can find your answers to these questions, and many of these filled-in blanks, in our 1Password for iOS Frequently Asked Questions document.

While you’re there, be sure to do some window shopping at our other documents. We have all manner of user guides and tutorials for a whole bunch of stuff, and more on the way!

1Password for iOS Features: Categories are the new Wallet

There’s a lot of new stuff in the new 1Password for iOS—I mean, a lot—but one of the most important changes is the new Categories tab. We rounded up all the different types of stuff you keep safe and use in 1Password and made it all more flexible, not to mention easier on the eyes.

You can check out our user guide on the new Categories, but I’ll give you the cliff notes. Categories is the tab in Vault Mode where you create and organize all your stuff, including Logins, Secure Notes, Credit Cards, Identities, and more. It also includes everything that was in the Wallet tab in 1Password 3, like Rewards Programs, Bank Accounts, and Memberships.

From the Categories tab you can tap into any category and get down to business, but now you can also reorder them! Yes, another great addition to the new 1Password for iOS is the ability to reorder Categories however you want—simply tap the Edit button in the top titlebar, then drag Categories above or below each other. Maybe you really love Secure Notes and want them to be above Logins, or maybe you don’t plan on having to add or update your Identities anytime soon. Drag them around to your heart’s content, then tap Done.

The new Categories tab can be a big help, and you can learn more about it in our user guide. Plus, don’t forget to check out the new 1Password for iOS, now available in the App Store!

Say hello to the new 1Password for iOS

You may have seen the news and incredible reviews elsewhere, so we are absolutely delighted, thrilled, ecstatic, and overjoyed to tell you that the new 1Password for iOS is here. In the App Store. Right now. If you’re curious about making the transition, we have a great new FAQ too.

What’s the big deal about the fourth edition of 1Password for iOS? In short, everything.

We spent more than a year thinking, designing, dreaming, drafting, listening, testing, and ultimately building. The new 1Password for iOS marks a new era for the most incredible password and identity manager for the iPhone and iPad which, in the words of Rene Ritchie at iMore, has been “redone from pixel to bit.”

We have all-new interfaces for both iPhone and iPad that are easier to use and even more beautiful; a full-featured Web Mode with tabbed browsing and form filling for Logins, Identities, and Credit Cards; iCloud sync; custom templates; Favorites for quick access to your most-used stuff… I could go on, or you could check it out in the App Store or go through just some of our best new stuff below:

  • 110% redesigned interface – It’s a whole new app for your iPhone, iPad, and iPod touch!
  • All-New Favorites section – You asked for quick access to your most used stuff, you got it!
  • All-New Web Mode – A full browser with tabbed browsing on iPhone and iPad, a URL bar—the works!
  • All-New Form Filling – Just like the Mac and PC versions, you now have Logins, Identities, and Credit Cards just a tap away in the all-new Web Mode
  • All-New Vault Mode - A redesigned place to organize your items by Categories, Favorites, Folders, and powerful search
  • Global Search – Search your entire Vault, Favorites, or a specific Category
  • iCloud sync support – 1Password sync: Not just for Dropbox anymore!
  • Folders – All the joy of folder organization from the desktop on your mobile device
  • Customize your items – Let each item be the unique snowflake that it was created to be.
  • Introducing Linked accounts – Multiple URLs can be associated with a single Login.
  • Action Bar — Swipe across an item to easily Smart Copy, Favorite, Open in Browser, or Delete.
  • View Attachments on iOS – Viewable on iOS, just like on the desktop!
  • Auto-Copy for passwords created with the Strong Password Generator (tap the “show password recipe” when using the SPG)
  • Supports 13 languages – English, French, Spanish, Italian, German, Russian, Korean, Japanese, Portuguese, Chinese (Simplified), Chinese (Traditional), Dutch, Norwegian
  • Demo Mode – Want to show off 1Password to a friend or post a screenshot, but don’t want to share your Vault with the world? Enable Demo Mode in Settings, lock 1Password, then type “demo” as your Master Password to make 1Password 4 for iOS load up a bunch of sample data instead of your personal Vault.
  • A brand new Quick Tour for new users. It’s much easier to get started with 1Password now.
  • PC-less sync setup – We now use iCloud and Dropbox’s new API to get you setup with sync, so you no longer need a Mac or PC to setup sync for your iPhone and iPad.
  • Better backups – Not only faster, but now it is a part of iTunes File Sharing feature in Settings > Sync.
  • Strong Password Generator is now included in all of your password fields—secure passwords everywhere.
  • Auto-Copy for passwords created with the Strong Password Generator (on by default, but tap the “show password recipe” when using the SPG to see it and other options)
  • Clear Clipboard – New in Settings, enabled by default, this option lets you clear your iOS clipboard at intervals of 30 seconds to five minutes. Great for preventing apps or websites from grabbing your passwords or other sensitive data.

We also streamlined 1Password for iOS to a single, new, universal app for iPhone, iPad, and iPod touch that requires iOS 6 and has a unified price of $17.99. But to celebrate a year of work and our best release to date, we’re holding a Launch Celebration and Upgrade Sale of just $7.99—over 50 percent off! Get it while the sale lasts, because we’re not sure yet when it’s going to end.

We’d like to thank our fearless developers, visionary designers, steadfast customer support team, and of course our incredible customers for making the new 1Password for iOS what it is today. We hope you love it, because this is just the beginning.

Coming Soon to an App Store near you

An unforgettable journey. An epic battle. A fellowship strengthened. Ancient truths protected by the one password you need to remember.

1Password 4 for iOS is coming.
