DevBits, featured image

On The Design And Building of 1Password for Apple Watch

When Tim Cook took the stage back in September to announce the next generation of Apple hardware, and that there was already an SDK for it, we were incredibly excited (and that’s putting it mildly!)

I believe our reaction was something akin to:

“We can make a 1Password app for Apple Watch!”

“That’s awesome!”

…brief silence…

“What would a 1Password app for Apple Watch do?” 

Day 0: the idea phase

We tossed a number of ideas around that first day, but the one we kept coming back to was our new (at the time) support for one-time passwords in 1Password for iOS.

One-time passwords seemed like a perfect fit for Apple Watch. They are a fixed length of 6 characters, so fitting them on the Apple Watch’s screen would be simple. They are refreshed every 30 seconds, so they could be stored and displayed without the need for authentication each time.

Also, they fit perfectly into the use case of logging into a site on your computer, and then looking to your wrist for the second factor verification.

So, we were decided, one-time passwords it was!

Day 23: build/design phase, part 1

1Password for Apple Watch was a simple three screen app in its infancy. There was one screen for the scenario of “no data”, one screen to list the items that included one-time passwords, and one screen to show the selected item’s one-time password.

A crucial part of the design was that we didn’t want you to have to enter your Master Password anywhere to access the information on Apple Watch. The usefulness of having your 1Password data on your wrist went way down if you needed to pull your phone out of your pocket to access it.

 

Interlude

Apple Watch apps are an interesting animal in that very little code actually runs on Apple Watch itself. Instead, each Apple Watch app is comprised of two parts: the visual “shell” that runs on Apple Watch, and an app extension that runs on the phone. The app on Apple Watch talks to the app extension over Bluetooth to get its data and respond to user interactions.

Apple Watch App Architecture

1password-for-apple-watch-03A good example to illustrate this idea is the PIN code screen in 1Password for Apple Watch. Each time you tap a digit on Apple Watch’s screen the following actions take place:

  1. Information about the tap is sent via Bluetooth to the 1Password Watch Extension (running silently in the background on your iPhone).
  2. The 1Password Watch Extension determines which digit was tapped and adds it to any digits tapped before.
  3. The extension then tells the Apple Watch app to update the PIN length indicator at the bottom of the screen, which requires another transfer of information over Bluetooth.
  4. If the tapped digit is the fourth in a series the 1Password Watch Extension checks to see if it is the correct PIN code, and if so tells the watch app to display the list of items, which requires yet another trip over Bluetooth.

As you can see, even a simple interaction with an app on Apple Watch can create a lot of Bluetooth traffic back and forth between Apple Watch and iPhone.

Day 45: fine-tuning

Once we had a baseline set of requirements and user interface designs we started to work out how to get the one-time password data to 1Password for Apple Watch.

Because we weren’t going to require your Master Password to access your data we precluded ourselves from being able to decrypt your 1Password vault, meaning we needed a place to store the one-time password secrets for use by 1Password for Apple Watch. We decided to utilize the iOS keychain as a secure storage location that wouldn’t require decryption each time we wanted to use it.

Of course this decision came with its own set of challenges, namely that we were going outside of the 1Password ecosystem to store secure data. Because of this fact we knew we had to ramp up our customer education efforts about this new feature and make sure that it was opt-in only.

We added what we called a “keychain maintainer” to the main 1Password app that would listen for changes in the 1Password database, determine if those changes were one-time password-related, and update the iOS keychain accordingly. The keychain maintainer worked out really well as it handled changes that were made by our sync system as well as any changes made to an item by a person manually.

With the keychain successfully populated with data all we needed to do was load this data in the 1Password Watch Extension and use it to populate the list of items. We finished up the implementation of the three screens and 1Password for Apple Watch was done…or so we thought.

Day 97: 1Password for Apple Watch v1 debut …

At this point we were quite happy with ourselves. 1Password for Apple Watch was complete months before Apple’s launch date of late April. We began to show it off to friends and industry acquaintances to get their reactions. Some of them thought it was very cool that they’d have access to their one-time passwords on their wrist, but many more of them weren’t exactly over the moon about it, and some had to be educated about one-time passwords before they understood exactly what it was we were offering.

It all came to a head when we were on a business trip and in a meeting with a handful of individuals whose opinions we really respect. With our usual gusto we showed off 1Password for Apple Watch and…it fell flat. Out of the five people in the room with us, only one person was genuinely excited about. They say two outta three ain’t bad. No one ever says anything about one outta five.

We knew we needed to do more.

So we went back to the drawing board: beyond one-time passwords, what kind of information would be useful to have on your wrist? We started to brainstorm ideas and realized there was a whole class of secure information that could be stored in 1Password that we weren’t leveraging: all kinds of small pieces of secure information that you need throughout the day.

Store your locker combination on your Apple Watch.

Store your locker combination on your Apple Watch.

1Password for Apple Watch can ensure that your door's unlock code is always handy.

1Password for Apple Watch can ensure that your door’s unlock code is always handy.

 

We started to work up some use cases. Gym locker combination? Check. Garage door code? Check. Would it be useful to see your credit card info while placing an order over the phone? Yep. We discovered all sorts of situations where it might not be convenient to pull your phone out of your pocket, unlock it, open 1Password, unlock 1Password, and search your vault for the data you needed. Apple Watch, however, was the perfect place for this kind of information. App interactions are incredibly short and perfect for the things you need on the go: you get in, get your data, and get out.

Day 98: the re-build phase

With this new vision for 1Password for Apple Watch we began to rework both the user interface and the code.

Because we were expanding beyond one-time passwords we no longer wanted 1Password for Apple Watch populated with a whole set of information automatically. Everything that appeared on your wrist needed to be there because you put it there. A button was added to the bottom of the item detail screen that allows you to add/remove an item to/from your Apple Watch. This button ended up being a shortcut for adding a new “Apple Watch” tag to the current item. The cool thing about this approach is that you can manage your Apple Watch items not only on your phone, but also on any of your other devices or computers simply by adding the “Apple Watch” tag and syncing the changes over.

Our keychain maintainer evolved beyond looking for one-time passwords to looking for items tagged with “Apple Watch” instead. We added an extra set of attributes (encrypted with the 1Password Apple Watch PIN code) to our keychain entries to handle the extra data for logins, passwords, secure notes, and credit cards. 

In 1Password for Apple Watch itself we ended up adding four new screens to support the new item types in addition to the original one-time password screen. When Apple Watch shipped at the end of April our app’s design looked like so:

Apple Watch App Storyboard

Today

1Password for Apple Watch 01I hope you’ve enjoyed this little glimpse into the process behind 1Password for Apple Watch. If you have any questions please leave them in the comments below, I’d love to talk some more about our process here. For some further reading I’d recommend our excellent Apple Watch User Guide and our Apple Watch Security Guide.

1Passwords new brain

Synapse and 1Password’s new brain

Filling is clearly one of the most important features in 1Password.  I know, I know, security is super important too … it protects our data from prying eyes and provides some very valuable peace of mind. But day to day, it is the convenience of being able to fill those long, randomly generated strings of gibberish into various sign-in pages that makes 1Password truly awesome. I’d love to say 1Password’s encryption is my favourite feature, but I’d be lying. When it comes down to it, I just don’t want to have to type my passwords. Ever.

So we rely on the 1Password extension to put those complex passwords where they belong to log us in to websites, pop our credit card details into online shopping forms, and provide our identity details for all those fun new services we can’t wait to try out.

Unfortunately, every now and then we run into a website that just doesn’t seem to want to play nice with 1Password’s current filling algorithms for one reason or another. Believe me, our intrepid filling gurus have performed some complicated code gymnastics to convince the existing extensions to fill forms on these less-than-standard websites. As 1Password sought to tackle more complex login screens, it became more and more challenging to write new solutions in and around the existing codebase.

So, in the 5.3 update for 1Password for Mac, our developers decided the best solution was a complete brain transplant for the extension.

1Password’s new brain

Version 5.3 of 1Password for iOS and version 5.3 of 1Password for Mac have now been released with this brand new brain, and Windows and Android users will see updates soon that take advantage of 1Password’s new smarts as well.  This new brain will provide filling that is more consistent across all of the platforms that we offer 1Password on, with more flexible algorithms that can be used on multiple websites, and easier-to-code solutions for those ‘unique’ sign in pages.

What’s improved here?

The browser extension is now a lot smarter at capturing user information on non-standard websites when a new Login is saved. And you may not notice this on your end, but many sites that previously required some of those complicated code gymnastics filling workarounds now fill smoothly – which makes the codebase a much nicer place for our team to play. Starting in version 5.3, you will see an improvement in Credit Card and Identity filling, particularly with respect to the filling of expiry dates. In addition, our gallant gurus have finally managed to slay a particularly troublesome dragon of a website: Citibank saving and filling will now work seamlessly across all login pages! Go on, re-save your Citibank Login to test … I know you want to.  :)

Even more awesome than the changes that are already introduced is the framework that our developers have built here. We’ve got a great foundation for future improvements … and our team is already working on slaying more dragons.

Synapse

Not only is 1Password’s new brain better, stronger, faster, AND more fill-ier than ever, but it ALSO comes with an awesome new reporting feature that will allow users to let us know when 1Password isn’t filling properly – from right within the app! Not only does this feature save you the effort of having to post in the forums or email in to tell us when filling isn’t working, but it quickly gets developers the information that they need, and provides a way for us to communicate fixes and workarounds to you. It’s all-around awesome.

So, what is Synapse?

Synapse is a brand new tool that lets customers report broken filling on websites directly through 1Password. Synapse will automatically gather the information about the site that developers need to quickly diagnose (and fix) the problem.  Now, that’s a great improvement for our team, but Synapse is also something for you to get excited about, because beyond making it easy to let us know when something’s not right, this tool will also advise you of any known workarounds (or the fix version) when you report a site that we’re already working on.

How can users report?

report_website_issueOur Knowledgebase has an article that can tell you all about this awesome new feature. But it’s easy to find, right in the extension’s menu!

What information does Synapse gather?

First and foremost: Synapse does nothing without your explicit consent. No information is gathered until you click the ‘submit’ button when reporting a website.

Because Synapse is an information-gathering tool, we want to be very clear about what information we are receiving when you report a website. As always, we take your privacy very seriously. And with Synapse, we take every effort to prevent sensitive information from being collected. Usernames, passwords, and other secure details are not included in the report which is sent to us. We’re also careful to mask any kind of information that could possibly identify you.

screen_shot_2015-04-09_at_11.08.59_am

Here’s what Synapse does collect:

  • The platform you are using. Currently this feature is implemented in 1Password for Mac (introduced in version 5.3), and the beta version of 1Password for Windows. We’d love to expand this feature to our mobile platforms in the future, if possible.
  • 1Password’s version number.
  • The version number of the browser extension.
  • Which browser is being used (Safari, Chrome, Firefox, or Opera).
  • The browser’s user agent.
  • The browser’s bundle identifier.
  • The URL of the site that is misbehaving.
  • The item’s Category type: whether you are attempting to fill a Login, Identity, Credit Card, or Password item.
  • Where the item was created: sometimes a Login created in the main app can behave differently than an item that was saved directly from the extension.
  • The date the item was created.
  • The date the item was last updated.
  • Any additional comments you might choose to share.

How does this make life easier for us all?

On the development end of things, Synapse gives developers a lovely aggregated list of the reported sites, which easily identifies the top issues and lets the team focus on fixing the issues that are most important to you. In addition to easy prioritization, developers have a ton of useful information to help track down the issue … without even needing to request it. Not only does this save time for our developers, but it also saves you from having to hunt down these details, which are not always easy to find! We think it’s a win-win situation.

Synapse also provides us a way to easily notify you when progress has been made on the issues you report. When you report an issue in Synapse, you’ll see an option to provide us with your email address. Sharing your email address means that our team can contact you if they need any more information about the issue that you reported. But, more importantly, it also means that we have a way to let you know when we have a workaround, or, even better, a proper resolution to the issue.

What else will you see when you report an issue with Synapse?

When you report an issue with Synapse, you’ll also be advised of any existing workarounds for the issue and be able to vote on if the workaround was successful for you, which provides us with some valuable feedback.  If our developers have already fixed the issue for a future update, you’ll see that notice as well.

Basically, what it comes down to is a pretty awesome update for those of us who rely on 1Password’s filling magic. 1Password’s filling is stronger and more ready to take on those uniquely designed websites, and with Synapse you can easily tell us when something’s not working and give the developers the details they need to fix it quickly.

Let us know what you think about Synapse and 1Password’s new brain in the comments, or in our forums.

An Open Letter from AgileBits

An open letter to banks

Update (2015-04-02): TD Canada Trust updated their iPhone app today re-enabling pasting in the login fields. It’s a great first step toward friendliness with security-conscious customers and password managers.

TD Canada Trust made quite a splash recently when it launched its redesigned iPhone app which disabled pasting in the password field. Users who embrace password managers for their online security were quick to point out their … well, ‘unhappiness’ with this decision. TD Canada’s original response to those users was unsettling:

Hi Steve, thx for stopping by. For ur security, your password should be committed to memory rather than using a password mgr. ^SB

The original tweet has since been deleted by @TD_Canada.

For those of us who rely on 1Password (and other password managers) on a daily basis, this advice is completely cringe-worthy … unfortunately, it’s really not all that uncommon in the banking world. Many banking and financial sites implement restrictions on password length, require certain special characters to be present, and put in place various ‘security theatre’ measures on their websites that do little for increasing user security, while ultimately making it more difficult for users to rely on password managers to fill their complex passwords in on the site. Why do they do this? Well, it’s difficult to know for sure, although our Chief Defender Against the Dark Arts does have a theory on the matter.

With the conversation about online security and banking so fresh in everyone’s minds, I thought now would be a great time to send a message out to banks and financial institutions everywhere to encourage them to to take users’ security more seriously. I’m writing this not only as a member of the 1Password team who deals with security issues on a daily basis, but also as a concerned customer who just wants simple and secure access to her data.


Dear banks,

I know that you have my best interests at heart.

I know that you’ve worked hard to put ‘safeguards’ into place (such as disabling pasting into password fields, obfuscating usernames, spreading the login process across multiple pages and “please input the nth character of your password” fields) to thwart various types of attacks.

But the truth is that these ‘security measures’ are not actually helping your users.

Do you know what would really help your users? Long, random passwords.

Using long, random, and unique passwords is the best defense that we, your users, have against attackers. This advice is true for every site we have to sign in to these days … and believe me, we sign in to a lot more than just our financial sites. Keeping 100 or so strong and unique passwords memorized is not only a silly suggestion, it’s nearly impossible for all but the most savant-ish of us. Password managers help us increase our security by remembering these unique passwords for us, keeping them stored securely, and filling them in on websites so we don’t have to.

Many of the ‘security measures’ you have put into place serve only to make it much more difficult for those of us who rely on password managers. Password managers are not your enemy here. In fact, encouraging the use of trusted password managers will do more for your users’ security than any of the measures you currently have in place.

You have an awesome opportunity here. Take the time to educate your users on the value of true security. Encourage users to adopt long, random, and unique passwords that never need to be stored in their brains. Make it easy for password managers to store and fill these secure passwords for your users (in web browsers as well as in mobile apps).

Now, it just so happens that there is a very simple way that you can give your users easy access to their banking data in your mobile apps. We’ve written an App Extension API that can be added to your iOS app in 3 easy steps. The app extension will allow users to select their password manager of choice and fill their complex passwords into your form, with no typing required.

1Password has been giving people control over passwords for almost 10 years now, and it truly is a wonderful thing. Our team built 1Password around the idea that being secure should never be compromised for convenience. We’ve been advocating for stronger, safer passwords for years, and we’d be so happy if you stood with us.

For now, passwords are a necessary evil. Remembering them shouldn’t have to be.

Please help us increase awareness of online security. Your users will be ever-so-grateful that you are taking their security seriously, and you’ll be making their lives a lot simpler too.

Signed, a hopeful user.


Since TD’s original response last week, they seem to have had a change of heart. A tweet from @TD_Canada on Saturday indicates that they are in fact working on an update that will allow copy and paste within their app … and possibly considering integrating password managers.

Hi Rick, we're working on providing our customers w/ the option to use copy/paste & PW managers. No dates to share yet. ^SK

This is incredible news! Without seeing the update, it’s hard to know exactly what they have in store for users, but they have a great opportunity here to set the standard for banking apps and give other financial institutions a secure example to follow. I’m excited to see what they come out with!

If you believe as I do that banks should add 1Password (and other password manager) integration to their iOS apps, please consider sharing this open letter with your bank. #BanksNeed1Password

Extension-960

Apps ❤ 1Password: Travel

1Password can help you login faster and be more secure while reading the news and getting productive, but it can also help you get across town or the globe.

As our Apps ❤ 1Password directory grows to nearly 120 iOS apps strong, some pretty cool travel apps are joining the pack, including Foursquare, Uber, Rego, and Tripomatic.

Check out the Travel category of apps that ❤ 1Password below, and our full directory of all apps that support our new iOS 8 App Extension!

Travel Apps ❤ 1Password

Workflow icon

Community Goodie: Workflow + Chrome for iOS + 1Password

Have you discovered Workflow for iOS yet? It joins Launch Center Pro and others in the category of Super Useful Apps that can save you a ton of time doing repetitive tasks or complicated things that span multiple apps. They can also just blow your mind with tasks you didn’t know iOS could pull off.

One of Workflow’s tricks is that it can make your workflows available inside other apps via its own App Extension. Harnessing the true power of this knowledge, 1Password user and Redditor papa-lozarou created a Workflow that searches 1Password for the domain of the current tab right within Chrome for iOS.

 

Picture this: you’re groovin’ along in Chrome for iOS, and you have to log into a thing to do a thing. Instead of switching to 1Password to unlock, manually search, copy, switch back over, and paste your password, you can now simply trigger Workflow right inside of Chrome. From there you can invoke 1Password’s in-app extension, which then automatically searches for the URL of your current tab.

You’ll still have to tap into the item to copy your password, but you’re still in Chrome where you can easily paste it and get on with your bad self.

Let’s give a shout out to Redditor papa-lozarou and Workflow for being just great. On an iOS device, you can download the Chrome workflow here.

Extension-960

Apps ❤ 1Password: They really, really do

The number of apps adding support for our 1Password App Extension for iOS 8 is growing briskly. I know of dozens of apps that are gaining support as you read this, and we are at nearly 100 shipping apps right now.

We are deeply grateful to every developer adding support, and thankful to our users for helping us to spread the word. If you haven’t checked out the apps that are making it easier to create accounts, log in with a tap, and stay secure online, here are some of the latest categories gaining new entries from developers and businesses all around the world.

Finance

Business

Lifestyle

Social Networking

document_256px

Apps ❤ 1Password: Productivity

You’ve seen Apps that ❤ 1Password to help you stay secure while socializing and keeping up with the news, but now it’s time to get to work.

We’re seeing a great number of iOS Productivity apps add 1Password support, and we are truly thankful! Turns out our iPhones and iPads can’t just be for cat GIFs and Yo-ing each other. Apparently we actually have to, like, do stuff with them.

Now you can do stuff with these apps more quickly and securely by logging in and creating accounts with 1Password and Touch ID!

news icon

Apps ❤ 1Password: News

It can be tough to stay in touch with all the news outlets, blogs, and just plain great stuff that’s important to you. Thanks to these iPhone and iPad apps that ❤ 1Password, you can log in securely and get to reading, scrolling, and favoriting faster than ever before.

From podcast clients to information curators, bookmarking services to news readers, these are all great ways to stay informed. With their new 1Password integration on iPhone and iPad, you can stay safe online with strong, unique passwords, yet log in quickly thanks to 1Password, Touch ID, and a single tap.

1P iOS icon 1024

Apps ❤ 1Password: Social Networking

Our Apps ❤ 1Password page is growing by the week, so it’s about time we start highlighting these fantastic apps! Developers are adding support to their apps so you can quickly log in and, in more and more cases, even sign up for a new account with 1Password and Touch ID!

For our inaugural post I’d like to get social. It’s one of our most popular categories so far and has something from and for everyone, including Twitter clients, crowdfunding, and an app for meeting people to, you know, actually get social!

Check out the Social Networking Apps that ❤ 1Password category, and give them some love in the App Store!

App Extension

Our 1Password App Extension for iOS 8 is already supported by over 100 apps, here are nearly 20

App ExtensionThe response to 1Password’s App Extension for iOS 8 has been incredible: our customers are beyond excited to use 1Password across iOS with Touch ID and their favorite apps, and an amazing number of developers have already added our extension to their upcoming apps in preparation for iOS 8!

We can’t share the full list of developers yet (we just cracked 100!). But we can show you nearly 20 apps that are already working on integrating 1Password’s iOS 8 App Extension for fast, one-tap logging in and even updating your passwords!

Plus, our 1Password update for iOS 8 will be free to existing customers! Since you can get 1Password for iOS for just $9.99, you can start saving time and get secure online right now.

What the 1Password App Extension can do for you

Since the announcement, our mad-scientist developers have kept working in their secret laboratory to add even more super-hero powers to this powerful extension. Developers, check out our GitHub project to add 1Password integration to your own apps!

Here’s the rundown of the skills we’ve added to the extension so far:

  • Fill Logins, Credit Cards, and Identities into Safari
  • Fill Logins into other third party apps (including web browsers) that add support for it
  • Generate strong, unique passwords and create new Logins during a signup process
  • Update a Login’s password if you change it in an app

Apps that already Love 1Password

As promised, here is a sample of over 100 apps that are already preparing for iOS 8 and our new extension ship!

Read more