An Open Letter from AgileBits

An open letter to banks

TD Canada Trust made quite a splash recently when it launched its redesigned iPhone app which disabled pasting in the password field. Users who embrace password managers for their online security were quick to point out their … well, ‘unhappiness’ with this decision. TD Canada’s original response to those users was unsettling:

Hi Steve, thx for stopping by. For ur security, your password should be committed to memory rather than using a password mgr. ^SB

The original tweet has since been deleted by @TD_Canada.

For those of us who rely on 1Password (and other password managers) on a daily basis, this advice is completely cringe-worthy … unfortunately, it’s really not all that uncommon in the banking world. Many banking and financial sites implement restrictions on password length, require certain special characters to be present, and put in place various ‘security theatre’ measures on their websites that do little for increasing user security, while ultimately making it more difficult for users to rely on password managers to fill their complex passwords in on the site. Why do they do this? Well, it’s difficult to know for sure, although our Chief Defender Against the Dark Arts does have a theory on the matter.

With the conversation about online security and banking so fresh in everyone’s minds, I thought now would be a great time to send a message out to banks and financial institutions everywhere to encourage them to to take users’ security more seriously. I’m writing this not only as a member of the 1Password team who deals with security issues on a daily basis, but also as a concerned customer who just wants simple and secure access to her data.


Dear banks,

I know that you have my best interests at heart.

I know that you’ve worked hard to put ‘safeguards’ into place (such as disabling pasting into password fields, obfuscating usernames, spreading the login process across multiple pages and “please input the nth character of your password” fields) to thwart various types of attacks.

But the truth is that these ‘security measures’ are not actually helping your users.

Do you know what would really help your users? Long, random passwords.

Using long, random, and unique passwords is the best defense that we, your users, have against attackers. This advice is true for every site we have to sign in to these days … and believe me, we sign in to a lot more than just our financial sites. Keeping 100 or so strong and unique passwords memorized is not only a silly suggestion, it’s nearly impossible for all but the most savant-ish of us. Password managers help us increase our security by remembering these unique passwords for us, keeping them stored securely, and filling them in on websites so we don’t have to.

Many of the ‘security measures’ you have put into place serve only to make it much more difficult for those of us who rely on password managers. Password managers are not your enemy here. In fact, encouraging the use of trusted password managers will do more for your users’ security than any of the measures you currently have in place.

You have an awesome opportunity here. Take the time to educate your users on the value of true security. Encourage users to adopt long, random, and unique passwords that never need to be stored in their brains. Make it easy for password managers to store and fill these secure passwords for your users (in web browsers as well as in mobile apps).

Now, it just so happens that there is a very simple way that you can give your users easy access to their banking data in your mobile apps. We’ve written an App Extension API that can be added to your iOS app in 3 easy steps. The app extension will allow users to select their password manager of choice and fill their complex passwords into your form, with no typing required.

1Password has been giving people control over passwords for almost 10 years now, and it truly is a wonderful thing. Our team built 1Password around the idea that being secure should never be compromised for convenience. We’ve been advocating for stronger, safer passwords for years, and we’d be so happy if you stood with us.

For now, passwords are a necessary evil. Remembering them shouldn’t have to be.

Please help us increase awareness of online security. Your users will be ever-so-grateful that you are taking their security seriously, and you’ll be making their lives a lot simpler too.

Signed, a hopeful user.


Since TD’s original response last week, they seem to have had a change of heart. A tweet from @TD_Canada on Saturday indicates that they are in fact working on an update that will allow copy and paste within their app … and possibly considering integrating password managers.

Hi Rick, we're working on providing our customers w/ the option to use copy/paste & PW managers. No dates to share yet. ^SK

This is incredible news! Without seeing the update, it’s hard to know exactly what they have in store for users, but they have a great opportunity here to set the standard for banking apps and give other financial institutions a secure example to follow. I’m excited to see what they come out with!

If you believe as I do that banks should add 1Password (and other password manager) integration to their iOS apps, please consider sharing this open letter with your bank. #BanksNeed1Password

Extension-960

Apps ❤ 1Password: Travel

1Password can help you login faster and be more secure while reading the news and getting productive, but it can also help you get across town or the globe.

As our Apps ❤ 1Password directory grows to nearly 120 iOS apps strong, some pretty cool travel apps are joining the pack, including Foursquare, Uber, Rego, and Tripomatic.

Check out the Travel category of apps that ❤ 1Password below, and our full directory of all apps that support our new iOS 8 App Extension!

Travel Apps ❤ 1Password

Workflow icon

Community Goodie: Workflow + Chrome for iOS + 1Password

Have you discovered Workflow for iOS yet? It joins Launch Center Pro and others in the category of Super Useful Apps that can save you a ton of time doing repetitive tasks or complicated things that span multiple apps. They can also just blow your mind with tasks you didn’t know iOS could pull off.

One of Workflow’s tricks is that it can make your workflows available inside other apps via its own App Extension. Harnessing the true power of this knowledge, 1Password user and Redditor papa-lozarou created a Workflow that searches 1Password for the domain of the current tab right within Chrome for iOS.

 

Picture this: you’re groovin’ along in Chrome for iOS, and you have to log into a thing to do a thing. Instead of switching to 1Password to unlock, manually search, copy, switch back over, and paste your password, you can now simply trigger Workflow right inside of Chrome. From there you can invoke 1Password’s in-app extension, which then automatically searches for the URL of your current tab.

You’ll still have to tap into the item to copy your password, but you’re still in Chrome where you can easily paste it and get on with your bad self.

Let’s give a shout out to Redditor papa-lozarou and Workflow for being just great. On an iOS device, you can download the Chrome workflow here.

Extension-960

Apps ❤ 1Password: They really, really do

The number of apps adding support for our 1Password App Extension for iOS 8 is growing briskly. I know of dozens of apps that are gaining support as you read this, and we are at nearly 100 shipping apps right now.

We are deeply grateful to every developer adding support, and thankful to our users for helping us to spread the word. If you haven’t checked out the apps that are making it easier to create accounts, log in with a tap, and stay secure online, here are some of the latest categories gaining new entries from developers and businesses all around the world.

Finance

Business

Lifestyle

Social Networking

document_256px

Apps ❤ 1Password: Productivity

You’ve seen Apps that ❤ 1Password to help you stay secure while socializing and keeping up with the news, but now it’s time to get to work.

We’re seeing a great number of iOS Productivity apps add 1Password support, and we are truly thankful! Turns out our iPhones and iPads can’t just be for cat GIFs and Yo-ing each other. Apparently we actually have to, like, do stuff with them.

Now you can do stuff with these apps more quickly and securely by logging in and creating accounts with 1Password and Touch ID!

news icon

Apps ❤ 1Password: News

It can be tough to stay in touch with all the news outlets, blogs, and just plain great stuff that’s important to you. Thanks to these iPhone and iPad apps that ❤ 1Password, you can log in securely and get to reading, scrolling, and favoriting faster than ever before.

From podcast clients to information curators, bookmarking services to news readers, these are all great ways to stay informed. With their new 1Password integration on iPhone and iPad, you can stay safe online with strong, unique passwords, yet log in quickly thanks to 1Password, Touch ID, and a single tap.

1P iOS icon 1024

Apps ❤ 1Password: Social Networking

Our Apps ❤ 1Password page is growing by the week, so it’s about time we start highlighting these fantastic apps! Developers are adding support to their apps so you can quickly log in and, in more and more cases, even sign up for a new account with 1Password and Touch ID!

For our inaugural post I’d like to get social. It’s one of our most popular categories so far and has something from and for everyone, including Twitter clients, crowdfunding, and an app for meeting people to, you know, actually get social!

Check out the Social Networking Apps that ❤ 1Password category, and give them some love in the App Store!

App Extension

Our 1Password App Extension for iOS 8 is already supported by over 100 apps, here are nearly 20

App ExtensionThe response to 1Password’s App Extension for iOS 8 has been incredible: our customers are beyond excited to use 1Password across iOS with Touch ID and their favorite apps, and an amazing number of developers have already added our extension to their upcoming apps in preparation for iOS 8!

We can’t share the full list of developers yet (we just cracked 100!). But we can show you nearly 20 apps that are already working on integrating 1Password’s iOS 8 App Extension for fast, one-tap logging in and even updating your passwords!

Plus, our 1Password update for iOS 8 will be free to existing customers! Since you can get 1Password for iOS for just $9.99, you can start saving time and get secure online right now.

What the 1Password App Extension can do for you

Since the announcement, our mad-scientist developers have kept working in their secret laboratory to add even more super-hero powers to this powerful extension. Developers, check out our GitHub project to add 1Password integration to your own apps!

Here’s the rundown of the skills we’ve added to the extension so far:

  • Fill Logins, Credit Cards, and Identities into Safari
  • Fill Logins into other third party apps (including web browsers) that add support for it
  • Generate strong, unique passwords and create new Logins during a signup process
  • Update a Login’s password if you change it in an app

Apps that already Love 1Password

As promised, here is a sample of over 100 apps that are already preparing for iOS 8 and our new extension ship!

Read more

iOS 8 App Extensions icon

Filling with your approval: On 1Password’s App Extension and iOS 8 security

App ExtensioniOS 8 has an incredible feature coming called App Extensions, and we’re thrilled to say we have a 1Password extension ready for developers to use right in their apps! In apps that gain support for our extension, you will no longer have to copy and paste passwords from 1Password. Yes, it really is a game changer, and you can see it in action for yourself.

Naturally, this new-fangled way for apps to interact in iOS 8 is leading people to ask how we do this in a secure manner:

  • Are we really letting third-party apps poke around inside of your 1Password data?
    • Answer: No, that is not how extensions work.
  • Can these third party apps ask 1Password for your PayPal password?
    • Answer: Well, they can ask, but you decide if they should get what they ask for.
  • Can they trick you into entering your 1Password Master Password into something that isn’t 1Password?
    • Answer: The very same mechanisms that prevent that today apply to application extensions.

TL;DR

I will elaborate on all of this below. But to summarize, all of my points and these safeguards in both iOS extensions and 1Password are built on an important design principle: Nothing happens without your explicit action.

Read more

iOS 8 App Extensions icon

Introducing the 1Password App Extension for iOS 8 apps

Throughout history, the greats have always sought a “holy grail.” The Dude really wanted that new rug. Indiana Jones searched for… well, the Holy Grail. Today, we’re happy to say we built our holy grail: automatic 1Password Logins right in iOS 8 apps.

The video embedded here, produced by our fearless co-founder Dave Teare, speaks for itself. Thanks to Apple’s incredible new developer features in iOS 8, third-party apps can let 1Password fill Logins without the user ever leaving the app. Yep, complete with Touch ID for unlocking the vault. Yep, it’s this awesome.

How easy is it for third-party apps to get in on this one-tap Login goodness? Extremely! Developers: check out our 1Password App Extension on GitHub with documentation and sample code.

App users: reach out to the developers of your favorite apps and help us spread the word! Show them the video and link this blog post and our GitHub project.

We want to share our holy grail with all apps: the convenience of one-tap Logins and the security of strong, unique passwords with 1Password.