DevBits header

Web View Filling ups the awesome factor of the 1Password App Extension

App Developers, this one’s for you!

Since the introduction of the 1Password App Extension API, support for the extension has been added to over 200 apps. We are so excited by this show of support from the development community that we decided to add functionality to the App Extension API to make it even more useful for you and more powerful for your users.

Version 1.5 = (Web View Filling)^2

As most of you already know, the 1Password Extension was originally designed to fill login details (usernames and passwords) in Safari and third-party applications. Thus far, the primary use of 1Password in third-party apps has been to sign in, which means that users likely invoke 1Password only once, right after installing your app.

In the latest update, we’ve made the app extension more powerful and more versatile. I am happy to introduce you to the redesigned Web View Filling capability of the 1Password App Extension API, which will enable your users to use 1Password to fill not only Logins, but also Credit Cards and Identities in any of your app’s web views.

From a technical point of view, this updated capability works in a similar fashion to the original Web View Filling: it can fill 1Password items in web views. However, to get the best user experience from the 1Password Extension, we should treat it as two distinct capabilities. Let’s take a quick look at what makes these two options unique, so that you can determine the best choice for your use case.

Scenario 1: Authentication

Let’s say users have to sign in to a service before they can use your app. When the user opens your app, they are presented with a web view in which they can enter their username and password to log in. In this case, you do not want the user to be distracted or confused by Credit Card and Identity items. You only want the Login for the service to show up in the 1Password Extension so the user can log in quickly.

Login selection screen using app extension API 1.5

Scenario 2: Web Browsing

  • Can your users purchase items from your web store?
  • Can your users sign up for a service by entering their information in to a web view?
  • Does your app have a built-in browser?
  • Does your app have billing and/or shipping forms for users to fill?
  • Would you like the 1Password Extension to show in the share sheet?

If you answered “yes” to at least one of the above questions, consider adding support for 1Password using the wonderful new Web View Filling capability, which will enable you to permit the filling of Credit Cards and Identities. You will also benefit from the fantastic new Brain filling logic we use in 1Browser and Safari.

This capability will help make your users’ browsing experience simple and secure by filling Login details, Credit Card items and Identities.

Fill Login, Credit Card, and Identity info when using app extension API 1.5

The Code

Choosing between the two scenarios is very easy: simply decide whether you want to show the Credit Cards and Identities that the user has stored in 1Password. To show only 1Password Login items in the 1Password app extension, pass YES as the parameter for showOnlyLogins. To unlock the full awesomeness of the 1Password app extension and take advantage of the new Web View Filling of Logins, Credit Cards and Identities, pass NO. That’s really all there is to it!

- (IBAction)fillUsing1Password:(id)sender {
    [[OnePasswordExtension sharedExtension] fillItemIntoWebView:self.webView forViewController:self sender:sender showOnlyLogins:NO completion:^(BOOL success, NSError *error) {
        if (!success) {
            NSLog(@"Failed to fill into webview: <%@>", error);
        }
    }];
}

1Password ❤ App Developers

I want to take this opportunity to thank all of you app developers who have already added the 1Password app extension to your apps; you’re awesome! This new functionality gives you the chance to make security even more convenient for your users, and I can’t wait to see how you use it. Please don’t forget to submit your app to our Apps ❤ 1Password directory.

A newsletter just for you

You can also subscribe to our 1Password App Extension Developers newsletter. We’ll send you an occasional newsletter containing 1Password App Extension news, updates, and tricks, to help you realize the full potential of the 1Password Extension API in your iOS apps.

If you have any questions, you can comment on our GitHub project or email support+appex@agilebits.com. I look forward to talking to you!

DevBits header

Improved locking in 1Password 5.5 for iOS

Security and convenience

One of the coolest features in 1Password for iOS is the extension. For nearly a year, it’s been really easy to log in to participating apps without having to copy and paste usernames and passwords. Shopping in Safari is also a breeze, now that you can add items to your cart, then fill in your credit card and address with just a couple of taps. The icing on this cake is that you can log in to 1Password using Touch ID instead of tapping out a PIN or your entire Master Password over and over again.

Integral to the extension is the 1Password Lock Service, which determines how often you’re prompted to unlock the app and whether you’re prompted to use quick unlock (Touch ID or PIN Code) or your full Master Password. Thanks to the feedback you’ve provided, the Lock Service has gone through a couple of transformations since iOS 8 was released last fall. The latest update to 1Password is no exception and includes some major improvements that we’re sure you’ll love!

Touch ID: The star of the show

When Apple announced Touch ID on the iPhone 5s in 2013, we knew it would be the perfect way to unlock 1Password for iOS quickly and securely. It took a year before we were able to integrate it, but it was definitely worth the wait!

1Password for iOS Touch ID lock screen

In previous versions of 1Password, cancelling the Touch ID prompt cleared your Master Password from the iOS Keychain, which meant that you would have to enter your Master Password before you could use Touch ID again. This was inconvenient, especially when your goal was just to dismiss the Touch ID prompt without unlocking 1Password.

In version 5.1, we decided to force quit the main app and dismiss the extension when the Touch ID prompt was canceled. It seemed like a good idea, but it was confusing because it looked like the app was crashing. So we went back to the drawing board.

In 1Password 5.5, canceling Touch ID will cause 1Password to display the Master Password prompt, but your password won’t be cleared from the iOS Keychain. This means that you will be able to use Touch ID the next time you open 1Password without typing your Master Password; all you need to do is to tap the fingerprint icon to bring up the prompt.

1Password 5.5 for iOS Master Password lock screen with Touch ID icon

Lock Service: Centralized and better than ever

In 1Password 5.5 for iOS, we have created a “central” Lock Service that is shared between 1Password and its extension. The extension will now use the settings you have specified in the main app. Additionally, when you unlock the 1Password extension, you will also unlock the main app (and vice versa). Those of you who use 1Password on Mac will probably notice that this is similar to the way 1Password and 1Password mini lock and unlock in unison.

As long as you have Lock on Exit disabled, you will no longer be prompted to unlock 1Password moments after you unlock the extension in Safari. Depending upon your Auto-Lock settings, it may be as long as an hour before you’re prompted to unlock 1Password again.

1Password 5 for iOS security settings

iOS Keychain + 1Password Extension = ❤️

In previous versions of 1Password, the extension never saved the Master Password to the iOS keychain. This meant that if your Master Password were cleared from the iOS keychain (like when you restart your iPhone or iPad), you would have to launch the main 1Password app and enter your Master Password before you’d be able to use quick unlock. Entering your Master Password in the extension would allow you to access your vault, but you’d have to keep reentering your Master Password until you finally unlocked the main 1Password app.

Now it doesn’t matter if your Master Password is cleared from the iOS keychain! If you have quick unlock enabled, you’ll just need to enter your Master Password in either the extension or main app—once. After that, you’ll be able to use quick unlock until the next time your Master Password is wiped from the keychain.

It’s taken some time and experimentation to get the main 1Password app and the extension working together just so, but we think our latest changes offer a balance of security and convenience. We hope you’re as happy with this update as we are! We’d love to hear your thoughts in the comments and in our discussion forums.

1Pi icon 1024

1Password 5.5 for iOS: The Fun in the Sun Edition

While all the AgileBits kids have been having a fun- & sun-filled summer vacation, our development, docs, and support teams have been toiling away in our air-conditioned nerd caves to bring you the best 1Password for iOS release since the last one!

Our focus for this release was keeping your security as convenient & refreshing as an ice-cold drink on a hot summer day. Let’s take a sip from the improvements to Vaults, Touch ID, the Extension, and the Apple Watch app.

Switching it up

Multiple vaults are the best way to keep different parts of your life secure, without a ton of clutter. We all have our personal data, family vaults, and even work accounts to keep safe & organized.

We’ve made switching between these roles of your life super simple with an all-new vault switcher. Simply tap the new Vault icon in the upper left to get the quick switcher. Select a vault and you are instantly switched to it.

OPI-55-Vault-Switch

Touchable on demand

In the olden days (meaning yesterday), if you opened 1Password and then tapped Cancel on the Touch ID prompt, 1Password would switch to the Master Password prompt. For your security and convenience, the new Master Password prompt is more flexible: now when you tap Cancel, there is a fingerprint icon on the Master Password screen. Simply tap this icon to immediately restore Touch ID.

Note: If you restart your device, or the Master Password timeout is reached, this new icon will not appear, as the Master Password will still be needed in those situations.

OPI-55-TouchID-Restore

Improved short-term memory

The extension and the main app now share unlock settings, so when you unlock the main app, the extension will remember this and use Touch ID.

Again, restarting the device or reaching a Master Password timeout will still require you to enter your Master Password.

Never drop a PIN again

Unique passwords are great for your logins, and unique PINs for your credit cards are also fantastic. Remembering them? Not so much.

Credit Card items on Apple Watch will now show the PIN field. The next time you buy chips & salsa with your credit card you can take a quick look at your wrist for your purchasing needs.

Closing the Vault

There are many more improvements and fixes in 1Password 5.5 for iOS, and you can check them all out in the release notes or in the in-app Message Center, located in Settings.

While I need to close up the vault for this release, the team can’t wait to show you all the great things we’re working on for the next one! In the meantime, we’d love to hear your thoughts. Leave your comment here, in our discussion forums, on Twitter/ADN, or on Facebook.

DevBits header

Accessibility in 1Password for iOS

At AgileBits we believe that everyone should be secure online. That means we want 1Password to be usable by as many people as possible. We have worked hard to implement many features that make 1Password more accessible. In this post I will explain some of the technologies we’ve taken advantage of to improve accessibility in 1Password for iOS.

What We Have Done

While our efforts are ongoing, here are some of the areas in 1Password where we offer accessibility features.

Colour Vision Deficiency and Password Readability

You may have noticed that when viewing a password, 1Password colours numbers and symbols differently. This is not only for convenience. We have carefully chosen colours easily seen by those who have trouble distinguishing different shades of a colour. We have tested for deficiencies related to protan, deutan, and tritan.

Those with achromatopsia (no ability to distinguish colour) must rely on character shapes to tell them apart. 1Password therefore offers a choice of fonts to make it easy to distinguish between the letter o and the number zero; and between lowercase l, capital I, and the number one.

colouredpasswordcropped

Large Type

Sometimes you have to enter a password on another device that cannot run 1Password (e.g. a combination lock, employer’s computer, etc.). For this reason, we provide the large type feature that, when activated, displays the password as large as possible for easy reading when entering it elsewhere.

largetype

Dynamic Type

iOS provides a great feature called dynamic type. This allows apps to dynamically adjust the size of text to user settings. You can experiment with dynamic type in the iOS Settings app in General > Accessibility > Larger Text.

As a developer, it’d be too easy just to turn the feature on and leave it at that. But that would result in text that grows too large for the screen and ends up getting truncated to the point that it is unreadable, or it would push interface elements so far out of the way that they are unusable. Less important text could also crowd out more important text.

We’ve taken care to limit text size where necessary and ensure inevitable truncation happens such that the most important part of the text is still shown. We’re even looking at ways to rework the UI when the text is too large to fit.

dynamictype

VoiceOver

Apple has a fantastically comprehensive voice-over system in iOS. In 1Password we take advantage of that by ensuring all of our interface elements and data values are properly labeled for accessibility so VoiceOver can read them aloud in a context that makes the app more usable. We have also minimized redundancies in describing the interface to make sure relevant interface elements are described quickly and effectively. To keep your passwords secure, 1Password will not read your passwords aloud unless you explicitly request it.

Work in Progress

As interfaces in software change and new features get added, accessibility support can change too. If there’s an accessibility feature you would like to have, or something you feel is not implemented as well as it could be, please let us know! We welcome feedback and want to make 1Password more usable for all of our awesome users!

1Password for Mac logo

Adventures in beta testing: 1Password, El Capitan, and iOS 9

Let’s talk about betas. Specifically, let’s talk about Apple’s operating system betas. It used to be that you had to be an active member of the Apple Developer Program to get access to the betas. Last year, Apple launched a beta software program that enables anyone to sign up to test-drive pre-release versions of OS X. This year, for the first time, anyone can sign up to evaluate iOS 9 beta in addition to OS X 10.11 El Capitan beta.

Newshiny

There’s something thrilling about using beta software. It’s exciting to experience the software development process, with frequent updates that fix and improve things before our very eyes. It’s gratifying to participate in that process, seeing our bug reports get resolved and change requests considered and sometimes implemented. I don’t know about you, but I love feeling like I’ve helped make an improvement from which everyone using the software will benefit.

Hark, the cheers from developers far and wide

One of the most difficult things for software developers is getting the feedback they need before an application version goes public. This is because the pool of beta testers is generally so small. We could think everything is just fine, and then it gets out there and—BOOM—suddenly there are all these edge cases that never came up during the beta, because there are so many more people using it.

Public betas can be a real boon to developers, in that they help to increase the size of the beta pool and the degree to which the beta application is tested.

Hard hats required

under construction

Perhaps you remember those “Under construction” images from the early days of web publishing? It’s a very real metaphor for beta software. The most important thing to remember1 is that beta software is incomplete. Some things will not be implemented yet, some will be broken, and some may cause unexpected system kerfufflery.

Here are a few tips to help make your beta experience safe and enjoyable:

Spare a square

Ideally, beta software should be installed on spare hardware. If you have only one Mac, you can install El Capitan beta on separate partition of your Mac’s hard drive. If the iPhone you use every day is your only iOS device, it’s probably best not to install iOS 9 beta. If you have a non-critical iPad or an iPod touch, that would be a good place to install the beta.

Back that thang up

I know some of you are going to ignore me completely and install the betas on your mission-critical devices. Before you do that, please make sure to create a reliable backup!

We hear you

Your feedback is indispensable. If you notice anything wonky, be sure to report it to developers. I’ve seen beta issues reported in App Store reviews. While developers certainly read those and learn from them, they have no way of reaching out to the customer to help. It is best to contact developers directly with your beta feedback.

If you’re using 1Password beta, we have dedicated beta discussion forums. The beta forums are monitored by our developers and our support team is around to help you seven days a week!

If something you report isn’t immediately addressed, don’t worry. Developers may not be able to do anything about it just yet. Rest assured that the issue will be resolved as quickly as possible.

1Password 5, El Capitan, and iOS 9

I’m happy to tell you that we have thus far encountered no major issues in our testing. I have noticed a couple of graphical and layout issues in El Capitan beta, but it’s too early to tell whether the issues are in 1Password 5 for Mac or in El Capitan beta. We don’t want to spend time fixing something that may not actually be broken on our end, so for the moment we’re waiting to see how things pan out. We’ve documented the issues so we don’t lose track of them.

How to test 1Password beta for Mac

You are warmly invited to join our family of beta testers. The more, the merrier! 1Password 5.4 beta for Mac doesn’t require El Capitan beta, but it does require that you use the AgileBits Store version of 1Password, not the Mac App Store version. It’s very easy to switch over, but you will not be able to sync with iCloud.

How to test 1Password beta for iOS

Apple’s TestFlight Beta Testing program enables developers to extend a limited number of invitations to customers. There has been a great deal of interest in 1Password beta for iOS, and we are not looking for additional testers at this time. You can be the first to hear about opportunities to join our beta family for iOS by following @1PasswordBeta on Twitter.

1Password beta for Mac does not require 1Password beta for iOS.

1Password happy face

Have fun!

I lied earlier. The most important thing is to have fun, but keeping in mind the foibles of beta software and protecting yourself against them are a close second. =)

Security

1Password inter-process communication: a discussion

Recently, security researcher Luyi Xing of Indiana University at Bloomington and his co-authors released the details of their research revealing security vulnerabilities in Apple’s Mac OS X and iOS that allow “a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome.”  It has since been described in the technology press, including an article in the Register with a somewhat hyperbolic title. I should point out that even in the worst case, the attack described does not get at data you have stored in 1Password.

The fact of the matter is that specialized malware can capture some of the information sent by the 1Password browser extension and 1Password mini on the Mac under certain circumstances.  But roughly speaking, such malware can do no more (and actually considerably less) than what a malicious browser extension could do in your browser.

For 1Password, the difficulty is in fully authenticating the communication between the 1Password browser extension and 1Password mini; however, this problem is not unique to 1Password. The difficulty of securing inter-process communication on the operating system is a problem system-wide. A recent paper, “Unauthorized Cross-App Resource Access on MAC OS X and iOS” (PDF),  by Luyi Xing (Li) and his colleagues shows just how difficult securing such communication can be. Since November 2014, we’ve been engaged in discussion with Li about what, if anything, we can do about such attacks. He and his team have been excellent at providing us with details and information upfront.

As always, we are limited in what we can do in the face of malware running on the local machine. It may be useful to quote at length the introduction of that article

I have said it before, and I’ll say it again: 1Password […] cannot provide complete protection against a compromised operating system. There is a saying […] “Once an attacker has broken into your computer […], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

In practice, however, there are steps we can and do take which dramatically reduce the chances that some malware running on your computer [could obtain your 1Password data].

That was written more specifically about  keystroke loggers, and there are some things that set the new attack apart. Like superficial keystroke loggers it doesn’t require “admin” or “root” access, but they were able to sneak a proof of concept past Apple reviewers.

The threat

The threat is that a malicious Mac app can pretend to be 1Password mini as far as the 1Password browser extension is concerned if it gets the timing right. In these cases, the malicious app can collect Login details sent from the 1Password browser extension to the fake 1Password mini. The researchers have demonstrated that it is possible to install a malicious app that might be able to put itself in a position to capture passwords sent from the browser to 1Password.

Note that their attack does not gain full access to your 1Password data but only to those passwords being sent from the browser to 1Password mini. In this sense, it is getting the same sort of information that a malicious browser extension might get if you weren’t using 1Password.

Background

1Password provides its own security. What I mean by this is that for the bulk of what we do, we don’t generally rely upon security mechanisms like sandboxing or iOS Keychain. So it doesn’t matter whether those sorts of security measures provided by the operating system fail.

The careful reader will note, however, that I used phrases like “for the bulk of what we do” and “don’t generally rely upon” in the previous paragraph. There are some features and aspects for which some of 1Password’s security makes use of those mechanisms, and so vulnerabilities in those mechanisms can allow for harm to us and our customers.

1Password mini listens to the extension

Application sandboxing is a good thing for security. But it limits how the 1Password browser extension can actually exchange data with 1Password itself. Indeed, the extension (correctly) has no direct access to your data. Keeping your data out of the browser (a relatively hostile environment) is one of our security design choices. But this does mean that the 1Password browser extension needs to find a way to talk to something that does actually manage your data. 1Password mini (originally the 1Password Helper) was invented for this purpose.

One of the few ways that a browser extension can communicate locally is through a websocket. Browser extensions are free to talk to the Internet as a whole, but we certainly don’t want our browser extension doing that; we only want it talking to 1Password locally. So we restrict the browser extension to only talking to 1Password mini via a local websocket.

Mutual authentication

Obviously we would want 1Password mini and the browser extension to only talk to bona fide versions of each other, so this becomes a problem of mutual authentication. There should be some way for 1Password mini to prove to the extension that it is the real one, and there should be a way for the browser extension to prove to 1Password mini that it is a real 1Password browser extension.

The difficulty that we face is that we have no completely reliable mechanism for that mutual authentication. Instead, we employ a number of separate mechanisms of authentication, but each has its own limitations. We have no way to guarantee that when the browser extension reaches out to 1Password mini it is really talking to the genuine one.

There are a number of checks that we can (and do) perform to see if everyone is talking to who they think they are talking to, but those checks are not perfect. As a result, malware running on your Mac under your username can sometimes defeat those checks. In this case, it can pretend to be 1Password mini when talking to the browser extension and thus capture any information sent from the 1Password browser extension that is intended for the mini.

What can be done

Neither we nor Luyi Xing and his team have been able to figure out a completely reliable way to solve this problem. We thank them for their help and suggestions during these discussions. But, although there is no perfect solution, there are things that can be done to make such attacks more difficult.

What you can do

1. Check “Always Keep 1Password Mini Running” in Preferences > General

In the specific attack that Luyi Xing demonstrates, the malicious malware needs to be launched before the genuine 1Password mini is launched. By setting 1Password mini to always run, you reduce the opportunity for that particular attack.

keep mini running

 

 

2. Keep using the 1Password browser extension

Although what is described is an attack against the communication between 1Password mini and the browser extension through specialized malware, using the 1Password browser extension protects you from a more typical malware attack of pasteboard/clipboard sniffers. Likewise, the 1Password extension helps fend off phishing attacks because it will refuse to fill into pages that don’t match the domain for your saved Logins.

Quite simply, the 1Password extension not only makes life easier for you, but it is an important safety feature on its own.

3. Pay attention to what you install

As always be careful about what software you run and install on your system. On your Mac, open System Preferences > Security & Privacy > General. You’ll see an Allow apps downloaded from: setting there. We strongly recommend confirming that this setting is configured so that only apps from trusted sources can be opened. You can read more about the setting and its options on Apple’s support site.

Now Xing and his team point out that this isn’t a guaranteed way to prevent malware being installed. They were able to get a malicious app approved by the Mac App Store review process. However, I think it is reasonable to assume that now that Apple reviewers know what to look for, it will be much harder for that specific kind of malware to get through.

What we can do

There are additional (defeasible) mechanisms that we can add to our attempts at mutual authentication between the extension and 1Password mini. I will briefly mention a few that we’ve considered over the years.

Encryption with an obfuscated key

One option is to have a shared obfuscated key in both 1Password mini and the extension. (Remember that the browser extension never sees your Master Password so any secret it stores for authentication cannot be protected by your Master Password.)

Obfuscation only makes things harder for attackers until someone breaks the obfuscation, and every system designer should assume that obfuscation will be broken. See our discussion of Kerckhoffs’ Principle in our article, “You have secrets; we don’t,” for some background on why we tend to be reluctant to use obfuscation. Of course, it may be warranted in the absence of a more effective alternative, so this remains under consideration.

In anticipation of a likely suggestion, I should point out that even the magic of public key encryption wouldn’t save us from having to rely on obfuscation here; but I will save that discussion for our forums.

Using the OS X keychain

Another option would be to store authentication secrets in the OS X keychain, so that both our browser extension and 1Password mini would have access to it. This could be made to work for authenticating 1Password mini to the extension for those browsers that allow easy use of the OS X keychain.

This might solve half the problem for some browsers, but to date we’ve been focusing on solutions that work across all of the browsers we support.

An extreme solution

In the extreme case, we could have some explicit pairing (sort of like Bluetooth) between 1Password mini and the extension.  That is, the browser extension may display some number that you have to type into 1Password mini (or the other way around).  With this user intervention we can provide solid mutual authentication, but that user action would need to be done every time either the browser or 1Password mini is launched.

Quite frankly, there is no really good solution for this. To date, our approach has been to put in those authentication checks that we have and keep an eye out for any hints of malware that exploits the known limitations of what we do.

Is 1Password for iOS affected?

The research paper isn’t limited to discussing inter-process communication (IPC) that is done through websockets, but covers a wide range of mechanisms used on Apple systems. This includes some mechanisms that we may use for some features in 1Password for iOS.

Shared data security

1Password for iOS shares some of its data with the 1Password app extension. As most of that data is encrypted with your Master Password, it is not a substantial problem if that data becomes available to attackers. The exception, of course, is the TouchID secret.

As yet, we have not had a chance to test whether there is any exposure there, but watch this space for updates.

Conclusion

We truly are grateful for the active security community, including Luyi Xing and his team, who take the time to test existing security measures and challenge us to do better. Our analysis of the researchers’ findings will continue and we will post an update if further action is necessary.

because we love you sale, feature image

The Because We Love You Sale

UPDATE: The Because We Love You Sale will be ending the evening of May 27, 2015.

Everything we do here at AgileBits is with you in our hearts & minds: whether it’s sharing tips & tricks to enhance your security, squashing bugs & implementing exciting new features, or answering your questions in our Support Forums, our focus is always on you.  And every once in a while we like to go all out and show how much we appreciate you by having a good old-fashioned sale.

We usually like to focus a sale around a holiday or a release from a certain California-based fruit company, but today we were searching for another reason to celebrate. So we gathered our crack marketing team around the MacBook and started brainstorming ideas:

  • Dinosaurs are awesome! Okay, maybe we’re just really excited for that new prehistoric blockbuster that’s coming soon to a theater near you.
  • Someone on the team had a birthday! It’s true, there’ve been a number of May birthdays here at AgileBits, but we’ve already overdosed on sugary frosting.
  • Baseball’s back! But really, we just wanted to sing “Take me out to the ballgame.”
  • Spring is here?  It’s been done a billion times before.  Boring.
  • We love you! Oh, there it is. What better reason do we need than just to simply say…

we love you. And to show how much we care, we’re knocking 30% off 1Password across the board on Mac, Windows, iOS, and Android.

While our love for you will last forever, this sale won’t. So if you or someone you love has been holding off on buying 1Password, now is the time to say, “I love you, too.”

You can pick up a Mac/Windows bundle (or grab them separately) on our AgileBits Store. 1Password for Mac is also available on the Mac App Store. And 1Password for iOS is on the iOS App Store, and 1Password for Android on Google Play.

Watch-on-wrist

1Password for Apple Watch: Putting Security Within Arm’s Reach

1Password for Apple Watch 01Today’s the day! A number of you (and a number of us) are finally going to be able to play with the latest and greatest addition to our gadget family: Apple Watch. No doubt, once you have sent your heartbeat to someone, put in your height and weight measurements for fitness tracking, and marveled at just how cool the haptic feedback is, you’re going to start playing with all the apps that have added support for Apple Watch. As you may have noticed from our latest iOS update, 1Password is one of those apps. We’re thrilled to introduce 1Password for Apple Watch and answer all of your burning questions about this handy little companion app to 1Password for iOS.

Is all of my 1Password data on my watch?

Add to Apple WatchNope! Much like Apple Watch is a companion device to your iPhone, 1Password for Apple Watch is a companion app to 1Password for iOS. After you enable Apple Watch functionality in 1Password’s settings, a new option will appear on the item detail screen which will allow you to “Add to Apple Watch”. You choose which pieces of information you want to make available on your Apple Watch. Logins, Passwords, Credit Cards, and Secure Notes are all fair game to add to Apple Watch.

What am I going to use this for?

When Apple Watch was announced, we immediately began brainstorming ways to bring 1Password to this incredibly personal device. Our first idea was a bit of a no-brainer: the small screen of Apple Watch, coupled with being able to access it quickly, made it the ideal place for one time passwords (TOTP). For a long time that was all our Apple Watch app did; however, after some more thought we realized it could be used for so much more.

As a recent blog post explains, 1Password can be used to store all kinds of information beyond website logins. Locker combinations, bike lock combinations, garage door codes, office keyless entry codes, banking PINs…. All of these pieces of information can be stored in 1Password, and with the introduction of Apple Watch they can now be stored on your wrist.

This is where 1Password for Apple Watch shines: Small pieces of secure data that you need throughout your day can literally be kept within arm’s reach at all times.

Store your locker combination on your Apple Watch.

Store your locker combination on your Apple Watch.

1Password for Apple Watch can ensure that your door's unlock code is always handy.

1Password for Apple Watch can ensure that your door’s unlock code is always handy.

Ok, I’m in! How do I get started?

We have a much more detailed User Guide that goes in-depth on how to set up 1Password for Apple Watch, but we’ll give you the 30,000 foot view of it here.

Step 0: Ensure you have set a device PIN code (or, preferably, a longer, more secure passphrase) and that you have purchased our Pro Features.

Step 1: Open 1Password for iOS and tap on Settings > Apple Watch > Enable Apple Watch. Set a PIN code for use on Apple Watch, and you’re good to go.

Step 2: Add an item to your Apple Watch by tapping on “Add to Apple Watch” in the item details screen.

There is no step three! (And no, we didn’t cheat by starting at zero).

Well this sounds lovely

We hope you love using 1Password on your Apple Watch as much as on all of your other devices! How will you use it to help keep all of your bits of information easily accessible? Leave a note in the comments and let us know.

1P iOS icon 1024

1Password 5.4 for iOS: The “Go Go Gadget Watch!” Edition

watchdrawn_2xYou’ve come to love 1Password as the handiest of multi-tools on all your gadgets: your computer, your phone, your tablet…and now, your watch.

That’s right, 1Password for Apple Watch is here, ready to save the world (and, more importantly, your time)!

You don’t need to be an intrepid inspector (or a precocious crime-solver in pigtails) to appreciate the awesomeness of having 1Password on your wrist. 1Password for Apple Watch helps you find the little pieces of secret info you need every day, quickly and easily. If you need the code to open your garage door, one of your one-time passwords, or to look up the Konami Code for those extra lives when playing Contra, 1Password is right there for you.

After a couple months of diligently attending the gym, you’ve earned a coveted private locker. Of course, remembering your locker combination is probably not a priority when you’re counting reps. But if you store that combination in 1Password, it only takes a couple of taps for you to see the combination in 1Password for Apple Watch when you’re back at your locker.watch-locker-use-case

You don’t have to be a secret agent on a mission to see how 1Password for Apple Watch is the best partner your wrist could ask for. No matter what you need to have with you, 1Password for Apple Watch is there.

We’d love to know what sort of items you’re most excited to add to your new Apple Watch! Let us know in the comments or in our discussion forums.

1Password for Apple Watch is included at no additional cost for owners of the Pro Features. If you don’t yet have the Pro Features you can find them in Settings > Pro Features for $9.99.

Hand-Polished 18-karat Cogs & Sprockets

1Password 5.4 for iOS isn’t all about Apple Watch. Our quartermasters have made some other refinements to the app as well. Based on your feedback, the Message Center now has a button to mark everything as read. We also added a toggle to remove the unread badge from the settings tab. We hope you enjoy the tips we’re sharing with you via the Message Center, but this improvement will ensure it’s not distracting you during important covert missions.

1Password’s memorization skills have been fine-tuned, and it will now remember whether you were viewing Favorites or Categories and take you back there when you reopen the app.

With the 5.4 update for 1Password for iOS, quickly accessing your secure information is easier than ever, whether on your wrist, or in your pocket.

Go Go Gadget Ears!

If you want to learn more about 1Password for Apple Watch, the Chief has a message for you. Don’t worry, this one won’t self-destruct! Sign up for our Apple Watch newsletter to get relevant communiques sent directly to your inbox!

Update 2015-04-15: Changed a use case example. 

1Password 4 for iOS icon

1Password 5.3 for iOS: The Extended Brainiac Edition is out!

This major, free update to 1Password for iOS is so awesome, we thought about pulling a Harry Potter and releasing it in two parts. But when Apple told us Daniel Radcliffe wasn’t available, and they didn’t even have his number in the first place, we just had to give it all to you at once.

A 400 percent better App Extension

1P iOS 5.3 App Extension CC Identities borderYou know how our App Extension can fill Logins into Safari, our own 1Browser, and hundreds of other apps with a single tap? Now it can also:

  • fill Identities
  • fill Credit Cards
  • create new Logins when you’re signing up for new services
  • show all Logins if none are found for the current app (App Extension only)

It’s all in the name of saving you even more time when logging in and now filling long forms and shopping carts.

A brand new Brain

We affectionately call 1Password’s under-the-hood tools and form-filling logic the “Brain,” and we gave it a huge upgrade in 5.3. It’s much smarter about matching websites and subdomains and fills forms even faster.

We need to talk

OPI 5.3 Message Center

There is so much great stuff going on with 1Password that we added a new Message Center to keep you in the know. It brings you 1Password news and tips right in our in-app Settings. Don’t worry, Push Notifications need not apply.

So, so much more

We added Large Type so you can view usernames and passwords in Jumbo Size, and we fixed a couple Zoom Mode bugs and a crash for iPhone 6 Plus users. Truly, there is a mountain of improvements you can check out in the full release notes.

Our free 1Password 5.3 for iOS update is now live in the App Store, so take it for a spin and let us know what you think on TwitterFacebook, and in our newly redesigned forums!