iOS 9.2 adds 1Password to many new apps

During WWDC this year, Apple announced SFSafariViewController. This was really exciting news for us. Just imagine: if a third-party app used Safari as its in-app browser, that would mean that 1Password could fill Logins automatically without developers doing any extra work!

SFSafariViewController was introduced to everyone in iOS 9. Immediately, we began receiving reports from customers about 1Password disappearing from their favourite apps! It turns out that the JavaScript we were using couldn’t be executed in SFSafariViewController. We did some work on our end to address this issue and also reported it to Apple. Then, we waited.

Patience is a virtue

A Very Rad Holiday

One day in late October, while I was on vacation in a place where Internet access was scarce, Slack exploded with mentions from my colleagues about 1Password automatically working in many new apps when using the new iOS 9.2 beta. There I was, with an Internet connection barely good enough to check my email, and with no way to download the new iOS and Xcode beta goodies. All I could do was wait. And wait. And wait. It was the first time I ever wished that my vacation would end sooner!

Yay! Thank you, Apple!

Finally I returned home and was able to verify the amazing news: the 1Password App Extension API will simply appear in all Safari View Controllers in any app! After spending weeks working on this, I was ready to buy everyone at Apple a beer.

Let’s have a look at how this actually works. In the following example, you can see how easy it is to use 1Password to add your account to Tweetbot, one of the most popular Twitter clients.

What’s even more awesome is that Paul (the developer of Tweetbot) didn’t need to do anything to enable this feature. It just works! If you are an app developer, users of your app simply have to make sure that the 1Password App Extension is enabled.

To enable 1Password in apps, simply set up 1Password. It will then appear as an option on the share sheet, where it can be toggled on and rearranged. For illustrated, step-by-step instructions, please see our user guide.

1Password ❤ App Developers

The 1Password App Extension offers iOS app developers the opportunity to provide a simple and secure login experience. If your favourite iOS app prompts you to log in and doesn’t display the 1Password icon, reach out to the developer and direct them to our Dev Outreach page. They’ll be amazed by how easy it is to integrate 1Password into their app.

If you’re a developer and have already added the 1Password app extension to your iOS app, thank you; you’re awesome! Please don’t forget to submit your app to our Apps ❤ 1Password directory.

1Password developer newsletter

iOS app developers are invited to subscribe to our 1Password App Extension Developers newsletter. We’ll send you an occasional newsletter containing 1Password App Extension news, updates, and tricks, to help you realize the full potential of the 1Password Extension API in your iOS apps.

If you have any questions, you can comment on our GitHub project or email support+appex@agilebits.com. I look forward to talking to you!

1Password and your browsing habits: What we don’t know can’t hurt you

There are some things that we would love to know about people who use 1Password. Some of that information would be useful in improving 1Password, some might just be interesting statistics about our users. Here are a few things we might want to know:

  • What sites are among your 1Password data
  • When, how often, and from which IP address you use 1Password to log in to particular websites
  • Which new Logins you save
  • How often and where you fill credit card data

Knowing such things about our customers would help us focus our development efforts on the things that people want to use most. But here is the point of this article: We do not have that information and we have built 1Password so that it would be hard to even collect that information. Our principle of Private By Design means that we don’t know many things. This is for your benefit.

We have no such data

Despite our curiosity and the usefulness of such data, we have designed 1Password so that we can never see that information. We’ve written before about how our security architecture protects your privacy (see Private By Design and the opening sections of our 1Password for Teams white paper [PDF]), but I will highlight some of its points below.

The importance of knowing nothing

One of our design principles is based on the fact that we cannot lose, use, or abuse data that we never have. We believe that you should be in control of your data and that your use of your data is your business. To the extent possible, we have built 1Password in such a way that not only do we not retain data about your use of 1Password, but we make it hard to even obtain such data.  We have also chosen not to include any in-app analytics tools within 1Password.

Some of this is basic security design. Our design principle isn’t radical in theory, but it can be difficult to implement. For example, our underlying data synchronization system would be much simpler if we allowed ourselves to know which sites you are logging in to when you log in to them. But because we do not want to ever know that information, we have had to put in more intricate machinery.

I should also acknowledge that some of our design principle is motivated by cowardice. We do not want our servers and systems to be heavily attacked, so we have designed our systems such that we have little worth stealing. Our cowardice here works to protect your privacy and your security. Cowardice can be a virtue.

Example: We can’t watch from the Watchtower

A relatively simple example of our privacy mechanism is how Watchtower works in 1Password for Mac and Windows. 1Password does not send a query to our server to ask, “Is site X in the Watchtower database? What does it report?” If we had built it that way, our server logs would be able to determine exactly which sites are in your 1Password data. Instead, 1Password fetches all of the information needed by Watchtower on your computer. Every instance of 1Password is fetching the same data file in a way that does not depend on which Logins you have.

Security designs matter

I would like to step back and look at a picture that is perhaps even bigger than the privacy matters discussed here. Please indulge me in my musings.

We are proud of the overall security design of 1Password, and we certainly like to talk about it. Yet very understandably most people are not going to look at the subtleties of the design and its implications. As a consequence, some of the things that we think are the biggest security benefits of 1Password are invisible to users, and so we occasionally hit you with articles like this.

Sometimes our security design makes certain “features” irrelevant and inapplicable. See Authentication v Encryption for a discussion of one such feature. Sometimes, as in the example of Watchtower described above, it means that we have to work harder to put a feature in place than we would have if we’d used a different security design. But even when we have to work harder, we believe that our security design is the better choice. To maintain a privacy-preserving security architecture we are happy to do the extra work.

Secure all the things in Secure Notes

The more I use 1Password, the more uses I think of for it. Of course, all my usernames and passwords are stored in the app, and I can’t tell you how much I love signing in to an iOS app that has enabled the 1Password app extension. It’s downright magical. If that’s all 1Password ever did for me, I’d be more than satisfied. But as 1Password has grown and developed, it’s given me so many wonderful options for keeping all kinds of data secure and sorted. For a girl who loves organization, it’s a dream come true!

One of my favourite improvements to 1Password is the Secure Notes category. With custom fields (and custom icons!), I’ve got my very own customizable database for any type of information I want to keep secure yet easily available. I want to share with you just how awesome this category can be, so here are a few of my favourite uses for Secure Notes.

Family medical history

Secure Notes: Medical info

Do you remember your complete medical history? How about your partner’s, your child’s, or your pet’s? I store information about each family member’s allergies, prescriptions, previous surgeries and other important details in a Secure Note shared in my family vault. Custom fields help me keep all the details nicely sorted, and the custom icons make these entries easy to recognize! I hope it’s never necessary, but it’s great to know that it’s available there, just in case.

Taxes

Secure Notes: Taxes

Thankfully, we only have to deal with taxes once a year. But that infrequency can lead to a lot of forgetfulness. There are all sorts of identifying numbers associated with filing taxes, even more if I want to file online. In years past, I have had to dig through my not-so-awesome paper filing system to locate all those details. Now I’m building a Secure Note with all my tax information, including a list of charitable donations and other relevant deductions I know I’ll want to remember. I can even attach PDFs of previous tax returns and necessary forms for reference. I’m dreading tax season less already!

Insurance Policies

While we’re talking about fun stuff, do you know your insurance policy details? Whether it’s for your home, car or health, this is the sort of information that you don’t really need—until it’s really, really necessary. In my mind, this is exactly what the Secure Notes category in 1Password was designed for. Knowing that this data is secure and available when I need it gives me a whole lot of peace of mind.

Hardware database

Secure Notes: Hardware

It’s the age of technology, and we all have a wonderful collection of gadgets and gizmos to help us do our jobs and entertain us throughout the day. And each of those gadgets comes with warranty information, user guides and an array of important details. If that information gets stored in my “filing cabinet” (ok, it’s just a box with a bunch of loose papers at this point) it may as well go in the recycling bin. Now 1Password is my go-to database for all my hardware information from cameras and iDevices to game consoles and home appliances. Very neat and tidy.

Where is that thing?

I work with some really smart people. A while back, Mitch shared an awesome idea for Secure Notes. In his blog post, he talks about training 1Password to remember where you’ve stored physical things that are hardest to find when you need them, like a passport or winter gloves. I’m still geeking out over it!

I’m amazed by how powerful custom fields have made the Secure Notes category. I use them so much that I could probably talk to you about them all day. But I’d rather hear from you. Have you used this feature to simplify your life? Please share your story in the comments.

How 1Password for Teams protects your secrets

Since this is my first AgileBits byline, allow me to introduce myself. Last month, I joined the awesome security team here at AgileBits. I’m super excited to work with Jeffrey Goldberg, our Chief Defender Against the Dark Arts, and Jessy Irwin, our resident Security Evangelist. I aim to review product security and keep bad things from happening to good people. In addition, I write readable things: I’ve got a number of blog posts on deck that I look forward to sharing with you fine folks.

With pleasantries exchanged, let’s talk about 1Password for Teams, and about how your privacy and the security of your data are of the utmost importance to us. We are able to offer the great new features of 1Password for Teams by providing it as a service. If you are using 1Password but don’t have a 1Password for Teams account, your existing vaults remain unchanged, whether you sync them using Wi-Fi, Dropbox or iCloud. While we have made some significant changes to how your data is stored in 1Password for Teams, our commitment to security and privacy has not changed.

How 1Password for Teams keeps your data safe

When we set out to build 1Password for Teams, our first concern was that our cryptography and security be absolutely top notch. I mention them both because they work hand in hand to keep your data secure. We opted for security that is enforced by cryptography instead of software or personnel policy.

Cryptography is what makes your data completely worthless to hackers. It is our cryptography that ensures that even if someone were to hack into our servers they would be able to access nothing more than a bunch of random numbers.

Security is what ensures that there are no back doors or vulnerabilities in the code. Security has to do with the assurance that certain policies are enforced by the operating system. Specifically, that there are no workarounds or back doors into our servers.

Private by Design

We take the “privacy by design” approach because we believe that we can best protect your secrets by not knowing them. It is impossible to lose, use or abuse data one doesn’t possess. Therefore, we designed systems that reduce the amount of sensitive user data we can access or acquire.

Triple-Layer Cake

1Password for Teams stores your encrypted data on our servers, but neither your Master Password nor your Account key is ever sent to our servers over any network. This means that we do not actually have the ability to decrypt your data. That is because decrypting your data requires all three of the following:

If you use 1Password, you are already very familiar with the Master Password and its role in protecting your data. Let’s talk about the other two pieces of the puzzle: the Account Key and the Secure Remote Password.

The purpose of the Account Key is to protect your data from being decrypted by someone who might access or compromise our servers. It ensures that a password-guessing attack against your data is useless: even if an attacker were to correctly guess the Master Password, the vault would not unlock.

The Secure Remote Password (SRP) is a way for both the client and the server to authenticate each other without either revealing any secrets. The SRP encrypts all traffic over the network and verifies the authenticity of the remote server before sending your information over TLS/SSL.

In Math We Trust

These three pieces of information work together to symbiotically protect your data. The Account Key strengthens your Master Password exponentially. And since it never gets sent over the network, it can’t be reset, intercepted, or evaded. In fact, I would be happy to print out a 2D barcode of all of the information in my 1Password for Teams personal vault and tape it to my front door. And if you knew me, you would know that this is a very big deal.
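The effect of the Account Key described above, as an added sketch that is not 1Password's own key derivation: a slow hash of the Master Password is combined with a second, high-entropy secret that never leaves the device, so a correct password guess made against a copy of the server's data still fails. The construction (PBKDF2 XORed with an HMAC expansion of the Account Key), the iteration count, the check value and every name and sample secret here are assumptions.

```python
import hashlib
import hmac

ITERATIONS = 20_000  # assumed work factor, kept low so the sketch runs quickly

# Constructed sample secrets for the demonstration
MASTER_PASSWORD = "correct horse battery staple"
ACCOUNT_KEY = bytes.fromhex("8f1c6a0de4b2975340a9d7e1f3056cb8")  # stays on the device
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def stretch_password(master_password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the low-entropy secret the user memorises."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS
    )


def expand_account_key(account_key: bytes, salt: bytes) -> bytes:
    """Turn the high-entropy Account Key into 32 bytes bound to this salt."""
    return hmac.new(account_key, b"account-key-expand" + salt, hashlib.sha256).digest()


def derive_unlock_key(master_password: str, account_key: bytes, salt: bytes) -> bytes:
    """Both secrets are required: the two 32-byte values are XORed together."""
    stretched = stretch_password(master_password, salt)
    expanded = expand_account_key(account_key, salt)
    return bytes(p ^ a for p, a in zip(stretched, expanded))


def make_server_record(master_password: str, account_key: bytes, salt: bytes) -> dict:
    """What the service stores in this sketch: a salt and a check value, never a secret."""
    key = derive_unlock_key(master_password, account_key, salt)
    return {"salt": salt, "check": hmac.new(key, b"vault-check", hashlib.sha256).digest()}


def unlocks(record: dict, master_password: str, account_key: bytes) -> bool:
    """True only if the derived key reproduces the stored check value."""
    key = derive_unlock_key(master_password, account_key, record["salt"])
    tag = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return hmac.compare_digest(tag, record["check"])


def guesses_that_unlock(record: dict, candidates: list, account_key: bytes) -> list:
    """Run a list of password guesses against a copy of the server record."""
    return [guess for guess in candidates if unlocks(record, guess, account_key)]


def account_key_demo() -> dict:
    record = make_server_record(MASTER_PASSWORD, ACCOUNT_KEY, SALT)
    guesses = ["123456", "password", MASTER_PASSWORD]  # includes the right password
    return {
        # The owner has both secrets on the device
        "owner_unlocks": unlocks(record, MASTER_PASSWORD, ACCOUNT_KEY),
        # Someone holding only the server record has to invent an Account Key
        "server_copy_only": guesses_that_unlock(record, guesses, bytes(16)),
        # The same guesses succeed only when the real Account Key is present
        "with_account_key": guesses_that_unlock(record, guesses, ACCOUNT_KEY),
    }


if __name__ == "__main__":
    for name, result in account_key_demo().items():
        print(name, result)
```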

Still have questions? You can read all of the details of how we secure your data and why we made the decisions we did by reading our White Paper (PDF). Please also leave us a comment below or join the conversation in our discussion forums. We love hearing from you!

1Password 6.1 for iOS: The Unity Edition

It’s been an incredibly exciting week for us. We finally shared a secret project that we’ve been working on for ages! But that’s not all we’ve been doing. Our developers have been burning the candle at both ends to ensure that the 1Password apps you know and love continue to be awesome and powerful.

Today we’ve got a great update to 1Password for iOS for you. Version 6.1 not only integrates Teams features into the app, but adds a handy All Vaults view and all sorts of polish.

You get a Team, and you get a Team…
Everyone gets a Team!

1Password for Teams in iOS: Add a new account

1Password 6.1 for iOS is our first official release with support for 1Password for Teams. Once you’ve signed up and created your team on the 1Password for Teams website, you’ll be able to pop over to the Settings tab in 1Password for iOS and add your team right to the app by using the handy QR code found on your team’s Get the Apps page.

Any vaults you add to your team will show up automatically on your iOS device (and will get added to the awesome new All Vaults view – more on that later!) Best of all, you can still use the same one password you’ve been using all along to unlock 1Password for iOS – no muss, no fuss.

As an added bonus, activating your 1Password for Teams account unlocks the Pro Features in 1Password, just for you!

Unify your life with All Vaults

1Password 6.1 for iOS: All Vaults

You already know how easy it is to share your items by using multiple vaults. 1Password for Teams makes it even easier, which for us has resulted in a number of additional vaults. While this feature is fantastic for organizing our items, it does present a challenge: Where did I save that one item? Hopping around between vaults isn’t the most fun we could be having, so we decided to do something about it: we built an All Vaults view.

The shiny new All Vaults view enables you to see all of your items, no matter which vault they’re stored in. But wait!, you say. I don’t want to see all my vaults at once!, you say. No worries, we’ve got you covered. The Settings screen now has a vault selector to let you easily choose which vaults should be included in the All Vaults view. Careful now, toggling those switches is pretty addictive! =)

Bessere Leistung! (Better performance)

Not only have we improved our translations, but we’ve also sent 1Password to the gym to handle those bigger vaults with grace and ease. There are a lot of other great refinements, as well; see our release notes for the full details.

1Password 6.1 for iOS is available now as a free update for all existing owners. Head to the Updates tab of the App Store to update to the latest version now! Got feedback? We’d love to hear from you. Add a comment here, check out our discussion forums, or visit us on Twitter or Facebook.

1Password for Teams: Getting Started (Admin)

Starting your admin adventure with 1Password for Teams

Whew! Tuesday was an exciting day for the AgileBits family. In case you missed our big announcement, we’ve been working on a great new solution that makes it super simple to share secrets securely with your team. (Say that three times fast!)

We hope you’ve already signed up to reserve your team name. We’re letting people into the beta just as fast as we can. If you’ve already gotten your golden ticket, you’re probably pretty excited to get 1Password for Teams set up. So many new and exciting things to play with, but where to start? Let’s start at the very beginning. A very good place to start.

After you’ve signed in to your 1Password for Teams account, your adventure begins on the Home page. This is where you will find the vaults you can access. Initially, you will see Your Vault and the Everyone Vault on this page. Let’s get things rolling by creating a new vault for your team.

Anything that has to do with managing your 1Password for Teams account is done in the Admin Console. Head over there by clicking the Team menu in the top right corner and selecting the Admin Console menu option.

1Password for Teams Home: Admin Console menu option

Go ahead, seize the day and create a new vault now: while in the Admin Console, click the Vaults tab. On the Vaults page, click the + button to create a new vault. There’s no limit to the number of vaults you can create, and vaults can be shared with some or all of your teammates.

1Password for Teams Admin Console: Vaults

Every excellent adventure needs a crew, so click the Invitations tab in the Admin Console to invite your team members aboard. Send out email invitations to everyone, or use the special link that 1Password for Teams generates for you.

To add a teammate to a vault, two things need to happen: they must accept the invitation you sent them, and you must approve them. Once a user has accepted their invite, you can return to the Admin Console and confirm their membership.

1Password for Teams Admin Console: Invitations

Now you’ve got your vaults and your team. You’re almost ready to take off. All you need to do is decide who gets access to which vault. On the Vaults page, select the vault you want to share and click on Manage Access. Simply select the people you would like to add to this vault and it will show up immediately on their Home page.

1Password for Teams Admin Console: Manage vault access

I hope you’ve enjoyed the guided tour so far. Continue the adventure on your own by reading the Getting Started guide for admins, and stay tuned for more posts.

If there is something in this flow that could be improved to work better for you, please let us know in the forums. These beta days are the best days to get in your bug reports and suggestions for improvement. Thanks so much for trying out 1Password for Teams Beta!

Introducing 1Password for Teams

Today I am happy to announce 1Password for Teams, an exciting new way to use 1Password within a team environment!

When a Leak Isn’t a Leak

Over the weekend Dale Myers wrote a blog post that examined our .agilekeychain format. The post featured a good discussion and analysis of our older data format, but it raised some questions among 1Password users and the wider technology community.

Dale states that he plans to continue using 1Password and has no concerns over the safety of his passwords themselves, but his main concern was how the AgileKeychain handles item URLs. While we widely documented this design decision and shared it publicly, Dale was surprised to find out that we didn’t encrypt URLs within the keychain. We want to reassure users that rely on AgileKeychain that their password data is safe and secure, and take the time to walk through our data formats to explain the issue completely.

AgileKeychain & OPVault Data Formats

Back in 2008, we introduced the AgileKeychain as a way to help our users better synchronize data across platforms and devices. At this time, 1Password had significantly less processing power to draw from for tasks like decryption, and doing something as simple as a login search would cause massive performance issues and battery drain for our users. Given the constraints that we faced at the time, we decided not to encrypt item URLs and Titles (which resembled the same sorts of information that could be found in browser bookmarks).

In December 2012, we introduced a new format that encrypted much more of the metadata. OPVault, our newer and stronger data format, provided authenticated encryption as well as many other improvements for 1Password users.

This format worked well in situations where we didn’t need to worry about backwards compatibility, including iCloud and local storage on iOS and Mac. For Windows, Android, and Dropbox syncing, however, we needed to decide if we should migrate to the new format or provide compatibility with older versions of 1Password.

We decided to take a conservative approach and not automatically migrate everyone over to OPVault because many users depend upon older versions of 1Password and they wouldn’t be able to log into their accounts. We knew we could trust the security of the AgileKeychain to protect confidential user data so we didn’t want to rush into something that would disrupt people’s workflows.

Switching to OPVault

Despite the security of AgileKeychain remaining intact, Dale reminded us that it’s time to move on. The OPVault format is really great in so many ways and we should start sharing it with as many users as possible.

We’ve already started making changes to use OPVault as the default format. In fact, the latest beta of 1Password for Windows does this already. Similar changes are coming to Mac and iOS soon, and we’re planning on using the new format in Android in the future. Once all of these things are complete, we will add an automatic migration for all 1Password users. For users who would like to switch to OPVault sooner than this, here’s how you can get started immediately:

To avoid losing access to your data, be sure to back up your 1Password data beforehand, and only follow these instructions if you are NOT using any legacy versions of 1Password. If you have any questions or concerns, or would like to migrate but aren’t sure if your version of 1Password is affected, our knowledgebase, forums and support team are here to help.

1Password 5.4 for Mac: The Convenience Edition

Picture this. You’re on your Mac, and this website is asking you to enter particular characters from your password. But your password is 50 characters of 1Password-generated gibberish; how are you supposed to find the 5th, 14th, and 32nd characters without losing your place? Wouldn’t it be amazing if 1Password could make it just a little bit easier for you?

Picture this. You’ve just found out about the great Multiple Vaults feature and excitedly set up a vault to share with your family. Awesome. But sometimes, secondary vault passwords need to be changed. Wouldn’t it be cool if 1Password made it easy for you to do that?

As of today, it can. And it does. You’ll find these and other new convenience and security features in 1Password 5.4 for Mac: The Convenience Edition, ready to download right now in the Mac App Store and from our website. Read on for the lovely details, then sally forth and download—for the low, low price of free, if you’ve already bought 1Password 5 for Mac.

Large type option now available for passwords

Easily enter specific characters from your password with the new Large Type feature. Selecting this option for your password will display it in big, friendly, colour-coded letters on your screen.

1Password 5.4 for Mac: Large Type

You already know that you can hover over a password in an item’s detail view to copy or reveal it. You’ll see the new large type option in that same menu, always within easy reach.

1Password 5.4 for Mac: Large Type menu option

This feature is also great if you need to enter your Apple ID password on the Apple TV across the room or give guests access to your home Wi-Fi network.

Change the password of a secondary vault

Since your 1…Password (that never gets old around here) unlocks your primary vault and your secondary vaults, it’s very easy to create a secondary vault and never think about its password again. Until now, changing that secondary vault password meant basically recreating the vault.

We’ve made things much more convenient for you in 5.4: you can now change the secondary vault password at will. While you’re at it, don’t forget that it’s a good idea to save this password in your primary vault; since you don’t use it all the time, it’s easy to forget! If you’ve already done that, fantastic! Don’t forget to update that item when you change the secondary vault’s password. =)

A view from the top

Did you know that 1Password for Mac offers multiple layouts? The default is a three-column view, but there’s also a “top” layout option. If you’re a fan of the classic Mail.app layout, you’ll like this one. You can try it out by selecting the View > Item List Layout > Top menu option. We’ve made some improvements to this view in 5.4, all based on your feedback. Thanks for your help!

A new layer of security

We all rely on 1Password to keep our secrets secure. In the 5.4 update for 1Password for Mac, our developers have made 1Password securer than ever by adding a new secret agent to safeguard the communication between 1Password and your web browser.

Safari 9 in Yosemite and El Capitan includes important security updates that address the XARA vulnerability, so please update to the latest Safari and to El Capitan as soon as possible. Our 1Password update works hand in hand with Apple’s OS X security updates to ensure that cross-process communication between 1Password and the web browser in OS X remains secure and properly authenticated.

Because this is a brand new way for the various bits of 1Password to talk to each other, it currently requires the beta browser extension. We’d love your help in ensuring that we didn’t break anything. It’s easy: simply use 1Password in your web browser as you normally do, and let us know if something unexpected happens. If you’re interested in helping us out, please install the 1Password beta extension in your web browser and let us know how things are working in our forums. Thanks very much!

We thank Apple for giving us the tools we need to keep 1Password secure. We’ll have a blog post coming later today explaining the details of this important fix.

But wait, there’s more!

You can find the entire list of new features, improvements, and bug fixes in the release notes.

1Password 5.4 for Mac is available now as a free update if you already have a 1Password 5 for Mac license (or downloaded 1Password 5 from the Mac App Store). Choose the 1Password 5 > Check for Updates menu option, or grab the new version from our downloads page. If you are a Mac App Store customer, the update will download automatically or appear on the Updates tab in the App Store app, depending on your settings.

Got feedback? We’d love to hear from you. Add a comment here or in our discussion forums, or start a conversation with us on Twitter, ADN, or Facebook.

1Password App Extension API and time-based, one-time passwords

The App Extension API was released as a companion to 1Password 5 for iOS last year. Now that 1Password 6 is out, I’m sure some of you are curious to learn about what’s new in the API. To celebrate the App Extension API’s first anniversary, I’d like to tell you about one of its best-kept secrets: Time-based, One-time Passwords (TOTPs).

TOTP + 1Password extension = 🔐

Did you know that our App Extension API supports one-time passwords? In fact, it’s been there since version 1.5 of the API. If you haven’t already, I recommend that you upgrade to the latest version, 1.6.1. Not only can your users fill their usernames and passwords in your app with a few simple taps, their one-time passwords can be filled just as easily.

Best of all, it’s an absolute cinch to implement: simply check whether the one-time password exists in the login dictionary returned by findLoginForURLString:

@IBAction func findLoginFrom1Password(sender: AnyObject) -> Void {
    OnePasswordExtension.sharedExtension().findLoginForURLString("https://www.acme.com", forViewController: self, sender: sender, completion: { (loginDictionary, error) -> Void in

        // No Login was returned (for example, the user cancelled): leave the fields untouched
        guard let login = loginDictionary else {
            return
        }

        // Fill the username and password into the fields
        self.usernameTextField.text = login[AppExtensionUsernameKey] as? String
        self.passwordTextField.text = login[AppExtensionPasswordKey] as? String

        // Check if the user has a One-Time Password for the selected 1Password Login
        if let generatedOneTimePassword = login[AppExtensionTOTPKey] as? String {
            self.oneTimePasswordTextField.text = generatedOneTimePassword

            // Important: It is recommended that you submit the TOTP to your validation server as soon as you receive it, otherwise it may expire.
            self.submitRightNow()
        }
    })
}

That’s all it takes to make your users’ lives much simpler.

1Password ❤ App Developers

If you have already added the 1Password app extension to your iOS app, thank you; you’re awesome! This new functionality gives you the ability to make security even more convenient for your users, and I can’t wait to see how you use it. Please don’t forget to submit your app to our Apps ❤ 1Password directory.

A newsletter just for you

You can also subscribe to our 1Password App Extension Developers newsletter. We’ll send you an occasional newsletter containing 1Password App Extension news, updates, and tricks, to help you realize the full potential of the 1Password Extension API in your iOS apps.

If you have any questions, you can comment on our GitHub project or email support+appex@agilebits.com. I look forward to talking to you!