1P Pro features

TOTP for 1Password users

1P Pro features1Password 5.2 for iOS and 1Password 4.1.0.538 for Windows are out, and they provide support for using Time-based One Time Passwords (TOTP) in your Logins (note: in iOS, it’s part of our Pro Features). Note that this is not for unlocking 1Password itself, but to aid with logging into sites for which you may be using TOTP, such a Dropbox and Tumblr.

To learn how to have 1Password help you manage your TOTP Logins, go straight to our user guide. If you would like to better understand when and why TOTP is useful for 1Password users, and what to do if you truly want two-factor security, continue reading here.

TOTP countdownI’ve previously written (at excessive length, in some cases) about TOTP in general, but in each instance pointed out that it is of limited utility to 1Password users. This is because such schemes are of most use to those people who have weak or reused passwords. If you are using a strong and unique password for a site, then many of the gains of two-step (or multi-step) verification are not relevant for you.

But “most” is not the same as “all”. There still are some cases where multi-step verification is useful to people using 1Password.

Sometimes you must use TOTP

Sometimes a site or service will simply require that TOTP always be used along with your regular password. Patty (one of my dogs) is working with a research group analyzing the structure of heart worm DNA. When she connects to the lab’s server, she is required to use TOTP.

TOTP example in 1Password for Windows

TOTP example in 1Password for Windows

She has set up an app on her laptop that just constantly displays the current TOTP code. It’s sitting there ticking away all the time her laptop is running. Ideally, it should only be visible when she actually needs it, but she is understandably just trying to save time. Clearly, she could use TOTP more securely if it were available for the Login item within 1Password.

One-timeness? Yes

One-time passwords (the “OTP” in “TOTP”) are useful over insecure networks. Normally, when you submit a password to a site or service, you send the same password each time. Ideally, that connection is well encrypted so that the password cannot be captured when it is in transit. This is why it is very important to:

  • use HTTPS instead of HTTP when doing anything sensitive
  • pay attention to the lock icon in your browser’s address field (indicating HTTPS)
  • heed browser warnings about such connections

But networks are easy to compromise. Recently Molly (my other dog) was at the Barkville Airport. When she connected to Wifi, she saw several open wifi IDs. One was BVT-access, and the other one was “Airport Free Wifi”. As it turned out, BVT-access was the legitimate one, but she connected to Airport Free Wifi. Airport Free Wifi was actually a laptop operated by Mr Talk, our neighbor’s cat.

Mr Talk is using SSL-strip on his rogue wifi hotspot. If Molly isn’t paying close attention to the HTTPS status of her browser’s connection, she can send things unencrypted over Mr Talk’s network while thinking it is a secure connection. I should probably point out that Molly lacks the discipline to pay close attention to anything other than a squirrel or rabbit. This way, Mr Talk can capture Molly’s passwords in transit to the servers and save them for later use.

That is one of several ways that passwords can be captured in transit. The point of one-time passwords is that they are not reusable even if they are captured in transit. In this way, TOTP provides a meaningful defense against plausible attacks even though there is nothing “second factor” about how it is being used.

Second factor? No

We need to make the distinction between one time passwords and second factor security. One time passwords are often part of second factor security systems, but using one time passwords doesn’t automatically give you second factor security. Indeed, when you store your TOTP secret in the same place that you keep your password for a site, you do not have second factor security.

However, you still have the benefits of the one-timeness of TOTP codes.

Systems like TOTP are sometimes used as part of second (or multi) factor authentication systems. But this is far from their only usage. To be truly second factor, the TOTP secret (from which the one time password is generated) must not be stored on the same device that you use the regular password on.

Let’s consider an example. Molly has a Tumblr where she posts pictures of the squirrels she is after. So far, she has been using the Authy app on her phone to manage TOTP. If she never logs into to Tumblr on the same phone, then she is using her phone as a second factor. But if she is also using Tumblr from her phone and has had to use her one time password from there, then there is no second factor.

In general, there is a reason why many services that offer TOTP refer to it as “two-step verification” instead of as “second factor authentication”. The security that such sites seek to gain from this is not in the second-factorness; it is in the one-timeness. In particular, many of the sites and services that offer or require two-step verification with one time passwords are doing so because many of their users have weak or reused passwords. Although that should not apply to 1Password users, there are other benefits to one time passwords as I discussed above.

If you really want true two factor

If you would like to turn a site’s offering of TOTP into true two-factor security, you should not store your TOTP secret in 1Password (or in anything that will synchronize across systems). Furthermore, you should not use the regular password for the site on the same device that holds your TOTP secret.

Put simply: the device that holds your TOTP secret should never hold your password if your aim is genuine two factor security.

Personally, I don’t think that following that practice would be worthwhile for anything but a very small number of special circumstances, in which case, you should probably be using a specialized second factor device instead of something like a phone. But not everyone shares my opinion on this, and if you have a need for true second-factor security for some particular site or service, you should take that into account before adding a TOTP secret to 1Password.

For everyone else, if you find the one-timeness of TOTP worthwhile on its own (or are required to use it), 1Password’s new support in v5.2 for iOS and v4.1.0.538 makes it easier to use than ever.

1Password 4 for iOS icon

1Password 5.2 for iOS: The Awesomesauce Edition is here

OPI 5.2 jar of AwesomesauceThe holiday season may be over, but we saved your best present for last! Well, at least the best present with ‘AgileBits’ printed on it somewhere. 1Password 5.2 for iOS is now making its way to the App Store, and we even saved you the time to unwrap it.

(Get it? Because software is digital and therefore impossible to wrap with paper.)

This free update goes out to our new customers and Pro feature owners. To start, we added our first-ever Login Creator, a really slick new tool that makes it easy, dare I even say fun, to add your existing Logins to 1Password and get a feel for how much time it can save you.

Login Creator has a polished workflow for hundreds of sites and services, and we hope it makes getting started with 1Password even easier.

1P iOS Login Creator

For our Pro feature owners, let’s start with a new One-Time Password tool. This helps you sign into a growing number of services (like Amazon and Tumblr) that support a secondary, randomized password for that extra… je ne sais quoi. You can learn more about One-Time Passwords at TwoFactorAuth.org.

1P iOS OTP

Pro owners can now also delete attachments from the item editor and add many new custom field types like addresses, dates, and month/year.

Rounding up this release are plenty of additions in the 1Password App Extension, design, sync, Accessibility, and translation departments. You can check out the full iOS changelog if you want all the details or skip straight to the App Store and pick up the latest and greatest 1Password for iOS!

While you’re there, please take a minute to give us a great review—it helps more than you may know! Finally, let us know what you think of this release on Twitter and Facebook, and stay in touch with the Agile Newsletter.

1PM icon 1024

1Password 5.1 for Mac: The Syncerrific Edition is here

Judging from the title, you might think this update is about Watchtower enhancements or properly formatting credit card numbers, but you would be only half right! 1Password 5.1 for Mac, rolling out now to the the AgileBits Store and Mac App Store, is all about sync.

In short, we completely overhauled how you manage sync for your primary and secondary vaults to save you time. In Preferences > Sync, you can now view all your vaults and how they sync, and change sync methods with a click.

OPM5 new sync pane

Wi-Fi Sync users also get a whole new Preferences pane that makes setup much easier. Oh, and secondary vaults can now sync via Wi-Fi!

We packed lots of other great changes into v5.1 for Mac, from copying addresses in Identities with just a click to support for Portuguese. You can view the full changelog for all the details.

1Password 5.1 for Mac is a free update available now for all v5 owners. If you’re a Mac App Store customer, please leave us a great rating and review, they really help!

As always, let us know what you think on Twitter and Facebook, and stay in touch with the AgileBits newsletter!

Jimmy_Kimmel_Live_hero

People accidentally tell their passwords to Jimmy Kimmel and the world

See? This is why you don’t use your pet’s name and high school graduation year for your password. Because you’ll end up on Jimmy Kimmel Live, telling it to the entire world.

To stay safe online, you want good, strong, unique passwords for all your accounts. That’s where 1Password‘s Strong Password Generator for Mac, iOS, Windows, and Android has you covered.

Homescreen icon

Check out the other apps on 1Password user #Homescreens!

Homescreen iconA little while ago, the fine folks at Betaworks released a clever app called #Homescreen. With a tap, you can share a screenshot and list of apps on your homescreen with your Twitter pals, then check out everyone’s apps at homescreen.is.

But #Homescreen’s cleverness runs much deeper. Not only can you click each app and check it out in the App Store, you can see some really cool stats (like 1Password is on 23 percent of homescreens!) and even all the other apps used by, say, the 1Password community.

Turns out 1Password is in some great company! Of course, Facebook and Twitter are there, and so are great apps (and favorites among AgileBits staff) like Fantastical, Day One, and Reeder. There’s also Slack (which we love for office chat), Launch Center Pro, Workflow, and Mailbox, and the list goes on. It’s also dynamically generated as more people share their homescreens, so it might even change over time.

Check out the full list of apps your 1Password comrades use, there are plenty of gems to discover! Give #Homescreen a try too—it’s a smart, simple way to learn more about your fellow homescreens.

2014 Top 100 Emails - Campaign Monitor

We sent one of the top 100 emails of 2014!

One of the things we love most about this job is talking to you, our customers. We’re on the Twitters and Facebooks, but we also love making and designing the occasional email newsletter for our one million subscribers. Apparently we’re doing something right, too, because our newsletter service, Campaign Monitor, just announced that we sent one of the Top 100 Emails of 2014!

To be specific, our Heartbleed newsletter was quite popular, hopefully because we helped explain what was going on and, of course, whether 1Password was affected (spoiler: it wasn’t). If you scroll to the bottom of our entry there, you’ll see Campaign Monitor gave us good marks for knowing how to balance our design and message, as well as founder (and Chief Newsletter Writer) Dave Teare’s personal touch.

We send just a handful of newsletters per year. Sometimes we even include goodies, such as a free copy of The Email Field Guide by David Sparks in our Thanksgiving newsletter last month.

In fact, Dave’s preparing our Christmas newsletter as you read this, and I hear it will include a gift. If you have yet to experience an AgileBits newsletter, right now is, quite literally, the perfect time to subscribe and get a party in your inbox!

Thanks to Campaign Monitor for the kind words, and thanks to everyone for subscribing!

iMore Best 2014 Awards

iMore names 1Password 5 for iOS an App of the Year for 2014!

It isn’t every day that we have a chance at winning a best-of-the-year award from iMore. In fact, I am told that the opportunity comes only once a year.

And this year we won!

We are thrilled and thankful and just plain touched that iMore named 1Password 5 as the iOS Utility App of the Year for 2014, and 1Password 5 for Mac as a runner-up for Mac Utility App of the Year!

iMore reviewed and listed a ton of stuff for its awards this year, from apps to accessories for both iOS and the Mac. It’s a great list from a bunch of smart folks, so be sure to give the entire thing a look!

1P Emergency Kit v3

Incredible 1Password users release 1Password Emergency Kit 3.0

The 1Password Emergency Kit is a clever PDF created by some of our brilliant users to help families and friends during unfortunate times. Invented by Mike Vardy at Productivityist a couple years ago, it recently reached version 3 and looks even more useful.

The idea behind this user-created Emergency Kit is simple: we create a will and place sensitive items in safe deposit boxes in case something happens to us. But with so much of our lives these days depending on the internet, many of us want a way to make 1Password part of these plans.

Thanks to Productivityist reader and 1Password user Charles Hamons, the 1Password Emergency Kit v3 is now a fillable PDF and includes space for even more useful information, such as locations of multiple vaults (and their Master Passwords) and even instructions for what to do with one’s social media accounts.

Admittedly, this isn’t quite a fun or exciting feature to boast about. But we are absolutely thankful for the work of Mike Vardy, Charles Hamons, and others in the community for building a useful 1Password tool that can help immensely during one of the most painful times in our lives.

App_Store_Best_of_2014

Apple lists 1Password among the App Store Best of 2014

App_Store_Best_of_2014

We are amazed, humbled, and absolutely thrilled that Apple has listed 1Password among the App Store Best of 2014 for iPhone and iPad!

We’re listed alongside some incredible peers, too, from Storehouse to Xcom: Enemy Within, Litely to NYT Now. Apple sure does know how to pick ‘em.

We are especially honored since v5 was both a major feature release and a huge step in taking 1Password for iOS freemium. We added some of our best features ever—like Touch ID and App Extension support for other apps— and we made 1Password 5 for iOS free to start using for new customers. Now, everyone can enjoy 1Password’s security and convenience, then unlock their full potential with a single, one-time in-app purchase.

We might be biased, but we agree that makes 1Password worthy of a Best App of 2014 spot. Thanks to you, our customers, for getting us here!

1P4 Android bot

Avoiding the clipboard with 1Password and Lollipop

Copy & Paste clipboards (or “pasteboards” as they are called on Mac and iOS) can be dangerous places for secrets if you have malicious software running on your device. On most operating systems – mobile and desktop alike – most running applications can read from the system clipboard. When you copy a secret to the system clipboard, a malicious process may be able to read and steal that secret.

This, by the way, is not news, but it is good that it has made the news. It helps people be aware of clipboard usage, and it gives me the opportunity to talk a bit about what we have been doing over the years about this.

We have always worked to reduce how much people need to depend on system clipboards when using 1Password. The details differ from system to system, and each operating environment gives us different ways to help reduce clipboard use. On the Mac and Windows PCs we have the 1Password Browser Extensions communicate with 1Password so that web form filling can avoid the clipboard. 1Password for Windows also uses auto-type to reduce clipboard activity. 1Password 5 on iOS offers 1Browser and integration with other apps through App Extensions

1Password Android browserBut today I will reveal a few things that our 1Password for Android beta testers know.

Aside: Before I get to that discussion, I should point out (as I often do), that the single best defense against a malicious program running on your machine or device is to keep your systems up to date with all software and system updates. It is also important to be careful in what you install on your system. 1Password can offer some significant defenses against malware on your system, but you have to help keep your systems free of malware.

1Password 4 for Android already has a simple built-in browser. This allows you to go directly from your Login item in 1Password to the web page, filling the data without the clipboard. Our iOS users are already familiar with 1Browser, and this is shaping up on Android.

Lollipop provides clipboardless sweetness

Of course, web pages aren’t the only thing that people need to fill passwords into, and sometimes people may wish to use something other than the browser built in to 1Password. In the current Beta release of 1Password for Android, we used the latest security and accessibility features in Android 5 (Lollipop) to allow 1Password to fill into other apps without making use of the clipboard.

Starting with Lollipop, we have a way to fill password data into other apps without using the clipboard. Perhaps it would be best to just quote what Nik, our Happiness Engineer, had to say in the beta newsletter just a couple of weeks ago:

Wondering why app and browser filling requires OS 5.0? Me too! So I asked our developers. It turns out that the only way for us to do this in earlier versions of Android OS was to use copy/paste accessibility APIs, meaning that any clipboard manager or malicious app could listen to clipboard events and collect login credentials as they were filled.

In Lollipop, 1Password can fill your information directly, without using the clipboard. Therefore, it isn’t possible for a third party to obtain your passwords by snooping on what 1Password’s doing.

Prior to Lollipop, it would be possible to get this kind of app-filling, but it would have relied on the clipboard under the hood. Because using the clipboard involves known risks, we feel that we should make it clear when copy/paste is being used and minimize it’s use wherever possible. As a result, we decided to focus on a Lollipop-only implementation of our filling feature

If you have an Android device with Lollipop installed and would like a sneak peek, I invite you to sign up for our Android beta.

Clipboards may always be with us

As you can see, we are working to reduce dependency on system clipboards when using 1Password. This is an on-going process. Browser integration on the desktops was something we started with back when the very first versions of 1Password was released for the Mac nearly eight years ago. Later, we introduced our own browser into 1Password for iOS, and much more recently encouraged 1Password integration for other iOS 8 apps using App Extensions. Along the way, we introduced auto-type in 1Password for Windows and a web browser into 1Password for Android. As you’ve learned here, we have in-app filling in our Android Beta, making use of the latest features of Android 5.0, Lollipop.

But while we are progressively reducing the need for copy and paste to a system clipboard, we are a long way from eliminating the need to use these. This is why I must repeat my advice to keep your system free of malicious software.

What I would like to see is a clipboard that could only be read when the user explicitly chooses to paste. This is something that has been suggested a number of times before, but has not be implemented on the most popular operating systems. I suspect that there is a reason for that, but if you know, I eagerly await your insights in the comments.