1password Safari extension question

Discussion in 'iOS Apps' started by Nolander07, Sep 17, 2014.

  1. Nolander07 macrumors 6502a

    Oct 16, 2012
    I can't get Touch ID to work for 1password in the safari extension. The 1password icon is there in the sharing menu, but when I tap on it the only option is to input my password. Touch ID works fine with the 1password app itself, so I assume I am missing something in the settings, but I can't figure it out. I have been messing with it for the last hour or so. (Running iOS 8 of course with iPhone 5s). Thanks.
  2. AGKyle macrumors 6502a

    Jun 10, 2012
    Oh boy, this should be fun :) I am sorry in advance if this doesn't work. I do not yet have a TouchID enabled device so I am not able to test things personally before relaying this information.

    What I've heard (from TouchID enabled coworkers) is that you need to goto 1Password -> Settings -> Advanced -> Use iOS Keychain and make sure that is enabled.

    Basically, what happens is that to unlock 1Password we need to store the master password in the iOS keychain. TouchID only provides us with a "Yes/No" style response, so, we store the master password in the iOS keychain with a few parameters.

    1. It can only be read by 1Password, not other applications
    2. It will never leave your iOS device
    3. It requires the unlock code for the device, OR TouchID to validate and gain access

    So, it's pretty secure, so long as you use a strong passcode for your iOS device (I suggest using more than the 4 digit pin unlock).

    Once this is enabled, we store the master password in the keychain. Then when 1Password asks you to unlock it'll throw up the TouchID screen. You confirm with your finger(s) that you are who you say you are, TouchID tells us you are the person you claim to be, we use that to get the master password, and unlock the application (or extension).

    Let me know how it turns out! :)
  3. anarche macrumors member


    Sep 11, 2014
    To add another question to this thread so we don't create a new one, is there any way to migrate all my lastpass accounts and passwords to 1password? I'd like to move to this, but don't want to go through the effort of re-entering everything.
  4. AGKyle macrumors 6502a

    Jun 10, 2012

    You can use the LastPass Import feature in the Mac application.

    Details here:

    Also, a user contribution may do an even better job of importing:

    Both should get you up and running with the data in the Mac app, of which you can get free for 30 days (http://www.agilebits.com/downloads)

    Then you can sync this data, either via Dropbox or Wifi (iCloud won't work unless you're on Yosemite and using the latest 1Password for Mac beta) along with iOS 8 and 1Password 5 for iOS.

    Let me know if you run into any trouble! I'll be happy to help!
  5. Nolander07, Sep 17, 2014
    Last edited: Sep 17, 2014

    Nolander07 thread starter macrumors 6502a

    Oct 16, 2012
    1password Safari extension question

    Thanks for the info. I set it all up this way, and still no option for Touch ID(in the Safari extension). It does open 1password from the Safari extension without requiring a password though with iOS keychain turned on. I will keep trying to get the Touch ID to work in the extension. It works fine with the app itself. Thanks again.
  6. AGKyle macrumors 6502a

    Jun 10, 2012
    Interesting, can you shoot us an email, see the Contact Us link in my signature. Mention my name in the message and it'll auto-tag me as a watcher on the ticket. Then just for good measure, send me the ticket ID you get in response (separate email) either here in the ticket, or private message so I can make sure I got tagged on it and I'll research this with a developer.

    Let me know what settings you have on/off and what the options are in both Security settings and in Advanced.
  7. anarche macrumors member


    Sep 11, 2014
    Thank you, very helpful, except that I'm a Windows person so is this available on Windows as well?

    I'm still evaluating my LastPass Premium which runs for a year vs. 1Password, but 1Password appears to have better integration with browser logins, etc.

  8. AGKyle macrumors 6502a

    Jun 10, 2012
    The last link includes instructions for allowing import into 1Password 4 for Windows.

    You just need the Windows application, which is also free for 30 days. I'm speaking of this link:


    Instructions on how to use are here, specifically for LastPass:


    Let me know if you have any other questions or trouble along the way.
  9. Nolander07 thread starter macrumors 6502a

    Oct 16, 2012
    1password Safari extension question

    I ended up deleting the app and reinstalling it and now everything works perfectly. Maybe something got corrupted during the update or I had a default setting off causing it not to work right. Either way, I am happy. It is one of my favorite apps, especially now with Touch ID. Thanks to everyone for the help, especially Kyle from AgileBits who so kindly dealt with my emails and gave me advice.
  10. supertonic macrumors member

    May 5, 2010
    How to use your 1Password log-ins in Safari:

  11. AGKyle macrumors 6502a

    Jun 10, 2012
    Glad to hear you got it all up and running! I'm sorry I didn't have a better answer more quickly though :)

    Don't hesitate to get in touch if you have any other questions. We're happy to help.
  12. JoelBC macrumors 6502a

    Jun 16, 2012
    I don't know whether this is 1Password issue of an Apple issue but when I move the extension to the far left, as suggested, it does NOT stay there...would be great to get this fixed...
  13. BasicGreatGuy Contributor


    Sep 21, 2012
    In the middle of several books.
    I bet it is an iOS issue.
  14. JoelBC, Sep 17, 2014
    Last edited: Sep 17, 2014

    JoelBC macrumors 6502a

    Jun 16, 2012
    I noticed one other problem which needs an immediate fix...Touch ID "timeouts" meaning that although Touch ID is enabled in stops working after a few minutes and no longer allow log-ins via touch but only via password...after / once the password is entered then the Touch ID starts working again for a few minutes and then, the cylce continues.
  15. Nolander07 thread starter macrumors 6502a

    Oct 16, 2012

    Thanks, but that wasn't the problem. I knew all that, it was an issue with not having the option of using Touch ID for the extension. I think it was my mistake, and the iOS keychain option has to be on in the app. It works great now.


    Set the request master password to every 30 days. That will give you more time before it resets.
  16. chrfr macrumors 604

    Jul 11, 2009
    I am having this issue myself. So far, it appears that the success rate of being presented with the Touch ID option is less than 50%.
    Edit: This addressed my issue https://guides.agilebits.com/1password-ios-kb/4/en/topic/touch-id-faq

    The master password timer is independent of all the other timers, so no matter what you set in Touch ID options, after that times out, you'll need to re-enter the password.
  17. JoelBC macrumors 6502a

    Jun 16, 2012
    Appreciate the link as well as the explanation which I think I understand as it appears that there are two timers i) time between opening with the master password and ii) time before asking for a finger print again...to maximize the amount of time that one can use touch ID the first needs to be set to 30 days (longest available) while the second can be set to a shorter interval for security (say, two days)...

    I do however wish that the functionality would be different and simpler...to me the best approach would have been to simply allow the use of Touch ID in place of the master password (i.e. in the same way one can use Touch ID to unlock a phone).
  18. chrfr macrumors 604

    Jul 11, 2009
    I'm ok with needing to put the password in every 30 days or on a reboot and figure that Agilebits has valid security reasons for giving these options. The interface should make the options clearer, though, without having to find a FAQ page.
  19. AGKyle macrumors 6502a

    Jun 10, 2012
    This is an iOS issue. Almost everyone on our team has filed a bug report with Apple, hopefully it gets fixed soon... It also existed in the betas.

    There's no super simple way to do this. TouchID does not give us anything other than a "Yes/No" type of response. It's hard to replace the master password with Yes/No and still be secure :)

    What we do is store the Master Password in the iOS keychain with a few important flags:

    1) It can only be accessed by 1Password
    2) It never leaves the device (no iCloud Keychain sync)
    3) It requires the device's passcode (we suggest a longer non-digit only passcode) or TouchID to gain access to the item in the iOS keychain

    We can then use that to unlock the application. Given that though, we felt limiting the time it was made available before typing in the master password served a few great functions:

    1) Basing it on time means that the user can use it for fast app switching purposes only if they wish, or have it on for a longer period of time
    2) Basing it on time means they do have to type their master password in at some point, otherwise they may forget it.

    Nothing hurts worse than telling a person we cannot recover their master password because they forgot it. Happens often enough to give me nightmare's. We cannot reset a user's password so if it's forgotten it's forgotten and so is the data contained within. If we allowed resets that would mean there was a way for a malicious user to try to gain access.

    We made these choices to provide the best set of options for you, our users. They may not always be exactly what you want, but they're usually a pretty good middle ground between being secure and convenient.


    Agreed. It's just hard to explain in limited amounts of space :) I'm sure we'll reword it over time in an attempt to improve it. Sometimes you have to get feedback from users about what is confusing and seeing it in support before you know what is unclear or needs alteration.
  20. JoelBC macrumors 6502a

    Jun 16, 2012
    Kyle, thank you, very helpful and very clear, greatly appreciated...
  21. AGKyle macrumors 6502a

    Jun 10, 2012
    My pleasure :) If you ever have any questions just let me know. I'm happy to clear up any questions. Many times there's a really good explanation for how things are they way they are.

    We try to hide as much of that as possible and just make it "make sense" but sometimes it's hard and well, we get things wrong sometimes too with some of the decisions we make with user interface and user experience.

    TouchID is definitely somewhere I think we can improve on in an iterative way. Most of our beta users are technically capable so they have no issue fiddling with settings to get it how they want. More casual (and new) users are who we need to improve the experience for with TouchID.

    Let me know if I can ever help though!
  22. JoelBC macrumors 6502a

    Jun 16, 2012
    I am one of your beta testers -- at least for 1Password for Mac and 1Password for Windows!
  23. AGKyle macrumors 6502a

    Jun 10, 2012
    Yea, we have those open to anyone who wants to use them at this point. The iOS version though has limits on how many people we can invite to test it so that's a bit of a trickier situation and it's by invite only. Usually it's a tough thing because we really want the feedback from casual users but they're also less likely to try beta versions :) Because of that we end up having to do our best for things and then get feedback in our support system to decide how to make changes to better fit the non-developer or power user type.
  24. gc916 macrumors regular


    Apr 23, 2012
    I'm experiencing the same issue as the OP. I have verified that the "time" settings for Master Password and TouchID are correct, but I am still required to enter my MP each time I attempt to use the Safari extension.
  25. AGKyle macrumors 6502a

    Jun 10, 2012
    Make sure you goto Settings->Advanced and enable the Use iOS Keychain option.

    Otherwise it works differently than you expect.

    Basically here's the summary:

    With TouchID we only receive a response of yes or no on whether your finger prints match what was expected.

    Many applications do not encrypt their data so they can use TouchID as a simple gatekeeper to show or not show the data in the application. For us, we have encrypted data and need to do a lot more to show the user's vault. Since the Master Password is required we must store it somewhere. That gives us two options:

    1) If the option to store the master password in the iOS Keychain is off then we must rely on the master password being stored in memory. This goes away when the app is quit by the user, or by iOS, including restarts of the device. When that happens we have to get the Master Password again so we ask for it.

    2) If the option to store the master password in the iOS keychain is on then we store the obfuscated master password there and you can change the option to let you unlock with TouchID for up to 30 days. We then access the master password in the iOS keychain to unlock the vault again as needed. This should make things more predictable for what you want to see.

    A few notes about #2 though. We have a few parameters on the item we store in the iOS keychain that are relevant here:

    * The item can only be accessed by 1Password
    * The item will never leave the iOS device (it's also stored in the Secure Enclave and encrypted by your device passcode)
    * The item requires the device passcode or TouchID approval to be accessed

    We also limit the TouchID period to 30 days to force users to type in their master password. Otherwise it's possible that some users may never type it in and forget the only key they have to access their vault data.

Share This Page