Friday, September 24, 2021

iOS Safari Extension: 1Password

Sami Fathi:

With iOS and iPadOS 15, Apple allows Safari extensions developers to release their previously exclusive Safari for Mac extensions to the iPhone and iPad, allowing users to use extensions on all of their devices. 1Password was one of the first to tease support earlier in June, and with its latest App Store update today, it’s bringing it to all users.

With its Safari extension on iPhone and iPad, 1Password users now have immediate access to all their passwords and 1Password entries right inside of Safari, including in-page suggestions. 1Password for Safari uses on-device machine learning to automatically fill in the login process of complicated websites and even automatically fills in two-factor authentication codes.

Too bad it doesn’t work with standalone vaults.

Update (2021-10-04): Mike Rockwell:

With the introduction of 1Password’s Safari extension, they’ve also discontinued their share sheet extension. This has managed to irritate quite a few users, including myself.

While the Safari extension is great, it doesn’t replace all of the functionality of the previous share sheet extension.

[…]

So if they had already stopped maintaining it, the claim that it would require additional work to maintain doesn’t really hold water. The sensible solution would have been to keep the share sheet extension in the app for some period of time alongside the Safari extension and then notifying users of its imminent retirement.

What irritates me the most is the lack of messaging. I had no idea the share sheet extension was even in consideration for retirement. One day I just updated the app and it was gone — it wasn’t even mentioned in the 7.8 release notes.

Update (2021-10-05): Damien Petrilli:

1Password removal of the share sheet is also preventing it to work with Firefox on iOS as it was used as a a workaround as they provide no plugin

7 Comments RSS · Twitter


So, what are the downsides of the new, Mac/iOS built-in password/2FA system at this point?


@Sean I discussed that a bit here. Also, Safari Passwords has very limited fields and incomplete import/export.


Was also sad about not working with stand-alone vaults. But then I‘ve seen that the next major 1Password release will sunset stand-alone vaults at all.
So no surprise they didn’t support it.

Well, have to decide now, whether I want my passwords stored in their cloud (and pay the bill for it) or move on to some open-source self hosted solution.

Not easy, as I really love their apps and use them since the beginning.


1Password on iOS 15 sometimes resets itself every time it unlocks, requiring that a new session be opened with 1Password.com. This can lead accounts to be littered with dozens of broken logins, which is sure to quickly become a headache for administrators who like to keep tabs on what sessions they users keep open.

1Password Support says they are aware of the problem and investigating it, but I am surprised the extension shipped in this state to end-users. Now that the Share extension has been removed, all that is left of 1Password to use reliably on iOS is the Auto Fill feature, and that is far from being universally useful…


@Thyraz — if you can stomach an Electron app (which you're facing anyway if you stick with 1p) check out KeeWeb (https://keeweb.info). The KeePass ecosystem is extensive, albeit mostly with hideous UI on Mac. KeeWeb is the exception, IMO. I recently switched from 1Password, and wouldn't hesitate to recommend it. You can sync your password files using virtually any method that exists.


Oh. What a bummer. Was hoping the extension would work with local vaults.

The old auto-fill itegration should still work with local vaults though, I hope.


The 1Password extension on iOS is closer to the Linux version than to what users are used to on macOS. It creates a direct connection to 1Password.com and appears there as a “Safari” login, indistinguishable from actual browser sessions.

This would not be so bad if the extension did not randomly forget its login information and if erasing Safari’s History did not log it out every single time. Currently, users must re-authenticate with the 1Password service multiple times a day (in my experience, pretty much every time the extension is used), causing endless “zombie” sessions to appear on 1Password.com — sessions for which no local tokens exist, but which the server considers active. This feels like a security and a usability issue.

I contacted 1Password shortly after iOS 15.0 was released and they more or less waved it aside, explaining this was not intended behaviour and hinting at sunnier days ahead. Now that iOS 15.1 has been released and the extension behaves in exactly the same way, I have grave doubts about their ability to deliver as things stand.

Furthermore, the removal of the Share extension entails a security regression: both Auto Fill and the Share extension could mandate biometric authentication to fill in passwords. The new Safari extension only allows for time-based locks — and the option to lock at reboot was removed with 1Password’s last update.

This leaves users with Auto Fill as the only secure and predictable solution that neither litters their 1Password accounts with spurious logins nor allows “drive-by” attacks. And we all know how smart Auto Fill is…

Truly a frustrating state of affairs, especially considering the removal of the Share extension was so sudden. It is a shame 1Password did not wait until their new solution (or the frameworks it depends on) was stable before getting rid of battle-tested code.

Leave a Comment