1Password chrome extension keeps locking out every few minutes due to this! — Sometimes there is actually an update available for chrome (I use their canary channel so updates are very frequent), but a few times I've noticed this coming even when Chrome says there aren't any updates. This makes the extension almost unusable for me since it's used not just for passwords, but also used for autofill. Why should 1Password stop working every time chrome has an update? It doesn't make a lot of sense. 1Password Version: 1Password for Mac 8.5.0 Extension Version: version 2.1.4 OS Version: Mac 11.6.1

steph_giles @jamesbull has nailed the issue. Restarting Chrome is an ordeal. As an agency many of our customers are providing Google Accounts for our employees. The easiest way to manage these multiple Google Workspace accounts is to use multiple Chrome profiles. Users will frequently keep Chrome open for 3-4 weeks at a time with 5-6 Chrome profiles with 5-6 windows per profile with 20-30 tabs per window (yes, the machines are beefy and people are using tab suspension) and only restart when an OS Chrome when an OS update is pushed. People even take this a step further by using multiple virtual machines and then facing this problem with multiple instances of Chrome running on virtual machines all on one physical machine... Yes, this is probably not a common use case but you'd be surprised with software devs... Also, it would be almost impossible to measure if people are doing this, it's just going to look like one account being used on many machines... Additionally, people are using 5-6 1Password instances due to being given accounts on client 1Password instances. This experience has gotten way better so props on that 1Password. Still not there yet though... I'd still like to see an experience like Slack Connect for 1Password to make working with external businesses easier but I imagine that'd be amazingly difficult to do with a secure architecture... And it would lead to a significant reduction in paid user accounts for 1Password. Our employees can basically have 6 accounts, one paid for by us and 5 by clients.... It's still painful using multiple 1Password instances though where those instances have unique passwords, I know 1Password will unlock all instances if they share the same master password and that because of the unique architecture of the 1Password Master Password password reuse doesn't have the same negative implications it does elsewhere... That still breaks most users brains though "oh, don't reuse passwords anywhere, it's really bad... Oh except the most important password you have, your 1Password Master Password, it's fine to reuse that... But remember, only as a Master Password on other 1Password instances... The irony (whilst technically sound) of 1Password deploying password reuse to solve a UX problem does not seem to have been lost on the community and was thoroughly discussed here: https://1password.community/discussion/comment/608291/#Comment_608291 Realistically one should close out their browser and update it quickly to be as secure as possible. That's best practice. It's just not always realistic if it needs to be done weekly or daily. The current user experience feels like 1Password is getting opinionated about what people's update habits should be around other apps beyond 1Password. That feels like overreach and and a holier-than-thou attitude. It just leaves a bad taste. I don't think that's actually what's happening here, I think it is a genuine architecture of the browser extension/desktop app relationship but that won't matter to a user who doesn't care to understand the nuances of the architecture. They just see 1Password having opinions about how up to date their browser is and see functionality being restricted in order to force behaviour change and not monthly or quarterly, sometimes weekly or daily depending on how frequently Chrome updates rollout (which is not to their stated fortnightly schedule btw, that's an aspiration, it usually whenever something urgent needs patching). Imagine if Chrome started restricting access to Google Products if the browser was out of date and this happened daily or weekly... Yeah nah. 1Password is a critical tool that gets used hundreds of time per day by our users. Using that power to force people to reboot other applications by restricting access to that tool and doing that multiple times per week (even if unintentionally) feels like negligence at best and abuse of power at worst. This is part of a broader issue for the tech industry (Google is going to face it with Chrome and their 'traffic light's update system in Chrome) which is that users will revolt if core applications start needing full restarts daily or multiple times per day. There is going to need to be a concerted architecture effort by most applications to enable live patching wherever possible and keep the requirements for full restarts to the absolute bare minimum. Applications that manage this engineering challenge will inherit the users of applications that choose to prioritise engineering ease over UX. What I'm saying is that 1Password have made architecture tradeoffs that cause a poor user experience, that's fine but I imagine 1Password is flying close to the sun on this and is getting to the point where they're crossing the line of what they can force users to do... I mean only 1Password have access to user churn data but if I had to guess, this sort of thing would be driving it up. It feels like a Steve Jobs moment is required where he comes in, says that he doesn't like the way the bounce animation works on iPhone scroll and holds the entire iPhone project until the bounce animation feels just right. Yeah it's a good damn engineering pain in the backside but it's what makes for iPhone level UX driven success. If 1Password wants that level of success, keep prioritising the UX. Keep refusing to ship product with a solid engineering solution but a bad UX. Don't ship until the engineering is genius and the UX is best in class. There are plenty of other password managers out there... Don't mess up your USP.

Hey 1Password.. Chrome has moved to weekly updates: https://security.googleblog.com/2023/08/an-update-on-chrome-security-updates.html and I'm at wits end with 1Password failing. I certainly can't try to get my family to start using our teams account when the passwords which were "just there" in their chrome profile don't go missing. I never have cared what security benefit there is from having the extension validate the browser.. now that the browser is pretty much always considered invalid, we really need a better workflow here.

OMYGOODNESS IT'S CHRISTMAS The 1Password browser extension in Chrome will now maintain a connection with the 1Password app even when a Chrome update is pending.

@ObjectConsulting I'm happy to see your enthusiasm for the new update, our development team took everyone's feedback to heart and worked hard to get this right. 💙 -Dave

Can this please be fixed (at least in the short term) by letting us disable code signature validation for selected browsers? We finally have the ability to select trusted browsers, so this really isn't a huge leap. I might try disabling chrome-auto updates because this behavior is so frustrating.

1Password chrome extension keeps getting locked because an update is available

85 Replies

Former Member
3 years ago
This is really painful. Browser updates happen too often and I have to close all my tabs.
Former Member
3 years ago
I also find this behavior very frustrating, but having looked into it I don't think there's much 1Password can do here without compromising security. Presuming it's even possible, end-running MacOS' code signature checks would be hacky and prone to vulnerabilities.

It seems clear that Chrome's method of overwriting the static (disk) copy of the code violates the expectations of MacOS' SecCode framework, so it really is on Google to conform to the platform on which Chrome is running. (FWIW it seems like writing a new Chrome to disk and only moving it into place when it's about to be run would do the trick, but it begs credulity to imagine the Chrome devs haven't thought of that; so there must be some non-obvious problem with it.)

It would be nice to have some confidence that Agile Bits are actively in touch with Google and actively pushing them to resolve this issue. Google is aware of, tracking, and implementing workarounds to https://bugs.chromium.org/p/chromium/issues/detail?id=1297588 bugs rooted in Chrome overwriting itself on disk while it's still running, but 1Password isn't in the list. There is one public Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=622770 specific to 1Password, but it's 6 years old and hasn't had any activity in it for 3.5 years. Which gives the appearance that Agile Bits are resigned to it as intractable, when it can (and should) be fixed. Squeaky wheel…
Former Member
3 years ago
I'd like to add my voice to this as well -- there has to be a better way to handle this, while still maintaining security.
objectwork
New Contributor
3 years ago
Not ready to post in detail about this yet but just want to say I'm very interested in this discussion: how the 1Password Application PC/macOS, 1Password Chrome Extension, and Chrome/'Google Update' interact with each other and present challenges to efficient-use/workflow.
Former Member
4 years ago
I'd like to add my name to this issue. I often keep several dozen tabs open, so I can't update Chrome every time a new version is available. It's a major pain to restart the browser. Having 1Password require the master password every few minutes is just as big of a pain. I'm also considering looking for a new solution if this can't be resolved. From the comments above, it seems there are other options that don't have this issue. I have the annual family plan and I don't want to change services, but this problem is going to force the issue.
Former Member
4 years ago
Is there no way to have 1Password be aware of the code signature of both the old and new versions of the browser? This security feature makes using 1Password + Chrome + Touch ID really frustrating given how often Chrome updates. Turning off the desktop integration is not a solution because then I lose the Touch ID support. Hope you can come up with a user-friendly solution for this one that doesn't sacrifice security!
Former Member
4 years ago
Same - this is a really annoying behaviour even with a standard Chrome installation - Updates are too frequent. I'm considering switching to another app too.
Former Member
4 years ago
Given how often Chrome is being updated, this headache is causing me to seriously considering going back to using LastPass.
ag_chantelle
1Password Team
4 years ago
@pastelsky

Currently, 1Pass invalidates the session as soon as a background upgrade is downloaded.

We only invalidate after we attempt a reconnection with the desktop app. But I can see how the two might coincide if the browser updates multiple times in a single day/session. As Yaron suggested, disabling integration might be the best approach for your case in the meantime. We'll continue to work with our development team to see if we can find ways to improve the experience here. Apologies for the disruption.
Former Member
4 years ago

However for 1Password to maintain a secure connection to your desktop app, it needs to be able to validate the code signature of the browser

That does make sense, however, it's something that I would expect to happen when I actually hit update on Chrome. Chrome dev/beta / canary download updates quite frequently in the background — may be several times a week, however, I may only hit update less often.

Currently, 1Pass invalidates the session as soon as a background upgrade is downloaded.

Forum Discussion

1Password chrome extension keeps getting locked because an update is available

85 Replies

Featured discussions

September at 1Password: Browser versions, enhanced security, and new integrations

Recent discussions

Duplicate entries after imports

Want to rely on Hello, avoid master password entry after reboot

Security incident Postmark and 1P ?

1Password website does not load when updating entry

Passkey transfer via CXP supported on iOS 26