ssh agent on Mac Os - no prompt for password after the first connection

1Password Team

3 years ago

Great question! This is a design choice we've been internally debating for a while before launching this functionality.

The reason why we don't require the account password to authorize SSH connections when 1Password is already unlocked is because the additional protection that this gives does not outweigh the UX overhead.

On macOS, a malicious process that would try to approve a malicious SSH connection by automating the Authorize button click would first need explicit Accessibility permissions in the OS settings or require root access. This makes it acceptable to lower the approval requirements on macOS, in favor of the UX for non-Touch ID / clamshell mode users.

However, with this reasoning you could argue that when 1Password is already unlocked we should not ask for Touch ID either, because it's not required. But we concluded that in the case of Touch ID, there is some value in the consistent UX of placing your finger on the Touch ID sensor regardless of whether 1Password is locked or unlocked.

Forum Discussion

ssh agent on Mac Os - no prompt for password after the first connection

Featured discussions

September at 1Password: Browser versions, enhanced security, and new integrations

Recent discussions

Unofficial 1Password SDK for Rust

🔊 Securing Cursor agentic development with 1Password Environments

ssh agent and ansible 12 prompting incessantly

1Password Chrome extension is incorrectly manipulating <code> blocks

Custom aliases and OpenSSH fields for SSH Bookmarks