Anonymous
2 years ago
ssh agent on macOS - no prompt for password after the first connection
Hello!
I have a question I did not find an answer to yet.
We are a database-related support company, and we use ssh keys to log in to machines. Recently we started to try out the ssh agent feat...
floris_1P
1Password Team
2 years ago
Great question! This is a design choice we've been internally debating for a while before launching this functionality.
The reason why we don't require the account password to authorize SSH connections when 1Password is already unlocked is because the additional protection that this gives does not outweigh the UX overhead.
On macOS, a malicious process that would try to approve a malicious SSH connection by automating the Authorize button click would first need explicit Accessibility permissions in the OS settings or require root access. This makes it acceptable to lower the approval requirements on macOS, in favor of the UX for non-Touch ID / clamshell mode users.
However, with this reasoning you could argue that when 1Password is already unlocked we should not ask for Touch ID either, because it's not required. But we concluded that in the case of Touch ID, there is some value in the consistent UX of placing your finger on the Touch ID sensor regardless of whether 1Password is locked or unlocked.