Back

You might not know that 1Password Safari extension has been through five (!) rewrites over about a decade, with each incarnation adopting the latest supported framework:

2009: Swizzling Safari
2011: Safari Extension
2017: Safari App Extension (SAE)
2020: Safari Web Extension (SWE)
2021: Safari Web Extension for iOS

(If you've never heard of swizzling, picture injecting Objective-C into Safari at runtime to implement autofill by overriding methods. It was as great/terrible as that sounds.)

Safari extensions used to trail far behind other browsers. In fact 1Password did not have anything close to feature parity in Safari until just a few years ago.

Everything changed when Apple adopted the Web Extension API at WWDC 2020 — the same one used by Chrome and Firefox. And a year later, Apple brought extensions to iOS.

We were *ecstatic*. We jumped at the opportunity to bring 1Password to Mobile Safari, redesigning every component in just under three months.

https://blog.1password.com/1password-for-safari/

Each new Safari extension framework meant better compatibility, stronger security, and more features. But there were also growing pains. The SAE and SWE frameworks had much larger surface areas, more bugs, and new and different restrictions.

These kinds of obstacles crop up with any new API. But the issues in more recent frameworks had especially harsh consequences for a critical aspect of 1Password usability: the ability to be — and stay — unlocked.

1Password faces a unique challenge in the web browser: your data needs to be locked (encrypted) when it's not in use, and your unlock keys need to be kept safe from attackers — never cached or exposed in plain text.

Browser extensions do not have any way to securely manage keys. So if you want to unlock 1Password in a web browser, there's really only one good way to do it, and that's with the help of another app outside of the browser — one that can access the secure enclave/keychain.

When you interact with the 1Password browser extension, it sends a message to a native binary asking it to unlock (using biometry if possible) and to provide it with data. If all goes well, you see a prompt to unlock followed by your autofill suggestions.

But if for any reason the connection with the binary can't be established or isn't working as expected, things start to deteriorate. The extension stalls, or locks itself when it shouldn't, or even stops responding completely.

Keeping up a secure connection between a browser extension and a native app is a perennial challenge. It has to be achieved in unique ways for different browsers and operating systems and has been a major area of focus for our teams over my entire decade+ at 1Password.

But if every environment poses unique challenges, the most challenging of all is Safari on iOS. And the second most challenging is Safari on macOS. :)

The difference between Safari and other browsers comes down to a few fundamental issues:

1) Immature implementation of the Web Extension API
2) Extra indirection and instability in the XPC layer
3) Severe restrictions on extension lifecycles and persistence, especially on iOS.

All of these contribute to an experience in Safari that's just not as fast, reliable, or feature complete when compared to the same browser extensions in Chrome and Firefox.

Safari is the latest browser to use the modern Web Extension spec — something all developers are very grateful for — and Apple has made incredible strides to support extensions, especially on mobile. (Looking at you, Google!)

I love being able to use extensions like 1Password, Noir and Open in Apollo (RIP) on my iPhone and iPad.

But it's not fully there yet. There are still missing and incomplete APIs which must be worked around, and others which simply do not work.

https://getnoir.app

An example of an incomplete API is the `onCommited` event which the 1Password extension relies on to implement one of its newest (and coolest!) features: signing in to sites with SSO/social logins. The event is still missing fundamental properties without which this feature cannot work properly. (Radar: FB10006044.)

https://support.1password.com/sign-in-with-provider/

As for APIs which simply do not work, people report that tapping "Copy" in the iOS Safari extension often does nothing. This is indeed an awful experience — I'm angry at myself whenever someone mentions it. But the truth is, 1Password is calling the clipboard API exactly as it's supposed to. It just doesn't work half the time.

It might seem like we aren't listening, but at the end of the day the fix really does have to come from upstream. (Radar: FB9924270.)

https://mastodon.social/@caseyliss/112526364550291936

@mitchchn This thread was very interesting, and I'm glad you spent the time.

That said, I stand by my thesis: 1Password has gotten worse and worse for me in the last couple years, in every measurable way. I yearn for the time when 1Password was built for users like me, and not for other corporations.

@caseyliss @mitchchn Nostalgia can be great but things weren’t always perfect.

I remember the time when we had a huge number of complaints about 1Password 4 and how it is a huge step back from rock-solid version 3. The support inbox at 10,000+ unanswered emails. The team is burning out because of all the negative feedback.

All this because Apple made a ton of changes in the new version of macOS and it required complete rewrite of 1Password.

@roustem @mitchchn 100%!

All I know is, 1Password used to be a delight *every time I opened it*.

Now — with 1P8 especially — it's painful nearly every time I open it.

---

I'm sure I'm coming across like a world-class asshole, and I am genuinely sorry for that. But I do this because I love[d] 1Password **so. fucking. much.* and I just want it to make me feel that way again.

@caseyliss @roustem @mitchchn I understand very well how underlying platform bugs can mess up the experience and I know damn well that 1P8 has a lot of improvements under the hood and new functionality. Platform bugs do not explain, however, how users lost local-only features, were faced with a new, bewildering, broken app UI, a new extension which has widgets and popups and distractions everywhere, and a constant load of marketing messaging saying that every feature and customer *except us* was
priority one. Apple didn’t do that to us here. I love a lot of what 1P is doing, but honestly I’d give it up if I could have a password manager with a straightforward app and a plug-in that performed autofill without choking back.

I know it’s all harder than that and the trade-offs exist and I do give Agilebits a lot of credit (and get pissed at Casey for complaining so much sometimes), but my feelings are hurt by the product state and product direction.

@joshrivers @caseyliss @roustem I know that you and Casey have other criticisms and I'm not dismissing them. But the past three times I've found myself in a thread of people so frustrated on mastodon, it originated with an issue in Safari.

There's little upside in blaming a platform. I'd much prefer to focus on your feedback about things I/we can address directly. When it comes to Safari, I'll share what I know, call attention to longstanding Radars which will help, and offer suggestions.

@joshrivers @caseyliss @roustem Oh Tailscale is a huge inspiration! Their office is down the street in Toronto. We love their tech and devrel and we're learning from both.

I hear you on the trap of coming across as too enterprise-y. It's one reason why I (plus the founders and others) enjoy talking about 1Password more casually on here, as well as on reddit (r/1Password) and in our Slack (sorry :P) for developers. (Join us: https://developer.1password.com/joinslack.)

@roustem @joshrivers @mitchchn while I will concede that there is not an explicit statement of “we are profitable”, I feel like this is a pretty clear explanation of their business model.

https://tailscale.com/blog/free-plan

(cc @ironicbadger)