While this looks interesting, I'll admit I feel like there's been a bit of drift from their bread and butter over the years since they launched their cloud thing and started pushing hard towards a subscription model. I chose them long ago specifically over options like LastPass because I liked having a rich application without internet dependency and their attention to detail and features there, but it's been a while since it feels like it got major new improvements vs the site. For example, while macOS and Windows have supported smart cards and security tokens like YubiKeys forever now, and I use them to log in, unlock, authorize sudo/SSH, etc. every day, 1Password still has no support. There are things that can now only be done through the web interface, like finer-grained control over permissions for shared vaults, and some of those are also nastily locked away behind more expensive subscriptions. I think everything should be manageable through the application, without ever visiting the site. Duplicate items across vaults remain completely manually managed, when automating stuff like that is kind of the purpose of a password manager. Etc. Heck, even within their own subscription service I think they're missing a trick by not having more powerful/flexible organization (including families) and inter-organizational capabilities.
I still think 1Password is the best option for most people. I specifically want my non-technical family and friends to use password managers too as long as it's necessary, and having some multiperson capability is also key to that. I can't say though that I feel like the move to subs has been a huge win in terms of development.
Granted, I'm a little down on the whole field which colors things a bit. Ultimately underlying my feelings is a touch of bitterness that their entire industry even exists. Passwords and password managers are mostly recreating public key auth really, really badly and it stinks. Passwords and other symmetric tokens by definition should never be shared. A website being hacked should never affect me in the slightest, in the same way that me getting hacked doesn't somehow suddenly mean attackers now own Debian/Apple/FreeBSD/Microsoft. Everywhere should just have public keys. We've had the tech for decades and sufficient crypto speed on client systems since at least AES-NI. What's been missing has been glue and effort. It's frustrating every time a hack happens. We shouldn't have to care! Sigh.
> I specifically want my non-technical family and friends to use password managers
I consider it a victory if I can get non-techies to use their browser's facilities to store passwords, and then to choose reasonably long passwords and avoid reuse.
(I use `pass`, myself.)
I use a password manager but, as a mostly-Apple user, I see very little reason not to just use iCloud Keychain: the UX of Apple’s solution is significantly better than all the alternatives because I don’t have to remember yet another password/mfa token to type in every once in a while.
> I use a password manager but, as a mostly-Apple user, I see very little reason not to just use iCloud Keychain
Storing 2FA tokens is one thing iCloud Keychain cannot do (yet?), and it’s the primary reason I use 1Password over iCloud Keychain.
That being said, with Big Sur, 1Password changed its default behavior from being unintrusive to literally obscuring input fields with big “unlock 1Password” pop-ups.
I’m currently evaluating using either Password-store or Bitwarden with bitwarden_rs as a backend as I really don’t want my logins synchronized anywhere I don’t control.
I think the fingerprint auth stuff Apple’s working on will replace MFA: as I understand it, in Safari, the MacBook’s Fingerprint sensor implements the same protocol as a Yubikey or similar.
Hope because it would allow me to utilize my Mac as a Yubikey. I have no idea how they would synchronize it to all Apple devices, but I'm fairly certain they will find a way.
Fear because it will pretty much guarantee I cannot use my password manager on other platforms.
I already use Secretive (https://github.com/maxgoedjen/secretive) to store SSH keys in the secure enclave with touch id integration, and it works really well. I also keep a couple of Yubikeys as backup :)