Have you read news about major breaches of online account login data? In the most recent report, we learn that even verification codes sent via text message are regularly intercepted. Such breaches are becoming more commonplace and also more severe. They often lead to identity theft and other havoc wreaked against account holders.

For users of 1Password, there is a handy reference called Watchtower. This tool rates your overall Internet security and helps identify weak points, such as poor passwords and untapped passkeys.

I previously wrote about Watchtower in Changing Passwords and mentioned it in a few other articles as well. My 1Password workshop series starts this week and this will be a core source of wisdom. As I prepare, this feels like an excellent opportunity to share a bit more about the feature.

Client Notes

Last week, I patiently helped Ann & Joe navigate some confusion in 1Password, prepared Pierre & Estella to participate in my 1Password workshops, continued 1Password cleanup with Roberta, and worked with Phoebe to update compromised passwords.

1Password Watchtower Password Strength Chart

Watchtower Rates Passwords

I just discovered that the Overall Password Strength chart at the top of Watchtower is a clickable experience. Among the 600+ logins in my database, 88% of them are rated “Fantastic.” That’s because 1Password generated them.

When I click on any of the chiclets in the graph — or any of the categories below — 1Password loads the list view of Watchtower. This shows my logins with a dozen category filters so I can easily toggle among Watchtower’s insights (see below).

While I have only 25 passwords rated “Excellent,” I’m glad to know there’s another opportunity to strengthen my security.

When you reset a password, I recommend selecting the one suggested by 1Password. Most of the time, this satisfies the requirements of the website, but occasionally it requires some manual tweaking. Let me know if you want to learn how to accomplish this.

1Password Watchtower List View Categories

Implement Passkeys & Authenticator Codes

I wrote most about passkeys in Biometric Boons, Part 3 — Passkeys. Yet, even now I’m refining my understanding of them and realizing some necessary corrections to this article.

Passkeys use your ability to unlock a device as a means to authenticate and sign into an account. The method of unlocking matters not and could be with biometrics, password, or PIN.

Passkey implementation is still in the early stages of adoption among websites. 1Password has aggregated a directory of sites that support them and Watchtower references this list. Take a look at what’s available and 1Password will help you on the path to add them to your logins.

Where passkeys are not available, the next best thing is verification codes generated by an authenticator app. 1Password can serve as the app that generates these codes and autofills them on login forms. Check Watchtower for two-factor authentication opportunities and know that these are not codes sent by text message.

As I’ve shared before, there’s a tradeoff between convenience and security as to where these codes appear and how to get them where they need to go. I prefer the convenience of using 1Password, knowing the app is extremely secure and near impossible to breach.

Don't Share 2FA SMS Codes

Discontinue 2FA by SMS

SMS is an antiquated and unencrypted method of sending text messages via your cellular carrier. These messages can be intercepted and therefore verification codes sent on this channel are not secure.

When receiving one, you may see a message discouraging you from sharing the code with anyone else. However, you don’t know if a stranger might have already seen it.

Many websites and apps have shifted away from password-based logins and only send codes by email or text message. The embedded security risk is especially high in these cases.

Imagine if a hacker knows your email address and phone number from another breach. If they can intercept your SMS thread, they can log into some of your accounts and potentially lock you out.

You can decline some websites’ offer to send you a code to verify login. However, for those that don’t offer any other method (password, passkey, or authenticator), I encourage you to contact the company and request an alternative.

To streamline this process, I drafted this message template you can use.

Now that I’ve invested in most of the solutions Watchtower has to offer, I don’t spend much time in it. I’ll strengthen a handful of passwords that could be better and return periodically to check for new passkey opportunities.