1Password lets Claude access websites without seeing your passwords

▼ Summary
– 1Password’s browser integration lets Claude use stored credentials via biometric approval without passwords ever reaching the AI model or Anthropic’s systems.
– The integration addresses the tension in agentic AI by allowing agents to log in without users handing over passwords or taking manual control.
– After autofill, 1Password checks for secret exposure and clears filled values if submission fails, keeping credentials encrypted.
– Agentic Mode locks down the vault during AI agent use, restricting access to only approved logins and one-time codes for the current task.
– The launch comes amid security concerns about prompt injection attacks leaking credentials, with 1Password emphasizing permission-based credential use over direct access.
1Password has unveiled a new browser integration that allows Anthropic’s Claude AI agent to use stored login credentials to perform web-based tasks, all while keeping passwords hidden from the AI model itself. The company announced the feature in a blog post on Thursday, describing it as a zero-exposure architecture. When Claude needs to sign into a site, 1Password prompts the user with a clear explanation of which credential is required and why. The user must then approve the action via biometric verification, after which the login details are injected directly into the webpage. Claude never sees the vault item, password, or one-time code, and access is revoked once the task is finished.
This development tackles a critical challenge in agentic AI. Browser-based agents like Claude can navigate websites, complete forms, and even make purchases, but hitting a login page has traditionally forced users to either share their password or take over manually. 1Password claims this is the first browser integration that enables an agent to use credentials without gaining direct access to them.
Following the autofill process, 1Password checks whether any secrets were exposed on the page. If submission fails, the extension clears the filled values before handing control back to Claude. The credential remains encrypted and managed entirely by 1Password throughout the entire process.
The launch also introduces Agentic Mode, a feature within the 1Password browser extension that automatically locks down the vault when a compatible AI agent is in control. The agent can only use logins and one-time codes explicitly approved for the current task, while the rest of the vault stays inaccessible. Agentic Mode activates even if the 1Password-Claude integration is not configured, and it supports agents beyond Claude.
The timing of this release is significant. Security researchers have recently demonstrated how AI browsers can be tricked into leaking user credentials through prompt injection attacks, with Anthropic’s own Claude extension among those affected. In the company’s announcement, 1Password CTO Nancy Wang emphasized that the solution is not about handing agents your secrets, but about letting a user give an agent permission to use a credential without allowing the agent to see it. She called that distinction the foundation of trust in AI agents.
1Password for Claude is available now on Mac for business, family, and individual plans. It requires the 1Password desktop app, browser extension, Claude desktop app, and Claude browser extension. The company, which recently acquired Israeli startup Apono to govern AI agent access inside enterprise systems, said it plans to add support for payment cards and identity details after the initial launch.
CNET’s password manager expert Joe Supan noted that he would normally be very wary about giving an AI agent access to his password manager, but that 1Password appears to have several strong guardrails in place, particularly biometric authentication for each login. This integration marks the first time a major password manager has built a dedicated secure channel for an AI agent to use credentials at runtime, rather than exposing them to the model’s context. Whether the approach holds up against the kind of prompt injection attacks that have already compromised AI browsers remains to be seen.
(Source: The Next Web)




