What the new 1Password integration changes

The integration grants access per task, not forever. When Claude asks for a credential, 1Password shows the request and waits for biometric approval. Only the approved vault items are available during that session. The rest of the vault locks down automatically while the browser agent is in control.

The password and MFA code are injected directly into the page through 1Password's channel. Claude knows that a login happened, but it does not receive the actual secret. After autofill, 1Password checks the page for exposed values; if submission fails, it clears the filled fields before control returns to the agent.

The Verge notes that the approval is still an interruption. It is simply a smaller and safer one than manually taking over the browser. At launch, the feature is available to 1Password business, family and individual customers on Mac. It requires the 1Password desktop app and browser extension plus the Claude desktop app and Claude browser extension. Payment cards and identity details are not included yet.

A hidden password is not the same as a harmless action

Suppose Claude signs in to a travel account. Keeping the password out of the model protects the credential. Claude can still choose the wrong date, accept a bad fare or change an account setting once it is inside. The login boundary and the action boundary are different problems.

The same distinction matters at work. A small-business owner might ask for a revenue summary, which 1Password gives as an example. The login may also open refunds, payouts, customer records and account settings. A request that sounds read-only does not shrink the permissions of the account behind it.

So the first team test should be boring. Pick one account, one repeated task and one person who already owns the outcome. Watch where Claude asks for access, what it does after the login, and whether the person can tell the difference between reading, drafting and changing something. If the task ends with five minutes of clean review instead of another support mystery, expand from there.

The rollout question is now easier to answer

Until this release, a manager could reasonably stop at: we are not giving an AI our passwords. The new design answers that objection directly. The credential can stay encrypted and out of the model while the assistant uses it for one approved task.

The next objection is more useful: which logged-in chore is worth delegating? Start with work that is easy to inspect and cheap to undo—pulling information into a draft, checking an account for a known value, or preparing a comparison. Do not begin with purchases, deletes, payouts or account recovery because the login now feels smoother.

Also plan for the setup. Four apps or extensions on one supported desktop platform is manageable for a technical early adopter. It is not invisible to a ten-person company. Someone needs to know what Agentic Mode looks like, why the biometric prompt appeared, and how to cancel the session without guessing which window is in charge.

Two views on the first approved login

Mara Vale sees a clean security improvement with a hard limit: keeping the password out of the model protects the secret, not every click made after authentication. Her first test would use an account where a wrong move can be spotted and reversed without calling a bank, customer or vendor.

Jun Vega cares about the moment a normal user sees the request. The approval should name the site, the credential, the task and what happens when the session ends. If the screen only says Claude wants access, the user is being asked to approve a concept rather than a job.

Those views fit together. 1Password has made the credential handoff smaller and safer. Teams should use that progress to test one useful job carefully, not to turn every saved login into an invitation.