1Password's recent security updates address two identified vulnerabilities (CVE-2024-42218 and CVE-2024-42219) following a disclosure by researcher Pablo Sabbatella. He reported a deviation from cryptographic best practices related to hardware tokens requiring a PIN for local authentication, which 1Password initially classified as a minor issue.
After 100 days, the company decided to implement mandatory PIN verification for hardware tokens in its desktop applications starting July 2026, aiming to enhance security. This change aligns the desktop client with the browser extension, which already mandates PIN verification.