Unlock browser extension with biometrics
Option to use touch ID or a fingerprint to unlock the browser extension.
-
Marcelo Duarte
commented
I'm on the verge of switching back to Apple Passwords so I could have my passwords more secure with the convenience of biometric access. It's a MUST, long-overdue feature for Proton Pass and ProtonMail clients.
-
urge11 commented
Biometric unlock in Safari extension is technically feasible today -- here's how
As a Proton Pass user and software engineer, I wanted to share that this feature is not blocked by an Apple limitation. The Safari Web Extensions API fully supports biometric authentication through a well-documented native messaging bridge pattern. Both 1Password and Bitwarden already ship this in production.
How it works (TL;DR):
Safari extensions can't call Touch ID directly (error -1004: "Caller is not running foreground"). But they can communicate with their native Swift handler (SafariWebExtensionHandler) via browser.runtime.sendNativeMessage(). That handler runs in its own XPC process with full access to LocalAuthentication and the Secure Enclave. The extension asks the native side to authenticate, Touch ID fires, and an encrypted vault key is returned.
Proton Pass already has a native Swift MacPlugin that communicates with the desktop app via nativeMessaging -- the plumbing is in place.
Apple documentation proving this is supported:
- Messaging a Web Extension's Native App: https://developer.apple.com/documentation/safariservices/safari_web_extensions/messaging_a_web_extension_s_native_app
- Messaging between the App and JavaScript: https://developer.apple.com/documentation/safariservices/messaging-between-the-app-and-javascript-in-a-safari-web-extension
- LocalAuthentication framework: https://developer.apple.com/documentation/localauthentication
- Protecting Keys with the Secure Enclave: https://developer.apple.com/documentation/security/protecting-keys-with-the-secure-enclave
- biometryCurrentSet access control (auto-invalidates on fingerprint change): https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/biometrycurrentset
Competitors already shipping this:
- 1Password -- Touch ID in Safari, standalone, no desktop app needed. Uses Secure Enclave key wrapping: https://support.1password.com/touch-id-apple-watch-security-mac/
- Bitwarden -- Touch ID in Safari via native messaging proxy to desktop app: https://contributing.bitwarden.com/getting-started/clients/browser/biometric/
High-level implementation (8 steps):
1. SafariWebExtensionHandler receives { action: "biometricUnlock" } from the extension's background script via browser.runtime.sendNativeMessage()
2. Calls LAContext.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics) to check availability
3. Generates a P-256 key pair in the Secure Enclave with .biometryCurrentSet + .privateKeyUsage access control -- key never leaves hardware, auto-invalidated if fingerprints change
4. At enrollment time (user enables Touch ID): ECIES-encrypts the vault key with the SE public key (SecKeyCreateEncryptedData, cofactor X963 SHA256 AES-GCM), stores the ciphertext in the shared Keychain
5. At unlock time: ECIES-decrypts with the SE private key (SecKeyCreateDecryptedData) -- this is when Touch ID fires automatically
6. Returns a session token (not raw key bytes) to the extension over the XPC channel
7. Extension stores the token in chrome.storage.session (in-memory only, clears on Safari quit)
8. On fingerprint enrollment change, the SE key is automatically invalidated -- user re-enters master password -- new SE key generated
This is exactly the pattern 1Password uses. The architecture is proven, the APIs are stable since Safari 14 (WWDC 2020), and Proton already has the native messaging layer (MacPlugin) in the Safari extension.
This feature has been on the roadmap since Winter 2024 and promised for 2025 across three separate blog posts. The community has given it ~1,600 votes. The technical path is clear -- it's a matter of prioritization.
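Steps 2 to 5 of the comment above, sketched in Swift as an added example (not part of the comment, and not Proton's, 1Password's or Bitwarden's code). The key tag and function names are hypothetical, and it assumes a signed app on a Mac with a Secure Enclave.

```swift
import Foundation
import LocalAuthentication
import Security

let keyTag = Data("com.example.pass.biometric-wrap".utf8)  // hypothetical tag (assumption)
let ecies = SecKeyAlgorithm.eciesEncryptionCofactorX963SHA256AESGCM

// Step 2: is biometric authentication usable right now?
func biometricsAvailable() -> Bool {
    LAContext().canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: nil)
}

// Step 3: P-256 key generated inside the Secure Enclave, bound to the current fingerprint set.
func createEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet], &error)
    else { throw error!.takeRetainedValue() as Error }
    let privateAttrs: [String: Any] = [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: keyTag,
        kSecAttrAccessControl as String: access]
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: privateAttrs]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error)
    else { throw error!.takeRetainedValue() as Error }
    return key
}

// Step 4 (enrollment): encrypting to the public key needs no biometric prompt.
func wrapVaultKey(_ vaultKey: Data, for enclaveKey: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let publicKey = SecKeyCopyPublicKey(enclaveKey) else { throw CocoaError(.featureUnsupported) }
    guard let wrapped = SecKeyCreateEncryptedData(publicKey, ecies, vaultKey as CFData, &error)
    else { throw error!.takeRetainedValue() as Error }
    return wrapped as Data
}

// Step 5 (unlock): the private-key operation is what raises the Touch ID prompt.
func unwrapVaultKey(_ wrapped: Data, with enclaveKey: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let vaultKey = SecKeyCreateDecryptedData(enclaveKey, ecies, wrapped as CFData, &error)
    else { throw error!.takeRetainedValue() as Error }
    return vaultKey as Data
}
```

Any error from unwrapVaultKey (a cancelled prompt, or a key invalidated after a fingerprint change as in step 8) is the signal to fall back to the master password. Per step 6, the native handler would keep the unwrapped key on its side and return only a session token to the extension.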
-
oorweeg
commented
Reviewing ProtonPass as a 1Password replacement and found this thread.
No unlock with Touch ID and Apple Watch on macOS or unlock with Windows Hello makes ProtonPass a non-starter. Without these implemented I can’t subscribe :(
-
plywood412
commented
I've read that this is planned, however only as a method to unlock the entire password manager. I would like to have the option to be forced to use biometrics to unlock each password before it is actually auto-filled. This would allow using autofill with a locked manager, thus we wouldn't have to potentially expose the entire vault. This is also the way the Apple password manager works.
-
Konrad
commented
Coming from 1pass this is my absolute top concern. No auto lock for the browser extension by default alone sounds awful but no biometric option either? This really needs to be prioritized.
-
nichwichdich
commented
I mean, the function is already there: just untie TOTP from FIDO2 and make them a separate option independent of each other, but using FIDO2 while being forced to TOTP along with it makes no sense. Why lower security for FIDO2 users? Do we go now the M7crosoft way and implement features years after we could because we wait for a breach first? I don't get it with you tech companies. We literally pay 120€ each year.
-
SteveUrlz commented
Any updates on this?
-
Rzzzz
commented
clearly proton doesn't know how to implement this
-
Leonard Veillon commented
I just bought the premium version thinking it had this feature. Can't believe it hasn't.
-
Marc
commented
New year, new "luck", that this feature will never be implemented... Keep flooding your customers with new products before old products get bare minimum functionality.
-
Clément Desbrières
commented
I switched from 1Password to ProtonPass, and honestly, this feature is essential for me!
-
Nikolai
commented
Loving Proton, but it's a shame such basic functionality is missing (and was already promised for Q1/2025).
-
Dani
commented
Changing from 1Password to Proton Pass - where the browser extensions can be unlocked via biometrics. A pin is a no-go for me.
-
Loïc Dreux
commented
This feature is available in the Bitwarden extension.
-
Marc
commented
For how many years will this be "under review"?
-
Rzzzz
commented
Uninstalled. Proton keeps making promises but never delivers.
-
Will
commented
I'm loving Proton Pass, but I really miss the "Desktop Bridge" from 1Password.
Unlocking the desktop app should automatically unlock the browser extension. And please add Apple Watch unlock support for Mac.
These two features would make the workflow flawless.
-
Ahmad Amin Farooq
commented
Need this ASAP. I'm baffled why this is not a priority?
-
Mikael Mr Georgelin
commented
Entering a PIN in public isn't very secure. Please enable fingerprint unlocking on Apple Mac. It's safer and much quicker.
-
diackichan
commented
I'd love to not have to enter a PIN every time; Windows Hello's face ID avoids me having to do this.