Pass Quick Access

Product Introduction

1. Definition: Pass Quick Access is a native macOS utility and password management tool that acts as a lightweight front-end for the Proton Pass command-line interface (pass-cli). It provides a system-wide, keyboard-activated floating panel for rapid credential retrieval and includes a secure SSH agent feature.
2. Core Value Proposition: The product exists to eliminate the friction of accessing Proton Pass credentials on macOS, offering a faster, more secure, and keyboard-centric workflow than opening the full Electron-based Proton Pass application. Its primary value is providing quick access to passwords, usernames, one-time codes, and SSH keys directly from any application.

Main Features

1. Native macOS Quick-Access Window: A floating panel built with AppKit (NSPanel) and SwiftUI appears instantly over any active application via a configurable global hotkey (default ⌥⇧Space). It enables searching the Proton Pass vault with the same substring, diacritic-insensitive, multi-word matching algorithm as the official client. Search results are ordered by most recently modified or alphabetically, and users can directly copy a username, password, or one-time code, or open an item's URL. The panel remains signed in by handling Proton session expiration through web login re-authentication.
2. Security-First Architecture: The security model is built on the principle of not reimplementing Proton's cryptography. The app acts as a driver for the official, Proton-maintained pass-cli, which handles all authentication and cryptographic operations. Secrets are never stored or indexed; the in-memory index only holds metadata (titles, URLs, usernames, existence flags for passwords/codes). Passwords and codes are fetched fresh from pass-cli at the moment of copy, marked as concealed on the macOS pasteboard, and automatically cleared after 30 seconds. The release build utilizes macOS's hardened runtime without the get-task-allow entitlement, preventing other processes from attaching to it, and nothing is written to disk.
3. Touch ID-Gated SSH Agent: This feature replicates the SSH agent functionality found in tools like 1Password but is integrated with Proton Pass. It serves SSH keys stored in Proton Pass to git and ssh commands, enforcing Touch ID verification before each cryptographic signature operation. It names the requesting application for user transparency. The private keys never leave pass-cli; the app only adds the native macOS confirmation layer. Setup involves enabling the agent in settings and configuring ~/.ssh/config automatically, with an optional SSH_AUTH_SOCK environment variable setting for compatibility with all tools.

Problems Solved

1. Pain Point: The standard workflow for accessing passwords in Proton Pass requires switching from the current application to find and open the full Electron desktop client, which can be slow to launch and disruptive to concentration. This creates a "context-switching tax" for frequent password use.
2. Target Audience: The primary users are macOS power users, developers, system administrators, and security-conscious individuals who prioritize speed and keyboard-driven efficiency. Specific personas include Software Developers needing rapid access to service credentials, DevOps Engineers managing SSH keys for multiple servers, and Productivity-focused Professionals who use password managers dozens of times daily.
3. Use Cases: Essential for rapid authentication during terminal-based development sessions (copying database passwords), securely managing SSH key access for git operations and server logins with biometric approval, quickly filling web login forms without leaving the browser, and retrieving two-factor authentication codes during login flows.

Unique Advantages

1. Differentiation: Unlike the official Proton Pass desktop app or browser extensions, Pass Quick Access operates as a system-wide overlay without requiring window focus changes. Compared to traditional password managers' SSH agents (like 1Password's), it offers a free, open-source alternative tightly integrated specifically with the Proton Pass ecosystem. It differentiates itself from web-based or Electron apps by being a native macOS application built with AppKit and SwiftUI, resulting in faster performance and deeper OS integration.
2. Key Innovation: The key innovation is its zero-storage, just-in-time secret fetching model combined with native macOS integration. By never caching secrets and relying entirely on the upstream pass-cli for cryptography and session management, it minimizes its own attack surface. The implementation of a Touch ID-protected SSH agent that leverages the Proton Pass vault as the key store represents a significant privacy and security enhancement for macOS-based development and administration workflows.

Frequently Asked Questions (FAQ)

1. Is Pass Quick Access compatible with my Proton Pass subscription and data? Yes, Pass Quick Access is fully compatible with all Proton Pass subscriptions (including free tiers) and data. It works exclusively through the official Proton-provided pass-cli client, accessing your exact same vault and encrypted data. It does not store your credentials separately; it serves as an interface to your existing Proton Pass data.

2. How does the security of Pass Quick Access compare to using the Proton Pass desktop app directly? Pass Quick Access enhances security by never persisting or indexing secret values on disk, clearing the pasteboard automatically, and using a hardened runtime. It delegates all cryptographic operations and authentication to the official pass-cli, ensuring you benefit from Proton's security audits. Its minimal, native macOS design reduces the potential attack surface compared to a full Electron application.

3. Can I use the SSH agent feature if I already use another password manager like 1Password or the macOS keychain for SSH keys? Yes, but with configuration. To use Pass Quick Access's SSH agent, you must first migrate your SSH private keys into your Proton Pass vault. Then, you would configure it as your IdentityAgent in ~/.ssh/config. You would need to disable the SSH agent functionality in your other password manager for the hosts you want managed by Pass Quick Access, as an explicit IdentityFile entry will take precedence over the agent.

4. Does Pass Quick Access work on macOS versions older than macOS 14 (Sonoma)? No, the application requires macOS 14 or later to function. This requirement is necessary to leverage specific modern AppKit and security frameworks used in the application's native architecture and hardened runtime.

5. Is the SSH agent feature secure? Does it expose my private keys? The SSH agent is designed with security in mind. Private keys are never exposed from the pass-cli environment. The agent communicates with pass-cli to sign requests, and the Pass Quick Access app only facilitates the native Touch ID confirmation dialog for each signature. Your private keys remain protected within Proton Pass's encryption layer at all times.