Unlock

Hello!

I have windows 10 and Chrome. After some time, 1Password locks, which is good. The only thing is that whenever it asks me to unlock is says that I need to click on the toolbar. An example is here on an image below. Is there a possibility for it to ask me my master password there? It would be so much easier than to go, unlock and then come back. Is there a way to do this?

Thanks a lot!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • kaitlyn
    kaitlyn
    1Password Alumni
    edited April 2019

    Hi @davidchavez – you should have a keyboard shortcut here (see screenshot) that allows you to invoke the 1Password popup and type in your Master Password. I'm wondering if you have another extension that's fighting for the same keyboard shortcut. To get to the extensions page in Chrome, you can paste this into your URL bar: chrome://extensions/shortcuts

    Do you notice another extension with the control-shift-X shortcut? That's the default for 1Password X in Chrome, but you're welcome to change it to something else that isn't being used if you'd like.

  • davidchavez
    davidchavez
    Community Member

    I had some other extension using control + shift + X, but now I only have 1Password assigned to it. If the extension is unlocked, will it open (like clicking it)? I am asking becuase I try the keyboard shortcut and does not do anything.

    Anyways, even if it would work, pressing that keyboard combination is an additional step. Meaning that its either click or keyboard shortcut. Is there a way to ask in there directly the master password and unlock?

  • kaitlyn
    kaitlyn
    1Password Alumni

    Control-shift-X should both open and close the popup whether 1Password X is locked or not. If another extension had that shortcut as well, you'll have to change 1Password X's to something else, then change it back to control-shift-X to reset things.

    We currently don't have an option to unlock 1Password X directly in the inline menu. I'm not sure what the restrictions are there, but that's good feedback! For now, getting the keyboard shortcut working should at least avoid an extra click from you.

  • davidchavez
    davidchavez
    Community Member

    Thanks Kaitlyn, changing to something else, then back to control-shift-X worked.

    Hope that in the future the master password can be entered in that small window instead of thru the toolbar. How are suggestions taken into account for future development? I would like to know in case I have an idea, such as this, and would like to submit for evaluation. I am interested in knowing this since I am migrating to 1Password and want to compare. Thanks a lot!

  • AGAlumB
    AGAlumB
    1Password Alumni

    @davidchavez: Thanks for the feedback! While we can't reasonably do what everyone asks of us, we absolutely listen to all of our customers. As for your specific request regarding unlocking, I'm surprised how infrequently it comes up, so I thank you for mentioning it so I have a chance to talk about the reason it's designed this way. :)

    We don't have plans to have users enter the Master Password inline in the field on the webpage there. It's intentional that we make you open 1Password X from the toolbar button instead, because it would be trivial for a webpage to pretend to be 1Password X to trick you into giving it your Master Password. Since a webpage cannot interact outside of itself, it can't open the toolbar menu itself or simulate one. So 1Password X asks you to open it from the toolbar menu to unlock there, since then the Master Password prompt can be verified to be from 1Password X, not something else.

    Though I'm sorry I've got to say "no" to your request, I hope this helps explain why. Be sure to let me know if you have any other questions! :)

  • davidchavez
    davidchavez
    Community Member

    Hello @brenty! Actually, I agree with what you say, but I think there was a missunderstanding. I am not suggesting to be able to write the master password on the web site input itself, but rather than the "pop up" or "window" from 1Password that emerges saying to unlock, to actually ask it. I've modified quickly the screenshot provided by Kaitlyn to indicate where I mean. So, basically it should be a window from the extension itself, not taking the password from the input as that would mean my master password is vulnerable.

    Let me know what you think.

  • davidchavez
    davidchavez
    Community Member

    Also, I have another idea on top of what I've said. Instead of that to be there, that could be an actual pop up, so that in terms of UX, it is absolutely clear that it is not a website trying to fake 1Password, but a dialog from the extension itself. Right now, asking to click or do the keyboard shortcut is another step on the process, that might make some people to completely turn off the locking functionality, which is also making it less secure. I would like to have it to lock every hour or so, but having to click or keyboard shortcut, after many locks/unlocks proves troublesome and tiring for some of us.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I am not suggesting to be able to write the master password on the web site input itself, but rather than the "pop up" or "window" from 1Password that emerges saying to unlock, to actually ask it. I've modified quickly the screenshot provided by Kaitlyn to indicate where I mean. So, basically it should be a window from the extension itself, not taking the password from the input as that would mean my master password is vulnerable.

    @davidchavez: I understand completely. I'm sorry for not being clearer. I know you don't mean enter the Master Password in the form on the website...but it would be easy for the website to include a fake 1Password X Master Password prompt there too. There's no way for you as a user to differentiate between "a window from the extension" and part of the webpage made to look like the 1Password X extension. Does that help? :)

    Instead of that to be there, that could be an actual pop up, so that in terms of UX, it is absolutely clear that it is not a website trying to fake 1Password, but a dialog from the extension itself.

    There is no way for an extension's toolbar menu to be invoked from the webpage. That's a security feature in the browser, since otherwise webpages could get up a lot of mischief. As far as "actual" popup, the only way you as a user can distinguish between UI the webpage is showing and a browser extension is by opening the browser extension from the browser's toolbar, since the latter opens entirely outside the web page itself, as part of the browser's UI:

    Put another way, if you open 1Password X from its toolbar button, you know that's 1Password X. Otherwise what you're seeing may just be part of the webpage, like this:

    If I were malicious, I'd simply code that to instead of using a badly cropped screenshot, with an actual password field that would allow me to collect what you entered.

    Right now, asking to click or do the keyboard shortcut is another step on the process, that might make some people to completely turn off the locking functionality, which is also making it less secure. I would like to have it to lock every hour or so, but having to click or keyboard shortcut, after many locks/unlocks proves troublesome and tiring for some of us.

    You're not wrong, but what you're asking for just isn't feasible currently. And someone keeping 1Password unlocked longer on their local machine is better than them giving their Master Password to an attacker.

  • davidchavez
    davidchavez
    Community Member

    Thanks for the explanation. Although I agree with the security concerns, I am not completely sure that it cannot be solved without risking the security of the account. I am still deciding to migrate from your competitor LastPass. They use something interesting that opens a pop up dialog or a new tab with that information. So, technically it is possible somehow, but well, I just wanted to share this in case it can be considered. I'm not saying do as they do it, just trying to find a solution, since it might sound just a little thing, but having to unlock everytime by keyboard shortcut or clicking the extension is kind of tiring.

    As I said, I'm still not sure that having some functionality like this would necessarily mean to risk the account. I understand this is not a simple problem, just wanting to prove my point that it is worth dedicating some time thinking about it in order to have a better UX and still keep things secure by avoiding any phishing attempts. I know nothing can be done now, just asking to not completely discard it now as something that is unsecure to build, but something that needs thinking to provide a better solution than your competition yet meeting users' needs, or at least the people that need this :)

    Thanks a lot!

  • AGAlumB
    AGAlumB
    1Password Alumni

    Likewise, thanks for your feedback on this! :chuffed: Our concern is that training people to enter their Master Password in the browser window/tab of another site, while we may be able to do it securely behind the scenes, locally on the device, would be trivial for a malicious website to spoof; and at that point we've setup the user to do something they really shouldn't in that situation, and have no real way of even recognizing that. Opening a separate window/tab for our own site could be feasible, but of course that would be "tiring" for some people too. So, for all of those reasons and more, it's something we need to evaluate carefully in the context of security and feedback from all of our customers. Cheers! :)

  • davidchavez
    davidchavez
    Community Member

    Yes, I understand. Thanks a lot for taking the time to read. I just try to have something quicker and secure. For example, right now my valut was locked, and pressed control-shift-x to unlock, and after that, I had to click again on the username input since the focus did not return. So, it seems that eventually I have an extra step. I just hope there is a new way to do this, is not critical of course, but it is a nuisance. Maybe it is not a pain point for anyone except me, but well, hope this is considered eventually at some point. Thanks!

  • AGAlumB
    AGAlumB
    1Password Alumni

    @davidchavez: We don't have direct control over focus in the browser...but in my experience focus does go in the Master Password field when invoking the extension (as other extensions seem to be given focus by the browser when invoked). Can you tell me the exact OS, browser, and extension versions you're using? You omitted all of that information from your original post, and that may have changed anyway. Do you have other apps/extensions which may be interfering with keyboard focus? I don't think it's reasonable for us to make changes that impact security for all 1Password users just to get around a focus issue, but perhaps we can find the cause for this on your machine. It sounds like having focus work as expected would remove the nuisance for you. :)

  • davidchavez
    davidchavez
    Community Member

    I got the focus on the extension to write my master password, that was never the problem. My problem was the focus did not go again to the username/password field to select the correct one from the dropdown. But I found out that whenever I wrote my master password, it could just press enter into the first record, still on the main extension, and it will fill, which solves this focus thing.

    You can close this ticket, I'm just hoping that the initial thing to unlock not only from the main extension but also from a more intuitive way might be possible in the near future after more analysis and not disregarded immediately. Thanks!

  • AGAlumB
    AGAlumB
    1Password Alumni

    Ohhh okay. Thanks for explaining. I misunderstood. Glad to hear that did the trick for you. :) And indeed, if we can find a way to offer more convenience without sacrificing security, I'm sure we will. Cheers! :chuffed:

This discussion has been closed.