Enter master password only in pop up?

Hi,
wanted to use 1Password X on Linux, and when I click on the extension the first time it always redirects me to the web login.
On the other hand, you state on your page about 1Password to only enter master password in the pop up of the extension, but that never shows up when signing in the first time.

Guess the first sync has to be done via web login rather than the pop up, is that correct? Just wondering, as I want to avoid crypto over https wherever possible.

Comments

  • ag_ana
    1Password Alumni

    Hi @guidanceseeker!

    I believe 1Password X uses cookies to know if you have authenticated in the past or not. Is your browser perhaps set not to store cookies for 1Password.com? This would explain why you are asked to authenticate every time instead of just having to enter your Master Password.

  • [Deleted User]
    Community Member

    @ag_ana
    Thanks. That's already clear to me. Question is more why the authentication itself is not directly happening within the pop up of the extension, thereby avoiding any website login.

  • AGAlumB
    1Password Alumni

    @guidanceseeker: Either way, it's talking to the same server in the same way. And since we're not relying on TLS for 1Password's security and using SRP to avoid transmitting any secrets period, it's a moot point. :)

  • Hi @guidanceseeker,

    Mitch from the 1Password X team here. There are several reasons why 1Password X requires accounts to be added from 1Password.com, ranging from basic engineering concerns (it's better to develop and test one code path and UI) to data loss prevention: if you uninstall the extension, you'll still have an account added in your browser and you'll still be able to recover your Secret Key.

    As @brenty said, the security of 1Password is not dependent on TLS, and the actual cryptography is performed locally on the device using WebCrypto, whether you use the extension or the website.

    All that said, there are inherent shortcomings of trusting a web app delivered over HTTPS, and some people have threat profiles which would preclude them from using it. We will keep these use cases in mind as we continue to develop 1Password X and other solutions for Linux users!
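
The SRP point made in the two replies above, as an added example that is not part of the thread and is not 1Password's code: a textbook SRP-6a exchange with client and server run in one process, showing that only the user name, salt, public values A and B and a key proof cross the wire. Assumptions: the 1024-bit group from RFC 5054 and a single SHA-256 for the password-to-x step are chosen for brevity, and the credentials in the demo are constructed sample values.

```python
import hashlib
import secrets

# 1024-bit safe-prime group from RFC 5054 Appendix A, g = 2 (small, for brevity).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2

def H(*parts):
    """SHA-256 over length-prefixed parts (ints big-endian), returned as an int."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(len(p).to_bytes(2, "big") + p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def enroll(user, password):
    """Client, once: derive x locally; only (salt, v) is given to the server."""
    salt = secrets.token_bytes(16)
    x = H(salt, user, password)  # assumption: a real client uses a slow KDF here
    return salt, pow(g, x, N)

def login(user, password, salt, v):
    """One exchange, both sides in-process. Returns (wire, accepted, client_key)."""
    a = secrets.randbelow(N - 2) + 1      # client ephemeral secret, never sent
    A = pow(g, a, N)                      # client -> server
    b = secrets.randbelow(N - 2) + 1      # server ephemeral secret, never sent
    B = (k * v + pow(g, b, N)) % N        # server -> client, together with salt
    u = H(A, B)
    if A % N == 0 or B % N == 0 or u == 0:
        raise ValueError("illegal SRP value, abort")  # each side must check this
    x = H(salt, user, password)           # recomputed on the client only
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    K_client, K_server = H(S_client), H(S_server)
    M1 = H(A, B, K_client)                # client -> server: proof it holds K
    wire = {"user": user, "A": A, "salt": salt, "B": B, "M1": M1}
    return wire, M1 == H(A, B, K_server), K_client

if __name__ == "__main__":  # constructed sample credentials
    salt, v = enroll(b"alice", b"correct horse")
    print(login(b"alice", b"correct horse", salt, v)[1])  # matching password
    print(login(b"alice", b"wrong guess", salt, v)[1])    # wrong password
```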

  • [Deleted User]
    Community Member

    @Mitch
    Thanks to you too, and for your kind explanations.

  • ag_ana
    1Password Alumni

    On behalf of Mitch, you are welcome! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

This discussion has been closed.