Secured Desktop by Default
Hi. From what I have read with Secured Desktop a little more secured than the insecured(?) way of unlocking 1Password, why haven't we made Secured Desktop the default way of entering our master passwords by now? Why must I click on that shield icon each and every time? Can we at least have this as an option so we can set it up as a default for those of us who are a little more paranoid?
With that said, can someone point me to the white paper describing why Secured Desktop might be more secured than the standard way of unlocking 1Password?
With thanks.
1Password Version: 7.4.767
Extension Version: Not Provided
OS Version: Windows 10 Professional
Sync Type: Not Provided
Comments
-
Hi @laugher,
Thank you for reaching out!
The "Unlock on Secure Desktop" feature is about creating an isolated desktop where only the specific list of processes are allowed to run on that desktop, in our case, only 1Password-authorized processes. It helps protect against key loggers. The "Enter Master password" dialog appears on another desktop (that we temporarily create ourselves), and Windows messages do not travel across desktops. Key loggers are thus precluded from spying on the (keyboard) messages.
If you always want to use "Unlock on Secure Desktop, try pressing
CTRL + ENTER
on the lock screen before you enter your Master Password. This will activate this feature without an additional click from you. Let me know how it works. Thanks!++
Greg0 -
To be clear, @laugher, Secure Desktop isn't guaranteed to always protect from all keyloggers. It's a very good counter-measure that makes it far less likely that an installed keylogger will succeed in capturing your Master Password, but nothing in this world is completely foolproof and using a compromised device is never totally safe no matter the precautions you take. This blog post takes a bit of deeper dive into the world of keyloggers and how Secure Desktop does (and doesn't) protect you than some may want, but it's a great example of how even very good counter-measures can and have been fooled and why it's important to always use security best practices even when you do have effective counter-measures like Secure Desktop at your disposal.
With that said, why not Secure Desktop all the time? Well, the exact things that allow it to be a good counter-measure against keyloggers also limit things some of our customers depend on. Screen readers can't announce what's on the screen for the visually impaired on a Secure Desktop since their process can't run, just to give one example. We do think how to unlock should be your choice, but in order to provide that choice, the default must be something where all methods of unlocking can work and are accessible to everyone. So, we show the standard lock screen with all options available and allow you to choose.
Now that doesn't mean we'll never provide a setting to choose a different default. We've already kind of done that for Windows Hello by allowing for it to show automatically when enabled and available. But, it does mean Secure Desktop can't be the default out of the box. I'm glad that Ctrl + Enter is easing things for now and I will certain pass along a request to change your own default to the team. :chuffed:
0 -
@bundtkate - thank you for the explanation and love the blog by @jpgoldberg as usual. It might be time to look at something other than the master password to secure vaults.
I'll use
Ctrl + Enter
in the meantime.0 -
@Greg - Just a followup question. The 1Password browser extensions. Are these simply a wrapper for the actual installed 1Password Windows binaries? What is to stop other browser extensions or in fact, another website I have opened in another browser window/tab from intercepting site specific credentials? Could a rogue extension or compromised website activate the 1Password browser extension to dump credentials from the vault? How does 1Password protect us from threat vectors originating from websites/other extensions?
0 -
Hey @laugher ,
Our extensions cannot and will not autofill anything on their own. They will always require the user to initiate autofilling, which is a very important security measure. We've been receiving a lot of requests from users over the years to make 1Password autofill on websites automatically, but we simply won't do it due to that exact security concern. No other extension can trigger our extension, unless you have an extension that can trigger the autofilling keyboard shortcut, but even then, 1Password will only autofill credentials if the website's URL matches the URL in the login entry, which is another security measure that takes place.
0 -
@Yaron - that's great. Thanks for clarifying. When the browser extension is first triggered and before 1Password client has been unlocked and it prompts the user to enter the master password, is the master password directly calling the 1Password client installed on Windows or does it passthrough the 1Password browser extension first? Trying to understand all the secret flows when the browser extensions are used. Thanks.
0 -
Hey @laugher ,
The 1Password companion extension is a mediator that allows the 1Password 7 for Windows app to interact with your browser. The popup that shows up when you need to unlock is 1Password mini, which is a part of the 1Password 7 desktop app, so your Master Password is actually being input directly in the desktop app.
If you're really into our security methods and protocols, I have some interesting reads that you might like:
- About our security model: https://support.1password.com/1password-security/
- Security audits we've passed: https://support.1password.com/security-assessments/
- Our white paper, which explains in detail every aspect of our security and encryption: https://1password.com/files/1Password-White-Paper.pdf
The white paper is a bit technical but if you find the subject interesting you'll enjoy it :)
0 -
@ag_yaron - Excellent. Perfect bedtime reading!
So I guess I should get straight to the point.
Premise. If we accept the fact that browser extensions can be used for ill intent, namely stealing user data and not all useful browser extensions come from well known sources, how do we protect ourselves from an extension acting as a trojan that can be as harmlessly projected as a password strength checker or a session manager or a cookie cleaner, etc, etc but is instead also capturing data it shouldn't be allowed to?
Does the 1Password browser extension mediator have any or leverage of any protection to ensure there are no extensions installed that can read a login/password field on a website? If not, why not and would there ever be plans to have such a feature?
FYI - I've asked the same question to my security software provider. :chuffed: However, this is specific to the login ID/password fields on any web form so I am curious as to AgileBits' position on this.
0 -
Hey @laugher ,
The questions you ask here are covered in the white paper and explain how we keep your data safe, but I'll try to go over the main points of interest:
- Extensions can't install themselves, the user must approve it.
- In the prompt that asks you if you want to add the extension to the browser, there's a list of the permissions the extension is asking for. If an extension is asking for permissions that sound strange in comparison to the extension's function, that should make you think before approving that extension (e.g. an extension that checks password strength asks permission to use your camera/microphone).
- Most browsers separate each extension into its own process and environment, so they can't interact with each other or read data off of each other.
- Our apps and their background processes verify the browser's integrity before they allow a secure connection.
At the end of the day, staying vigilant is the best form of security. If you install a malicious app on your computer, our best defences might not help. We do whatever we can to protect our users, but users need to be aware and stay vigilant at all times, thats security basics :)
0