Separate password to unlock after browser restart / auto-lock
I'm using a long and very secure passphrase for my 1Password account. However, this makes unlocking the vault in the FF extension e.g. after a browser restart (or after autolock if enabled) very annoying, since I now have to type that long passphrase again - and there isn't even an option to not mask the input, so if I make a type, I have to start from scratch.
Please either add an option to unmask the user input, or let people define a separate password/PIN to unlock (similar to how you can use your fingerprint to unlock the android app) while already being logged-in.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @ThiefMaster!
1Password must be unlocked with your Master Password, so I don't believe we even have plans to allow unlocking it with something weaker. However, we are working to make sure 1Password X can be unlocked with biometrics like the desktop and mobile apps ;)
0 -
Doesn't this lower security in the end? I don't know how it's architectured, but assuming some kind of session token is kept after logging in with secret key + master password, allowing a (weaker) password to unlock that session would ensure that:
- an attacker (no secret key and no active session) cannot use an "easy to enter" password to get access
- a legitimate user does not need to enter a high-value password that often
- enabling auto-lock is less annoying because again, you can enter a password that's quick and easy to type after auto-lock-
0 -
The exact implementation would depend on the platform, but you can see the security details of biometrics unlock here (in this case, for Face ID on iOS):
About Face ID security in 1Password for iOS
So as you can see, your data is still protected by your Master Password, even if biometrics is enabled.
0 -
I agree with ThiefMaster and seems to me like ag_ana you are making assumptions about what is technically feasible or how to best approach this.
The idea is that in the web browser plugin, you would still have to login once with your full password. But once you have done that, unlocking it again would be doable with just a pin. The master password would be required if you enter the wrong pin, or after some time has elapsed since last master password entry (say, 24 hours). The pin could be required on every autofill, or maybe there would be an option to have autofill without pin for a period of time after master or pin entered (say a few minutes).
Currently, once you enter master password, 1password does not relock until computer sleeps or I log in/out or specified amount of time expires. This can be hours, even days. If my password is strong, I will have to choose a long expiry time otherwise I will have to enter master often which exposes my master to being sniffed. The pin on its own is useless if it is sniffed, because the master has to have been successfully entered at least once.
This is clearly more secure than what 1password provides now. Moreover, PIN already works in the android app, so it's not like the idea is new.
0 -
Hey @oschoenborn ,
In every platform we utilize that platform's security mechanisms to make the use of 1Password easier (in this case, unlocking). On Windows, we utilize Windows Hello, which allows to unlock 1Password with a pin code.
However, 1Password X in the browser is currently a standalone extension that doesn't integrate with the desktop app, and therefor has no access to Windows hello, so the only way to unlock it currently is with the Master Password. We're definitely working on integrating it for this to be possible, so stay tuned on that :)
From a security standpoint, you can enter your Master Password on your computer as many times as you'd like and you will remain secure. The only way someone will be able to sniff your password is if your computer is compromised, in which case it doesn't matter if you enter the Master Password once every week or once every hour - it will get stolen. There's very little we (and any other security oriented app) can do if a device is compromised.
Our current suggestions for using 1Password X are:
- Adjust the auto-lock settings as you see fit (but we do recommend to not leave it unlocked for very long periods of time).
- Use a strong memorable password which is easy to remember and type: https://1password.com/password-generator/?type=memorable
- Make sure your computer locks up with a pin/password when you're not using it, which is more of a general security approach to stay vigilant than 1Password X related tip.
Hopefully that integration I mentioned will come soon enough, allowing you to unlock it with a pin code after you unlock it once with your Master Password, as the 1Password 7 for Windows app works right now.
0