Being logged in to the 1Password X Extension opens the 1Password web application when trying to edit an item. As far as I understand, it automatically logs in to the 1Password web application without having to authenticate again.
I do understand that from a usability point of view this is expected.
But from a security point of view I would expect that the 1Password X extension and the web application are respected as two separate "clients" where a re-authentication needs to be performed (with 2FA / Security Key).
This gets especially problematic when a user can navigate from the edit form in the web application to any other page he likes - whether this is a "hidden" vault during travel (which gets downloaded to the device / browser storage?) or the profile settings where he could change the travel mode, view other clients or even change billing information. Of course as long as there's an active internet connection.
I would expect that a full re-authentication needs to be performed when accessing the web application - or that only editing is allowed.
I know that the beta provides integration with the native macOS/Windows app which might prevent this. But I'd like to stay with the 1Password X extension which runs on all platforms.
1Password Version: Not Provided
Extension Version: 1.22.3
OS Version: Not Provided
Sync Type: Not Provided