Security/Authentication in Safari

Manorake
Community Member

Hi there,
I noted that 1Password handles authentication with fingerprint a little bit differently from, e.g., Apple's Keychain.
If I go to a website and credentials need to be entered, 1Password unlocks the whole vault instead of just authorizing the usage of the related password. Now the whole vault is unlocked in the Safari extension for a certain time (according to the user's settings), and if users do not lock their computer (which is still a risk!) when away, access to 1Password could be obtained. This is even more risky as 1Password stores the recovery key and master password by default.

It would be better to implement an independent authentication for credential usage and for full access to the entries stored in the vault, wouldn't it? Keychain does handle this independently. Why is this not addressed? Or is it somehow configurable?

Comments

  • Lars
    1Password Alumni

    Welcome to the 1Password Support Community, @Manorake! I'm not quite sure what you mean by "1password stores the recovery key and master pw by default"; I don't know what you're referring to by "recovery key," but your Master Password is never written to disk.

    When you enable Touch ID on a compatible Mac, 1Password will store an encrypted secret in the Secure Enclave of your Mac. If you'd like to read a good overview of how it's done, this post from rickfillion is probably best, and the more-detailed follow-up from our Chief Defender Against the Dark Arts (AKA Security Team lead, jpgoldberg) is even more granular. Let us know if you have any questions. :)

  • Manorake
    Community Member
    edited February 2021

    Thanks a lot, that is interesting. But I think my points go in a different direction here. It's more related to basics:

    When specific credentials are required in Safari

    • I have to unlock the whole vault in Safari (by entering the master password or fingerprint) to see if specific credentials are stored in 1Password.
    • Once unlocked, the vault is open for a certain time. Users sitting in front have full access to all passwords, at least in the Safari plugin. The re-use of specific credentials on new pages also does not require re-authentication.
    • In my case, 1Password created an additional vault entry "1Password Account" tagged with "starter kit", including the account key and master password, which could also be dangerous if the vault is left open.

    Compared to the standard Apple Keychain:

    • Credentials are directly visible when clicking in a specific field, but the usage itself must be authenticated.
    • Users do not get access to other passwords just because they used one credential. If you want to open the "Passwords" section in Safari, you have to authenticate again.

    From a security perspective, I would prefer the possibility to configure the second behavior. Using a credential out of 1Password should not unlock the whole vault. There are a lot of users who do not change the default Mac settings (lock-out times, screen savers, etc.) or the default 1Password security settings, so there is a risk that someone physically sitting in front of the Mac could have access to the entries in the vault.

This discussion has been closed.