New feature recommendation

sherifelabd
sherifelabd
Community Member

I don’t know if this is the right place for recommendations or not, sorry if posting in the wrong topic.

However I would recommend 1Password to add a feature of entering an certain master password which opens a fake vault(s) or even turn the “Travel Mode” on. I would really like this feature and I see it very useful.

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Hi @sherifelabd:

    This is a fine place to request features :smile: We appreciate your input on making 1Password even better.

    We're continually evaluating mechanisms we can build to help protect our customers who may find themselves in various scenarios. With that in mind however, we try to avoid building things that could be considered "security theater". In short, it is a relatively implausible attack scenario where opening a fake vault when a duress password was used would be useful.

    Our Chief Defender Against the Dark Arts has spoken further about this concept and its limitations here: https://1password.community/discussion/comment/613610/#Comment_613610

    Jack

  • sherifelabd
    sherifelabd
    Community Member

    Another recommendations:
    In the document & Data category
    1. Allow preview for pics or PDFs
    2. Ability to create folders inside this category.

    Thanks again

  • brank
    brank
    Community Member

    @jack.platten A situation that's "relatively implausible" to 1Password employees is a daily occurrence for some.

    It's relatively implausible for any 1Password employees to be the target of an aggressive corrupt government when traveling across borders. For journalists in China, Saudia Arabia and other countries, it's an activity of daily living.

    It was relatively implausible for any 1Password employee to use iOS Share Sheets functionality but it was something that myself and many others used daily for years.

    I'd caution you not to infer how people may be using your software or how likely certain occurrences may be without having performed market research.

  • @brank

    A situation that's "relatively implausible" to 1Password employees is a daily occurrence for some.

    It's relatively implausible for any 1Password employees to be the target of an aggressive corrupt government when traveling across borders. For journalists in China, Saudia Arabia and other countries, it's an activity of daily living.

    In the interest of fairness: that isn't what we said was implausible. What we said was implausible was that a feature that amounts to security theater would be helpful to you if you were in such a circumstance. In order for such a trick to work:

    The attacker must have the capacity to compel you to unlock 1Password while at the same time not have the power to retaliate once they discover the deception. Or they must be incapable of discovering the deception.

    Note that even if you can fool the attacker at the time that they compel you to unlock, they are very likely to detect the deception at some later time. They are then unlikely to say, "Oh, nice trick. Very clever of you. I guess we lost."

    And please stop with this:

    It was relatively implausible for any 1Password employee to use iOS Share Sheets functionality but it was something that myself and many others used daily for years.

    We're not going to turn every unrelated thread on this forum into a debate about the share sheet.

    Ben

  • @sherifelabd:

    For organizing any Document items, tags would be your best solution. As for being able to preview Documents inside 1Password, I can see how that would be useful, so I've added your voice to a feature request around that. :smile:

    Jack

    ref: dev/core/core#8252

  • brank
    brank
    Community Member
    edited October 2021

    Hi @Ben

    In response to your comment of:

    The attacker must have the capacity to compel you to unlock 1Password while at the same time not have the power to retaliate once they discover the deception. Or they must be incapable of discovering the deception.

    Note that even if you can fool the attacker at the time that they compel you to unlock, they are very likely to detect the deception at some later time. They are then unlikely to say, "Oh, nice trick. Very clever of you. I guess we lost."

    The context of the attacker being likely to detect the deception at a later time seems irrelevant to many scenarios. Imagine a journalist from Israel who travels to Saudi Arabia. They demand he unlock his KeePass keychain (used as an example because they support duress codes). He enters duress code.

    At "some later time" they realize it was a deception.

    Journalist is already back home in Israel, safe.

    If I'm being really fair, then yes, this is far more niche of a security feature than offline vaults. If you're not going to allow offline vaults, which is a far more useful security feature under significantly more circumstances, then duress codes are much less likely to be useful.

    However, duress codes don't have the same problem that offline vaults have, in that duress code functionality won't reduce the need for people to pay for a perpetual subscription to your service. We all understand that offline vaults might jeopardize the subscription business model and we may not be happy, but we understand. Duress codes wouldn't jeopardize the subs.

This discussion has been closed.