Why do I have to enter my master password and secret key on 1password.com
I'm a disappointed Dashlane user looking for an alternative and just started playing with 1Password.
So far it looks nice, but when looking into multifactor auth (https://support.1password.com/two-factor-authentication/), I am instructed to log in on https://my.1password.com/signin where I have to enter my master password and secret key.
I don't understand why I have to enter these personal secrets on a webpage, when https://1password.com/security/ claims that the password or master secret is never sent over the network.
Comments
-
@stefaan Although it's not obvious to the user, the website works in the same way as the desktop and mobile apps. Each time you visit the website a web app is downloaded to your device which uses the secure remote password protocol to authenticate you without sending your master password or secret key to the server.
I understand 1Password are looking at adding more functionality to the desktop and mobile apps to reduce the need to visit the website. In the meantime, if you are concerned about the security of using a web app then you can minimise the risk by accessing 1password.com in a separate browser profile with only the 1Password extension.
0 -
Thank you for the response, I suspected it was something like that.
Wouldn't it be better that this is at least mentioned somewhere in the fine print on https://my.1password.com/signin? Possibly linking to a page like https://support.1password.com/secure-remote-password/
I understand that some functionality is easier to deploy in a web app than in a desktop app, but can't it be avoided to authenticate with the master password + secret key? For example by generating one-time credentials in the desktop app? Or a one-time login link? Or a QR to scan with mobile app?
0
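The secure remote password exchange mentioned in the first reply, sketched as an added example that is not part of the thread and is not 1Password's code: it runs one SRP-6a sign-in and records every value that crosses the network. Assumptions: the tiny demo group, the PBKDF2 step that combines the two secrets, and all function names are constructed for illustration and do not reflect 1Password's actual parameters or key derivation.

```python
import hashlib
import secrets

# Constructed demo group: 2**127 - 1 is prime but far too small for real use.
N, g = 2**127 - 1, 3

def H(*parts):
    """SHA-256 over length-prefixed parts, returned as an integer."""
    h = hashlib.sha256()
    for p in parts:
        b = p.to_bytes(32, "big") if isinstance(p, int) else p
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def derive_x(salt, master_password, secret_key):
    # Assumption: PBKDF2 over both secrets stands in for the real key derivation.
    material = master_password.encode() + b"\x00" + secret_key.encode()
    return int.from_bytes(hashlib.pbkdf2_hmac("sha256", material, salt, 10_000), "big")

def enroll(salt, master_password, secret_key):
    """Client-side at sign-up: only the verifier v is given to the server."""
    return pow(g, derive_x(salt, master_password, secret_key), N)

def login(salt, v, master_password, secret_key):
    """One SRP-6a exchange. Returns (server_accepts, wire), where wire lists
    every value that crossed the network during sign-in."""
    # Client: ephemeral key pair, sends A.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server: rejects A == 0 mod N, answers with salt and B built from v.
    if A % N == 0:
        raise ValueError("invalid client ephemeral")
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    u = H(A, B)
    # Client: derives x locally from what the user typed, then the session key.
    x = derive_x(salt, master_password, secret_key)
    K_client = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    M1 = H(A, B, K_client)  # proof sent to the server
    # Server: derives the same key from v alone and checks the proof.
    K_server = H(pow(A * pow(v, u, N) % N, b, N))
    return M1 == H(A, B, K_server), [salt, A, B, M1]
```

The server only ever holds `v` and sees `salt`, `A`, `B` and `M1`; a wrong master password or secret key makes the client's proof fail without either secret having been transmitted.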