To protect your privacy: email us with billing or account questions instead of posting here.

Why do I have to enter my master password and secret key on 1password.com

stefaan
stefaan
Community Member

I'm a disappointed Dashlane user looking for an alternative and just started playing with 1Password.
So far it looks nice, but when looking into multifactor auth (https://support.1password.com/two-factor-authentication/), I am instructed to log in on https://my.1password.com/signin where I have to enter my master password and secret key.
I don't understand why I have to enter these personal secrets on a webpage, when https://1password.com/security/ claims that the password or master secret is never sent over the network.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • [Deleted User]
    [Deleted User]
    Community Member

    @stefaan Although it's not obvious to the user, the website works in the same way as the desktop and mobile apps. Each time you visit the website a web app is downloaded to your device which uses the secure remote password protocol to authenticate you without sending your master password or secret key to the server.

    I understand 1Password are looking at adding more functionality to the desktop and mobile apps to reduce the need to visit the website. In the meantime, if you are concerned about the security of using a web app then you can minimise the risk by accessing 1password.com in a separate browser profile with only the 1Password extension.

  • ag_ana
    ag_ana
    1Password Alumni

    rootzero is correct @stefaan, let us know if you have any other questions :+1:

  • stefaan
    stefaan
    Community Member

    Thank you for the response, I suspected it was something like that.

    Wouldn't it be better that this is at least mentioned somewhere in the fine print on https://my.1password.com/signin ? Possibly linking to a page like https://support.1password.com/secure-remote-password/

    I understand that some functionality is easier to deploy in a webapp than in a desktop app, but can't it be avoided to authenticate with the master pasword + secret key? For example by generating one-time credentials in the desktop app? Or a one-time login link? Or a QR to scan with mobile app?

  • ag_ana
    ag_ana
    1Password Alumni

    I will mention it to the security and documentation teams @stefaan, thank you for the suggestion :+1:

This discussion has been closed.