Feature Idea - Intercept Email Codes / Magic Links
iOS/macOS does an awesome job of grabbing SMS 2FA codes, but more and more sites I use are doing email 2FA/passwordless logins. This is normally either done by giving a 6-digit code and/or providing a "magic link". It would be really cool if 1Password could be given access to an IMAP email account and monitor for these login items.
I think this would be a good feature because, while email auth is more secure than SMS, it's a bit of a pain to jump between mail and whatever login page.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
Upvoting this because that is what I've been looking for too!
1 -
Hello @notnotjake and @cristianduguet! 👋
Thank you for the suggestion! The difficulty here is that 1Password would have to be given continual access to your email inbox which is something that we don't want access to. Any password manager that implemented such a feature would then have to continually scan and read all of your emails 24/7 in order to look for, and identify, 2FA codes and magic links.
I would recommend reaching out to the services that do use magic links or 2FA-over-email to request that they offer other options such as TOTP two-factor authentication. You can also see if they support signing in using something like "Sign in with Apple" which 1Password can then save and suggest: Use 1Password to sign in to sites with supported providers
-Dave
0 -
I understand the security concern from that. This could be bypassed by offering a sort of "email masking" service, like Apple's Hide My Email, to keep the emails of the user private.
If 1Password offers simple email proxy inboxes (it could be even just one for all my accounts), then the privacy and security vulnerability issues your users would be exposed to will be much lower :)
Thank you for suggesting the alternatives, too! I hope medium and nomadlist listen to me here.
0 -
Thank you for the reply. At the moment, 1Password's design means that it has no insight or awareness into what kind of information you're storing in your vault. If you have your login information for Google saved in 1Password then, because everything is end-to-end encrypted, 1Password doesn't even know that you have an account with Google or that you're storing your account credentials for Google in 1Password.
The idea for an email proxy service is interesting, but it doesn't answer all of the privacy and security concerns. Since regular email isn't end-to-end encrypted, the design of 1Password would suddenly change since 1Password would be able to see the unencrypted headers and email body content. And since emails from services also contain other data such as usernames and personally identifiable information, 1Password would be able to see that as well. Now, you might say that you trust 1Password not to abuse this data, but the lack of end-to-end encryption for such a theoretical feature would also make it more vulnerable to breaches and interception since it wouldn't be protected by our end-to-end encryption and Secret Key architecture.
Running an email service is a large undertaking and tricky to do well. It's one of the reasons why we partnered with Fastmail, who do an amazing job and have decades of experience with email, for masked email addresses: Masked Email
All that being said, magic links and email 2FA can be frustrating and I've passed along your feedback to the product team. They'll investigate if there's a way that we can help make things better while keeping your data private and secure. 🙂
-Dave
ref: PB-30521191
0 -
Thank you! For future reference to the Product team too, here are some of the websites I've found to be using magic links:
- notion
- momondo
- medium
- nomadlist
0 -