1PW extension insecure

rb_stern
rb_stern
Community Member
in 1Password in the Browser

I have installed the 1PW extension in the 2 browsers I use - Brave and Safari. When I click on the extension icon and hit autofill, the full details including the password appear, without asking me for a touch ID. This is very insecure, as obviously anyone using my computer only has to hit tht icon and immediately get access to all my work, banking etc. password. How to enable touch ID on these 2 extensions? (Macbook Pro with M1 chip, Monterey 12.3, 1PW 7.9, Brave 1.42.88, Safari 15.4

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Comments

  • Joy_1P
    Joy_1P
    1Password Alumni
    edited August 2022

    Hey @rb_stern! Sorry for the delay in response. With the 1Password extension in the browsers you mentioned, I want to note the following:

    1. There is a built-in extension for Safari that is installed when you set up the 1Password 7 app on your computer. If enabled, then this extension locks and unlocks in sync with the 1Password app.
    2. The classic extension, which is used in browsers outside of Safari, is also a companion extension. It locks and unlocks in sync with the 1Password app.
    3. If you have the new extension set up in Brave instead, then that extension is a standalone tool. However, the new extension does have a feature which links to the app called shared lock state. This feature is on by default. With it on, if you lock/unlock the app, the extension will lock/unlock as well.

    Essentially, if you unlock the 1Password app and then use the browser, any of the above extensions will also be unlocked. The idea behind that is to make the lock/unlock process easier so that you only have to do it from the app. It is not insecure, as the extensions will not be unlocked unless you've taken action to unlock the app. Your Account Password or Fingerprint ID is still required.

    I have two questions:

    1. Is the description above consistent with the behavior that you're seeing? If not, then I'd like to get more details about what's going on so that I can see if there's potentially something broken.

    2. Are you looking to perhaps keep the extensions independent from the app so that you're asked to unlock them anytime you open or close the browser? It's possible to do this with the new extension. Let me know if you're interested in it.

    I look forward to hearing from you again.

This discussion has been closed.