
Conceal any text field in a 1Password entry

dutchminator
Community Member
edited December 2022 in Lounge

My use case
I want to store my 2FA recovery codes for services in 1Password in case my phone or yubikey breaks/gets lost/is replaced. I want these recovery codes to be hidden from sight unless revealed, much like my password or credit card's PIN and verification number are hidden.

Current functionality
At the moment only the "Password" or "One-time password" field type is concealed, and it is a single-line field with a "generate password" button that overwrites the current value without warning. When I copy-paste in the 8 or 10 recovery codes that are generated by services, the newline character is ignored, which potentially destroys the formatting of the recovery codes, making them hard to use.

Desired functionality
Ideal solution:
Allow us to mark a multi-line text field (much like the "Notes" field) as [conceal this field], so that my 2FA recovery codes cannot be accidentally seen by others unless they are explicitly revealed, just like how password fields currently work.

OR less flexible and complex, but solving my use case:

Add a default concealed multi-line textfield called "2FA recovery codes" to password items, which is concealed until revealed.

Previous feature requests
Similar feature requests go back all the way to 2013, for example this one (https://1password.community/discussion/12433/feature-request-hidden-notes-within-login-entry) or more recently in 2019 this one (https://1password.community/discussion/107901/mask-fields). However, both discussions had been closed without a proper resolution in place.

Why should the 1P team care?
Almost every service implements and requires 2FA nowadays, and sneak-peeking 2FA recovery codes becomes a major security risk if someone is able to look over my shoulder, e.g. in any office or public location.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • sitepodmatt
    Community Member
    edited December 2022

    Yes, it is utterly insane that masked/concealed isn't the default. My 1Password opens to a secure note revealed by default :facepalm: along with "new entry" password revealed/unmasked by default; it makes me wonder if they forgot the #onejob principle.. Meanwhile they force their incessant prompting for the ssh-agent as it's "good practice"

    The inconsistency in security approaches in this product is alarming.

  • TwiN
    Community Member

    One thing all password managers have yet to implement is a per-item client-sided encryption mechanism using a password/key completely unbeknownst to the password manager itself.

    Let me explain what the feature would look like first.

    The feature would essentially allow users to make an item "password protected", but this password would not be their account's password nor their account's secret key, it would be a password of their choosing unique to that item. Said password would then be used to encrypt the item's data.

    On 1Password's side, the (client-side encrypted) item would be encrypted again using the existing mechanism, the difference being that unlike with normal items, the items that are password-protected are encrypted on the client side, which means they would not be compromised even if somebody else gained access to a user's 1Password account.

    This would allow users to protect very sensitive items and make it significantly harder for a malicious actor to gain complete access to a user's information even in a scenario where they gain physical access to a user's device or if 1Password is ever breached.

    These items would of course be impossible to recover should the user forget the item's password, as such, it may be a good idea to hide the password protection unless a setting enabling the feature is toggled by the user with a warning mentioning the risk of forgetting their password.

    When a user would try accessing the item, they would always be prompted to enter the item's password.

    This would be useful for securing the following types of items:

    • Bank account credentials
    • Credit cards
    • TOTP (while I agree with some of the points made in https://blog.1password.com/totp-for-1password-users/ and I have hardware security keys for accounts I want true MFA on, it is an undeniable fact that if the feature exists, people will use it, even if it's not always the best decision, and a malicious actor with physical access to a device on which the user is already authenticated to 1Password would be able to do a lot of damage)
    • Important credentials, such as the 1Password credentials that are added automatically upon account creation as part of the "Starter Kit"

    Right now, the only alternative I have is to create a "Document" item and upload a password-protected archive, but that's not the most portable or ideal solution.


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Browser: Not Provided

  • Dave_1P

    Team Member

    Hello @TwiN! 👋

    Thank you for the suggestion! All of the items in your 1Password account are already protected with end-to-end encryption using a private key that is derived from two secrets that 1Password does not know: your account password and Secret Key. All that we see on our end are encrypted blobs of gibberish. You can read more about what we know and don't know about users here: What we (don’t) know about you | 1Password

    This means that no one but you can decrypt your information.

    On 1Password's side, the (client-side encrypted) item would be encrypted again using the existing mechanism, the difference being that unlike with normal items, the items that are password-protected are encrypted on the client side, which means they would not be compromised even if somebody else gained access to a user's 1Password account.

    I'm not quite sure what you mean. All of your items are already encrypted on the client-side (on your local device) before they ever leave your device. Can you expand a little further about what specific threat model you're trying to protect against? In what scenario would an attacker gain access to both your account password and Secret Key but not a third password for specific items?

    -Dave

  • TwiN
    Community Member

    Hello @Dave!

    By default, when you create a 1Password account, an entry "1Password Account" is created with the tag "Starter Kit".
    This entry contains:

    • Your 1Password password
    • Your 1Password secret key

    Let's say somebody gained access to your computer or your phone, and your account was unlocked.

    They would effectively have access to everything they need.

    LastPass had a feature to protect against this which was basically an optional checkbox on each entry labeled "Require master password re-prompt", which, if enabled on a specific entry, forced the user to re-enter the master password (even if you had already logged in) to view the item's details.

    This would make it so even if a user gained physical access to your account, they'd have to re-enter your password (which they do not know). Securing very important logins (e.g. 1Password Account, bank account, private documents, etc.) would be an excellent way to ensure that physical access to a device does not guarantee access to every login.

    This may seem like a stretch, but given how many phones are stolen every year, it's not that unusual.

    Anyways, what I was suggesting was implementing something similar to what LastPass has (per-item configuration that lets users configure whether the password should be re-prompted to view the credentials), but while allowing users to set an arbitrary password.

    To be honest, the per-entry password suggestion can be ignored, but the ability to require master password re-prompt on items of one's choosing would be a very welcome security feature.

  • Thorz
    Community Member
    edited January 19

    Hello

    I have been testing the family plan for some days and there is a ton of things that I like.

    But, I don't understand 1Password's constant denial position about the topic of the usefulness of a master password or biometric reprompt (double verification) for eligible items.

    I have been following the support and discussion channels about the service (on this website, Reddit, Twitter, Facebook) for a long time and this is something that gets asked quite often by users.

    I understand perfectly that this is not something that is going to protect vault contents against a professional cyber attack executed locally on the machine, but protecting against this has never been the point of this feature. The point is to have an extra barrier of protection on your most critical items in case you forget to lock your OS. Who hasn't been in that situation?

    Let's say you are alone at home and go to the bathroom. Being alone in your own house you aren't thinking that someone is going to enter, it is easy to forget to lock your PC / Mac at that moment. Suddenly, your kids or partner enter the house. They will have a moment to easily access information from one of the sensitive items stored in 1Password, like your master password, secret key, credit card number or content in a Secure Note. Neither your kids nor your partner are NSA operatives that are going to be able to breach your machine to extract your 1P master password from a memory dump, but anyone that uses the unlocked PC/Mac at that moment can access sensitive info under a situation like this. A simple master password or biometric reprompt is enough to stop this from turning into a bad situation for you and will keep your sensitive items where you have decided to use this option out of their prying eyes.

    Do you really think that every other respectable password manager out there is wrong in implementing this, or that all of them are putting their customers at risk engaging in a dangerous "security theater" as I have seen this called by 1Password team members in many threads about this topic in the past?

    This is something really trivial for the devs to implement and isn't going to hurt anyone. The option could be easily accompanied by an explanation text like the one you use beside the already implemented Watchtower option if you really think that this could give a false sense of security to a minuscule portion of 1P users. That text says today "This feature may pose a small risk to people that reuse similar passwords". This small risk hasn't stopped you from implementing the option to use Watchtower, has it? "Options" is the keyword here, please let us have the option of a master password / biometric reprompt and if you want, just explain the risks, as every other good password manager on the face of the earth already does in 2023.

    Thank you for your time.


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Ventura
    Browser: Chrome

  • sjefen6
    Community Member
    edited January 22

    Please add my voice to this request.

  • sjefen6
    Community Member

    I am sorry, seems like I did not read the entire thread. I don't agree with preventing local attacks. Just lock your computers, locking your vaults. But I don't get why a simple concealed text field type is an issue that has been left standing for almost 10 years. This is a simple UI issue. Just duplicate the text field type and make it concealed with an action to reveal like the password type fields. I don't think this is hard. If 1Password doesn't want to fix it that's fair, they should just say it. But I don't like my recovery codes mooning people watching me copy my password to an app that does not auto-fill.
