feature request

1passquest
Community Member

1password is great. use it on my iphone. would be nice to have a way to add an extra layer of security (secondary pin maybe) so when i access HBO, Netflix, ... that works with face id, but when i access Bank of America, that requires a pin or extra step.



Comments

  • Hello @1passquest! 👋

    Thank you for the suggestion! At the moment 1Password doesn't include an option to require a PIN in order to open certain items or reveal certain passwords. It's certainly an interesting idea and I'm happy to pass it along to the team. Can you tell me a little more about the particular threat model that you're trying to protect against?

    When you unlock 1Password (using your account password or biometric unlock) your data is decrypted so a determined and well-equipped attacker with access to your Mac would be able to access your information since your vault data is already unlocked and decrypted. To require a PIN after your data is already unlocked would potentially, in this case, be an example of "security theatre" where a feature claims to offer more security on a surface level but in reality doesn't actually offer more protection.

    What I personally do on my device is set the auto-lock time to a short duration so that 1Password locks after a short period of inactivity. I also have biometric unlock enabled so that I can quickly unlock 1Password without having to enter my account password. You can find guides on how to configure both auto-lock and biometric unlock here:

    -Dave

  • 1passquest
    Community Member

    great information. i understand the issue better now.

    so i may not be able to give the best threat model, but when i am at a busy crowded overpacked airport, and i want to open netflix, i feel better if i am not also able to open my banking info without an extra step

  • clarino
    Community Member

    1passquest, Wouldn't it be simpler to enable 2FA on your bank? (And don't use 1P for your 2nd factor but something like authy or a hardware token.)

  • 1passquest
    Community Member

    Yes, just thinking of making layered security. The lock in a bank vault does not have the same key as the lock holding the cleaning supplies.

  • 1passquest
    Community Member

    so playing around with other password managers. bitwarden has a nice feature, with temp pin. so i can set a temp pin to open my account. can be shorter than password, and is device/login specific. so if i am in airport, and using password manager, even if someone acquired my pin, and once i close the browser, the pin does not work, they need my passcode.

    i just thought that was a useful feature



  • 1passquest
    Community Member

    as i play around with this feature, it also removes some of the disincentive to have a very long password, and lock your system every time you leave it

  • Hello @1passquest! 👋

    Thank you for the suggestion! Is there a reason why this would work better than using Touch ID to unlock 1Password instead?

    I look forward to hearing from you. 🙂

    -Dave

  • 1passquest
    Community Member

    Great question, I don't have touch id on my computer

  • 1passquest
    Community Member

    i don't use or have touch ID on my computer. the pin is a nice feature. someone from 1password should check it out, and how it functions.

  • @1passquest

    Thank you for the reply. Can you tell me a little more about the "temp PIN" idea? How is the temporary PIN generated? How is the account password securely stored on the device so that it can be used to decrypt a user's data when the temporary PIN is entered? Is the temporary PIN set on the device that the user is logging into or is it set from another device?

    -Dave

  • 1passquest
    Community Member

    so the way it works on bitwarden, is once you type in your password, you are given the option of typing in a temp pin. if you log out or reboot computer, you need to then type in your entire password.

    so if i am stepping away from my computer for a moment, but i am in a trustworthy place (like my office) i then just need to type in my pin and i get access. it is specific to that machine, and that login, and that browser.

  • 1passquest
    Community Member

    Think about setting up a study where hundreds of people in various scenarios need to decide if they should log off the 1password, or stay signed on. People have a lot of very sensitive data, financials, health, personal on the computer. the more u use 1password for more stuff, and the better your password, the greater the conflict about whether the user needs to retype the entire password for every break from the system.

  • Dave_1P
    edited January 2023

    @1passquest

    Thank you for the additional details! One option here might be to enable Travel Mode for certain vaults when you're in risky situations such as an airport. You could keep your bank logins in a dedicated vault and then turn on Travel Mode for that vault so that it's not on your device. Then, when you've left the risky situation, you can disable Travel Mode again:

    -Dave

    edit: I've merged your two related threads together.

This discussion has been closed.