feature request
1password is great. use it on my iphone. would be nice to have a way to add extra layer of security (seconday pin maybe) so when i access HBO, Netflix, .... that works with face id, but when i access Bank of America, that requires a pin or extra step.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided
Comments
-
Hello @1passquest! 👋
Thank you for the suggestion! At the moment 1Password doesn't include an option to require a PIN in order to open certain items or reveal certain passwords. It's certainly an interesting idea and I'm happy to pass it along to the team. Can you tell me a little more about the particular threat model that you're trying to protect against?
When you unlock 1Password (using your account password or biometric unlock) your data is decrypted so a determined and well-equipped attacker with access to your Mac would be able to access your information since your vault data is already unlocked and decrypted. To require a PIN after your data is already unlocked would potentially, in this case, be an example of "security theatre" where a feature claims to offer more security on a surface level but in reality doesn't actually offer more protection.
What I personally do on my device is set the auto-lock time to a short duration so that 1Password locks after a short period of inactivity. I also have biometric unlock enabled so that I can quickly unlock 1Password without having to enter my account password. You can find guides on how to configure both auto-lock and biometric unlock here:
-Dave
0 -
great information. i understand the issue better now.
so i may not be able to give the best threat model, but when i am at a busy crowded overpacked airport, and i want to open netflix, i feel better if i am not also able open my banking info without an extra step
0 -
1passquest, Wouldn't it be simpler to enable 2FA on your bank? (And don't use 1P for your 2nd factor but something like authy or a hardware token.)
0 -
Yes, just thinking of making layered security. The lock in a bank vault does not have the same key as the lock holding the cleaning supplies.
0 -
so playing around with other password managers. bitwarden has nice feature, with temp pin. so i can set a temp pin to open my account. can be shorter then password, and is device/login specific. so if i am in airport, and using password manager, even if someone aquired my pin, and once i close the browser, the pin does not work, they need my passcode.
i just thought that was a useful feature
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided0 -
as i play around this feature, it also removes some of the disincentive to have a very long password, and lock your system everytime you leave it
0 -
Hello @1passquest! 👋
Thank you for the suggestion! Is there a reason why this would work better than using Touch ID to unlock 1Password instead?
I look forward to hearing from you. 🙂
-Dave
0 -
Great question, I dont have touch id on my computer
0 -
i dont use or have touch ID on my computer. the pin is a nice feature. someone from 1password should check it out, and how it functions.
0 -
Thank you for the reply. Can you tell me a little more about the "temp PIN" idea? How is the temporary PIN generated? How is the the account password securely stored on the device so that it can be used to decrypt a user's data when the temporary PIN is entered? Is the temporary PIN set on the device that the user is logging into or is it set from another device?
-Dave
0 -
so the way it works on bitwarden, is once you type in your password, you are givin the option of typing in a temp pin. if you log out or reboot computer, you need to then type in your entire passwrod.
so if i am steping a way from my computer for a moment, but i am in a trustworthy place (like my office) i then just need to type in my pin and i get access. it is specific to that machine, and that login, and that browser.
0 -
Think about setting up a study were hundreds of people in various scenarios need to decide if they should log off the 1password, or stay signed on. People have a lot of very sensitive data, financials, health, personal on the computer. the more u use 1password for more stuff, and the better your password, the greater the conflict about whether the user needs to retype the entire password for every break from the system.
0 -
Thank you for the additional details! One option here might be to enable Travel Mode for certain vaults when you're in risky situations such as an airport. You could keep your bank logins in a dedicated vault and then turn on Travel Mode for that vault so that it's not on your device. Then, when you've left the risky situation, you can disable Travel Mode again:
-Dave
edit: I've merged your two related threads together.
0
