Secure Desktop Function Removed?

Shootah
Community Member

With the latest update of 1Password 8, it appears as if the functionality of using the secure desktop sign-in feature was removed? Can someone provide some insight on this? For now I guess for us users that want that, we just downgrade back to 1P 7? Can we petition to have this functionality re-introduced? Or am I missing a setting?

Thanks


1Password Version: 8.9.13
Extension Version: Not Provided
OS Version: Windows 10
Browser: n/a

Comments

  • Hi @Shootah, thanks for reaching out about this! You're correct that the latest release of 1Password 8 does not include the Secure Desktop feature.

    This functionality remained in our beta and nightly channels for quite a while; however, due to the change in architecture between 1Password 7 and 8, it was challenging to get this feature working up to the standards expected of 1Password. When considering this, alongside the increased availability of alternate ways to authenticate (Single Sign-on and Windows Hello), and security features such as the Secret Key and two-factor authentication, it was decided to not move forward with the Secure Desktop feature in 1Password 8 for Windows.

    However, we are monitoring community feedback about this, and I would be happy to pass your feedback along to our Product team - just let me know!

  • oschif
    Community Member

    Hello,
    I used Secure Desktop in my previous password manager.
    It made sure that I type my password in the correct window and don't accidentally type it elsewhere.
    It's unfortunate that you don't have this feature.
    I hope you reconsider, because typing my master password is one of the most vulnerable moments when something can steal it.

  • Hello @oschif,

    Thanks for your reply and feedback about Secure Desktop.

    As Gem mentioned, we have other features in place, such as the Secret Key and two-factor authentication. Your account information is encrypted by both the Secret Key and your account password and a malicious user would need both to decrypt your account data: About your Secret Key

    Do these features, coupled with the use of Windows Hello to unlock 1Password on your Windows PC, work for you?

    If you can provide some additional details about why you feel Secure Desktop would be valuable on top of the other features included, I'm happy to pass your feedback along to the Product team for future consideration. Thanks!

  • Kyrra
    Community Member

    @ag_mike_d I'm not the OP, but I see the threat model as protecting against any kind of malware. A keylogger would be able to snoop the master password, then be able to replay it on your desktop at some point later to extract all data from my account. Having security measures in place to prevent the master password being logged seems like it would drastically harden security on Windows given how easy it is to spy on other processes and keylog data on them.

  • ag_mike_d
    edited August 2023

    Hi @Kyrra,

    Thanks for your message. During our discussion with the development team, it was noted that secure desktop is not a 100% guarantee that a keylogger can't read your password; it only hides it somewhat from malware that isn't trying.

    With the details provided in my post here and above, alternate ways to authenticate caused the team to remove this feature.

    We're keeping ongoing feedback for our Product team.

  • laugher
    Community Member

    Still monitoring this from time to time. I think the decision to remove Secure Desktop for master password entry is a poor one to say the least if it wasn't entirely clear in my previous posts! :-)

    While I understand Secure Desktop for 1Password is less secure than Microsoft Windows' own system level processes triggering it, it still provides another layer of security to protect 1Password customers using Windows. Sure, keyloggers - particularly the hardware keyloggers - can still log keyboard entries but most software keyloggers will not be able to circumvent the 1Password Secure Desktop.

    Further, there have been many examples of systems being circumvented using fake UIs. It is very EASY for a developer to create a mockup of a UI that looks like 1Password asking for a master password without Secure Desktop. Giving us Windows users an option to activate Secure Desktop would deter most if not all of these mechanisms.

    Remember - we are looking for ways to protect our master password. It is very well and good to just say 1Password data is protected by both 2 or 3 secrets but when even 1 secret has been captured, it weakens the overall security of our vaults and that's never a good thing. This is how real world spy vs spy stuff works. They slowly gather enough intel about you until they have you!

    And yes, Agile Bits can state that it is not our job to protect you from malware, threats and state actors trying to gain access but I hope you all remember that you're in the business of protecting passwords. The vault holds the keys to our kingdoms and it would be poor branding to just fob this off as "not our problem".

    Until Master Passwords become a thing of the past (and I mean you no longer ask for it anymore), I hope you all reconsider this.

  • laugher
    Community Member

    Just thinking of this again this morning.

    I understand that the industry is all trying to move towards passkeys and doing away with passwords altogether. Not to mention that this is a fundamental shift in the paradigm and whether or not password managers will be something we will need in 5-10 years time.

    I say 5-10 years because in all seriousness, I do not see passwords disappearing until there is a standard, easily implemented and easily supported way of putting passkey infrastructure in place. So in this interim period, we need our password managers.

    If Agile Bits were to go down the passkeys path as a mechanism in securing our vaults and until that time, we still need to manage the threats and their risks to our vaults.

    Not knowing how Secure Desktop was implemented in 1Password but having some idea in how I could trigger Windows UAC in its simplest form (Microsoft publishes how you do this to the developer community), I don't think this is a hard thing to implement. Sure. Maybe the UI changes when you switch between Secure Desktop and the current 1Password UI but security is better than presentation in my opinion. Otherwise your customer base would not be even considering using 1Password!

    Food for thought.

This discussion has been closed.