Vault "App Access" Should Include Plugin as an option

(headline could have been: store 2FA TOTP codes separately from credentials)

Vault "App Access" settings let you restrict vault access to every app platform except the plugin. All vaults sync to all plugins no matter what settings you put here. What's the point of leaving this out? Put Plugin on there (even better: break out Chrome, Firefox, and Edge) to help us lock down where vault data is synced.

Primary Use Case: Keeping 2FA keys physically separate from credentials.

How: One vault has the credentials, another vault has the 2FA TOTP codes. The Credential Vault is available in the plugin and Windows clients, but not mobile. The 2FA Vault is available on mobile, but not desktop clients.

Effect: an attacker on a compromised endpoint gains access to the encrypted credential vault, as well as potentially the Access Key and Password (via keylogger), but still won't be able to log in to systems protected by 2FA.

Bonus Points if you link the two vaults so it knows which two vaults belong together. Include a checkbox in a credential edit screen for "Store TOTP code in Linked Vault," and it automatically creates/updates a linked entry in the other vault with the same title, and just the TOTP seed code, with no other fields.

Putting 2FA aside, limiting what data (encrypted or otherwise) is in the wind in the case of a compromised endpoint would be very valuable.


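The split-and-link behaviour the post proposes ("Store TOTP code in Linked Vault": an entry in the 2FA vault with the same title and only the TOTP seed), with the audit an admin would want afterwards, as an added example. This is not 1Password's code and does not use 1Password's item schema or CLI; the item layout (a title plus a list of typed fields, with "OTP" as the TOTP field type) and the sample items are constructed for illustration.

```python
"""Split items into a credential vault and a linked 2FA vault, then audit.

Constructed example, not 1Password code. Assumed toy schema:
item  = {"title": str, "fields": [field, ...]}
field = {"type": str, "label": str, "value": str}
"""
from __future__ import annotations

import copy

# Field types that carry 2FA material and must not sit beside credentials.
# Assumption: "OTP" is the TOTP-seed field type in this toy schema.
TOTP_FIELD_TYPES = {"OTP"}

# Constructed sample export. The seed is the well-known RFC 6238 demo value.
SAMPLE_ITEMS = [
    {"title": "example.com", "fields": [
        {"type": "STRING", "label": "username", "value": "alice"},
        {"type": "CONCEALED", "label": "password", "value": "hunter2"},
        {"type": "OTP", "label": "one-time password", "value": "JBSWY3DPEHPK3PXP"},
    ]},
    {"title": "intranet-wiki", "fields": [
        {"type": "STRING", "label": "username", "value": "alice"},
        {"type": "CONCEALED", "label": "password", "value": "correct-horse"},
    ]},
    {"title": "cloud-console", "fields": [
        {"type": "STRING", "label": "username", "value": "alice@example.com"},
        {"type": "CONCEALED", "label": "password", "value": "battery-staple"},
        {"type": "OTP", "label": "one-time password", "value": "JBSWY3DPEHPK3PXP"},
    ]},
]


def split_totp(items: list[dict]) -> tuple[list[dict], list[dict]]:
    """Return (credential_vault, totp_vault).

    Every item keeps its non-TOTP fields in the credential vault. Each TOTP
    field moves to a linked item in the 2FA vault that carries the same
    title and nothing else, so the two halves can be matched by title later.
    Building the 2FA vault from scratch on every run means re-running the
    split updates existing linked entries instead of duplicating them.
    """
    credential_vault: list[dict] = []
    totp_vault: list[dict] = []
    for item in items:
        item = copy.deepcopy(item)  # never mutate the caller's export
        totp_fields = [f for f in item["fields"] if f["type"] in TOTP_FIELD_TYPES]
        item["fields"] = [f for f in item["fields"] if f["type"] not in TOTP_FIELD_TYPES]
        credential_vault.append(item)
        if totp_fields:
            totp_vault.append({"title": item["title"], "fields": totp_fields})
    return credential_vault, totp_vault


def audit(credential_vault: list[dict], totp_vault: list[dict]) -> list[str]:
    """Return a list of violations; an empty list means the separation holds.

    Checks: no TOTP seed remains in the credential vault, every 2FA entry is
    linked to a credential of the same title, and 2FA entries carry nothing
    but TOTP fields (a password copied there would defeat the purpose).
    """
    problems: list[str] = []
    for item in credential_vault:
        if any(f["type"] in TOTP_FIELD_TYPES for f in item["fields"]):
            problems.append(f"TOTP seed still in credential vault: {item['title']}")
    credential_titles = {i["title"] for i in credential_vault}
    for item in totp_vault:
        if item["title"] not in credential_titles:
            problems.append(f"2FA entry with no linked credential: {item['title']}")
        if any(f["type"] not in TOTP_FIELD_TYPES for f in item["fields"]):
            problems.append(f"2FA entry carries non-TOTP fields: {item['title']}")
    return problems


if __name__ == "__main__":
    creds, totps = split_totp(SAMPLE_ITEMS)
    print("credential vault:", [i["title"] for i in creds])
    print("2FA vault:", [i["title"] for i in totps])
    print("violations after split:", audit(creds, totps))
    print("violations if left unsplit:", audit(SAMPLE_ITEMS, totps))
```

Run as-is to see the two vaults and the audit result; point `audit` at your own exported data (translated into the toy schema) to confirm that a credential vault restricted via App Access really contains no seeds before relying on the separation.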

Comments

  • ag_max
    edited January 2023

    Hi @rob29384059,

    I appreciate you taking the time to share your request here. My understanding is our team would like to include 1Password in the browser (the extension) in the list of App Access clients for selection in a future update. Your idea for selecting specific browsers is also a nice touch, and I can see it offering admins a bit more customization and control here. I'll go ahead and pass on your feedback and use case to the team for further consideration.

  • rob29384059
    Community Member

    Thanks @ag_max. The only thing I would add is that for this to be effective it must be the case that App Access actually prevents the data for that Vault from syncing down at all. If it syncs down to the app (desktop, mobile, plugin, or other) but is merely prevented from displaying, that defeats my purpose, even if it is encrypted.

    Does that make sense?

    Another way of asking this: in the current functionality, as App Access exists now, if I remove Android and iOS from a given Vault, does that Vault get downloaded onto Android and iOS devices, and is just hidden? Or is it prevented from syncing at all?

    The documentation for this (https://support.1password.com/create-share-vaults-teams/) is not clear.

  • ag_max

    @rob29384059,

    I can confirm App Access works in a similar way to Travel Mode. Both of these features fully remove vaults from the 1Password app on your device(s) for the specified platforms. For example, any password changes or new items wouldn't be able to sync to that vault in the 1Password app on those platforms, as the vault itself would not be present on those devices until the App Access setting is configured to allow that platform once more.

  • rob29384059
    Community Member

    @ag_max that's great, thank you. So my original request would go a long way to addressing the concern about keeping 2FA TOTP codes in 1Password.

    Separate vaults for 2FA TOTP codes, removed from the plugin via App Access and restricted to separate platforms.

  • ag_max

    Absolutely, happy to assist. Your latest feedback has been added to our internal issue.

    Thanks again for taking the time to share this.

    ref: 30639144

This discussion has been closed.