security for desktop app

asukulu
Community Member

When logging in to the website you need a password, Secret Key and optional 2FA, but if a hacker etc. is in control of my PC, all they need is my password, which they might know by watching me enter it when I open the app. Also, the extension asks for a PIN, which would be even easier to open. Isn't there a way to secure the desktop app so that it requires 2FA? If not, why not? I don't feel very safe using it, tbh. I'm thinking about deleting the extension altogether.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • GreyM1P

    Hi there @asukulu

    1Password can't be any more secure than a device that's compromised. You should keep up to date with your computer's built-in malware protection (Microsoft Defender) and make sure it runs routinely to check for problems. 1Password has to work on the understanding that it's running on a device that isn't infected, and making sure it's not infected is a job for Microsoft Defender, or some other anti-malware software if you choose to use something else.

    This article from Microsoft may help as a starting point: Getting started with Microsoft Defender - Microsoft Support.

    Please let me know if you have any questions, or would like any further help.

    — Grey

  • asukulu
    Community Member
    edited May 2023

    That’s not even an answer to my question. You say “1Password has to work on the understanding that it's running on a device that isn't infected”. But I can see no reason why it should not work on the understanding that it could be infected. That’s the reality. Why can’t users have the option to open the app with TFA only? Passwords are redundant. It would be a lot more secure. I’m actually at the point where I’m going to remove any banking details etc. and only use it for logging into websites where I don’t care about my data being hacked. It’s safer to have my banking details on a piece of paper in a couple of different locations, or even in a hidden safe app on my phone.

  • GreyM1P

    @asukulu

    But I can see no reason why it should not work on the understanding that it could be infected. That’s the reality.

    It shouldn't be. Anti-malware protection, such as what's built into every modern device sold, is designed to make sure that's the case. Users of devices should have the reasonable expectation that their device isn't infected. Having an infected device is not, and should not be, considered normal or acceptable by anyone. If someone else is in control of your device, that's not something that 1Password can protect against. If someone can see everything you can see and everything you type, then there's no way to keep a secret from that person.

    Why can’t users have the option to open the app with TFA only?

    In short: because a one-time password generated by an authenticator app doesn't contain enough key material to decrypt your data. All of your 1Password data is encrypted on disk and can only be decrypted using an unlock key which comes from your account password and Secret Key.

    1Password unlocks using encryption, not authentication. When you unlock, 1Password doesn't just check that you are who you say you are (which a one-time password would do), because that could be circumvented – your decrypted data would have to be somewhere on disk. When you enter your account password into the lock screen of 1Password and press Enter, 1Password takes that account password and performs a series of functions to generate an unlock key, then tries to decrypt your data with that unlock key. If the unlock key doesn't work, that means the account password was wrong. Only the correct account password will generate the right unlock key and decrypt your data.

    Even, hypothetically, if 1Password silently decrypted your data every 30 seconds and re-encrypted it using a new one-time password so that you could unlock it with only a one-time password, there are only 1 million possible 6-digit numbers, meaning someone could perform an offline attack against your data in a very short amount of time, trying all numbers from 000000...999999. Extending this thought experiment further, if someone did have remote access to your computer, and could see everything on screen and on disk, it would be trivial for them to do this attack and decrypt your data. That's why 1Password doesn't use one-time passwords for encryption. We only use them for authentication at the signing-in stage, and encryption protects the actual data.

    Two-factor authentication on your 1Password account prevents unauthorised people from gaining access to the encrypted version of your data. When you sign in, then enter a one-time password or use a hardware security key, 1Password downloads your encrypted data, then your account password and Secret Key decrypt it. The one-time password doesn't have any role in encryption.

    You can find out more information about how 1Password protects your data here: About the 1Password security model. I'll be happy to answer any questions you might have about it.
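
The two halves of the argument in the reply above (an unlock key derived from the account password plus Secret Key, versus a vault keyed by a six-digit one-time code) as runnable code. This is an added illustration and is not 1Password's own implementation: the toy SHA-256 counter-mode stream cipher with an HMAC tag, the PBKDF2 iteration count, the OTP key derivation and all sample passwords, keys and vault contents are assumptions constructed for this example. It shows that a wrong password or wrong Secret Key simply fails to decrypt, with no stored "unlocked" flag to bypass, and that a blob keyed by a six-digit code is recovered by an offline loop over the 10^6 candidates.

```python
"""Toy model of "unlock by encryption, not authentication".
Added example, standard library only. NOT 1Password's real scheme: the KDF
parameters, the stream-cipher-plus-HMAC construction and all sample data
are constructed for illustration."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # deliberately slow password hashing (assumed value)
OTP_SPACE = 1_000_000         # every possible 6-digit one-time code


def derive_unlock_key(account_password: str, secret_key: str, salt: bytes) -> bytes:
    """The password goes through a slow KDF, then the high-entropy Secret Key
    is mixed in, so a guessed password alone never yields the unlock key."""
    pw_key = hashlib.pbkdf2_hmac("sha256", account_password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.new(secret_key.encode(), pw_key, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-256 (toy cipher, illustration only)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: the tag is what tells a decryptor the key was wrong."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt(key: bytes, blob: dict):
    """Return the plaintext, or None when the key does not verify the tag."""
    expected = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], stream))


def lock_vault(account_password: str, secret_key: str, plaintext: bytes) -> dict:
    salt = os.urandom(16)
    blob = encrypt(derive_unlock_key(account_password, secret_key, salt), plaintext)
    blob["salt"] = salt          # the salt is public and stored beside the ciphertext
    return blob


def unlock_vault(account_password: str, secret_key: str, vault: dict):
    """"Unlocking" is just decryption: nothing is checked except whether the
    derived key decrypts the data."""
    return decrypt(derive_unlock_key(account_password, secret_key, vault["salt"]), vault)


def otp_key(code: str) -> bytes:
    """Hypothetical design from the thread: a key derived from a 6-digit code.
    Only a fast hash is plausible here, since the data would be re-keyed every 30 s."""
    return hashlib.sha256(b"otp-unlock:" + code.encode()).digest()


def brute_force_otp(blob: dict):
    """Offline attack on an OTP-keyed blob: try every 6-digit code until the tag
    verifies. Returns (code, attempts); the worst case is OTP_SPACE attempts."""
    mac_input = blob["nonce"] + blob["ct"]
    for n in range(OTP_SPACE):
        code = f"{n:06d}"
        tag = hmac.new(otp_key(code), mac_input, hashlib.sha256).digest()
        if hmac.compare_digest(tag, blob["tag"]):
            return code, n + 1
    return None, OTP_SPACE


if __name__ == "__main__":
    item = b"bank login: user / hunter2"      # constructed sample item
    vault = lock_vault("correct horse battery staple", "constructed-secret-key-123", item)
    print("right password + Secret Key:",
          unlock_vault("correct horse battery staple", "constructed-secret-key-123", vault))
    print("wrong password:", unlock_vault("wrong password", "constructed-secret-key-123", vault))
    print("wrong Secret Key:", unlock_vault("correct horse battery staple", "other-key", vault))
    otp_blob = encrypt(otp_key("031337"), item)  # the same item "protected" by one OTP code
    print("recovered OTP code and attempts:", brute_force_otp(otp_blob))
```

An attacker in the situation the thread describes already holds the salt, nonce, ciphertext and tag, so everything in `brute_force_otp` runs without touching the server or the victim's screen; what keeps the password path out of reach is only the slow KDF combined with a Secret Key the attacker has to obtain separately, not any check the client performs.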

  • asukulu
    Community Member
    edited May 2023

    It’s OK, I figured out that if I remove a device then you need 2FA on the next login. I’ve also regenerated the security key. I’ll just be doing that from a different device after I use 1Password on my PC.

This discussion has been closed.