How does 1Password prevent leakage from the device?
I have read the 1Password whitepaper, and I think the most likely and easiest way to steal a credential is from a client device.
I also see a chapter in the whitepaper called "Malicious processes on your devices", but I still have some questions about this.
According to the paper, we know the Secret Key will be stored locally and the credential DB will be cached locally too. The password will be the only thing protecting the DB.
But the paper also says: "Depending on client and client platform the Secret Key may be stored on the device using some of the protections offered by the operating system and may be lightly obfuscated."
For the Secret Key:
1. Could you tell me the storage method used on Windows, Android, and the Chrome extension?
2. Will the TPM on Windows and the Keystore on Android help with this?
3. Do we have any hardware-based solution to prevent software and memory attacks now?
For the password, Windows and Android both offer unlocking by biometric authentication now:
1. What is the cryptographic design that lets 1Password be unlocked by password or bio-auth?
2. Is the password also stored locally when bio-auth is enabled?
3. Will we support the FIDO or PIV protocol for unlocking 1Password in the future? I think a hardware security module is an enhanced way to protect the local key.