Feature request: Require biometrics whenever using 1Password
TouchID is really convenient and takes 2 seconds. I only need to get a password from 1Password at a rate of less than once an hour. My request is to effectively require TouchID every time I retrieve a credential from 1Password and not leave the vault unlocked. Note that the existing activity timeout setting is broken for me. If the timeout were based on 1Password app activity, then 1Password would be able to implement this reliably. Note that other (older?) versions of 1Password seem like they might have some better settings here.
My goal is to protect against computer take over scenarios (both local and remote) by requiring TouchID as active 2FA rather than leaving things unlocked.
This would make the practice of storing 2FA codes in 1Password much more secure - TouchID would act as the master 2FA.
Others have shared these types of concerns before, for example here: https://1password.community/discussion/124865/is-my-vault-vulnerable-to-remote-attack-malware-if-i-leave-it-unlocked-in-whilst-at-the-computer
Note that the response says "yes, it's riskier". In my opinion the job of a security app such as 1Password is to let users determine their risk tolerance and set things up accordingly - can this feature be implemented for those of us that desire it?
1Password Version: 8
Extension Version: Not Provided
OS Version: Mac
Browser: Chrome
Comments
-
Hello @gdmint! 👋
Thanks for the suggestion! Can you tell me a little more about the specific threat that you're trying to protect against?
Why not lock your Mac whenever you step away from it? If 1Password is locked, but your Mac is not, then someone can just walk by when you're not at your desk and install a keylogger to grab your account password the next time that you unlock 1Password. I've personally set a hot corner so that I only need to move my mouse to the left-hand corner of my Mac to lock it before I step away: Use hot corners on Mac - Apple Support (CA)
> Note that the existing activity timeout setting is broken for me. If the timeout were based on 1Password app activity, then 1Password would be able to implement this reliably.
I'm not seeing an issue myself with auto-lock. Would you be able to post a list of steps that I could follow in order to reproduce the same issue on my end? I'd be happy to file an issue on your behalf to have our development team take a look.
I look forward to hearing from you.
-Dave
0 -
The threat model is not stepping away. It is while using it:
1) someone grabs my laptop and runs away with it
2) a remote attacker gains access to my laptop
In the 2nd scenario, obviously with enough time 1Password will be unlocked at some point. But the idea is that either it will seem like their attack is not working or the attacker might be discovered before they are able to steal credentials.
0 -
With respect to reproducing the timeout issue: the way forward would be for 1Password to be specific about what system API they are using for this check. But it's always going to be a cat and mouse game: the OS may change how the API works, and the programs I am running may change. 1Password can't control this. It could control a timeout based on its own activity.
0 -
Thank you for the clarification. I've filed a feature request on your behalf to have our product team look into expanding auto-lock options to require biometric unlock on each fill/save action.
> With respect to reproducing the timeout issue: the way forward would be for 1Password to be specific about what system API they are using for this check. But it's always going to be a cat and mouse game: the OS may change how the API works, and the programs I am running may change. 1Password can't control this. It could control a timeout based on its own activity.
1Password for Mac depends on macOS to tell it when the system is idle. Are you running into an issue where your Mac is idle but the auto-lock feature isn't triggered? Are there other apps on your Mac that are preventing macOS from going idle?
-Dave
ref: PB-36586895
0 -
Thank you for putting in the feature request! Yes, auto-lock isn't triggered. You need to tell me exactly how 1Password determines whether or not the system is idle for me to be able to look into this issue.
0 -
I'm not sure if that information is publicly documented anywhere. That being said, our team can certainly help troubleshoot the auto-lock issue to narrow things down and make improvements as needed. As a start, so that I can better understand the situation, can you please tell me the following:
- Can you post a screenshot of the following screen so that I can see your current auto-lock settings: 1Password app > 1Password > Settings > Security.
- If you leave your Mac unlocked, and prevent it from sleeping or showing a screensaver, then does 1Password eventually lock? Or does it never lock?
I look forward to hearing from you.
-Dave
0 -
Hmm, it seems to be locking now. This seems to have happened at some point after I changed the Mac setting to Start Screen Saver when inactive to 5 minutes and changed the 1Password "Lock after the computer is idle for" down to 1 minute. It seems to be locking before 5 minutes now. If 1Password can tell me how it determines the system is inactive, that would help me troubleshoot this when I see the behavior again.
0 -
Thanks for the reply. We rely on macOS to tell us when the system is idle. If you do encounter the issue again, then I recommend that you investigate to see if any of the other apps that you're using are keeping macOS from going idle. You could turn off all third-party apps aside from 1Password and then enable them one by one, trying to reproduce the issue each time, until you can narrow down on the app that is causing the issue.
Let me know if that doesn't work and the support team and I can help further. 🙂
-Dave
0 -
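An added example, not from the thread and not 1Password's own code: a quicker way to run the "which app is keeping macOS from going idle" check suggested above. The thread does not say which macOS signal 1Password reads, so this assumes the two usual places to look, `pmset -g assertions` and the `HIDIdleTime` value from `ioreg -c IOHIDSystem`; the function names and sample text are constructed.

```shell
#!/bin/sh
# Added example: find what may be keeping macOS from going idle.
# Assumption: auto-lock follows the OS idle state; the thread names no API.

# Input: `pmset -g assertions` text on stdin.
# Output: pid<TAB>process<TAB>assertion for each idle-preventing assertion.
idle_blockers() {
  awk '
    match($0, /pid [0-9]+\([^)]*\)/) {
      owner = substr($0, RSTART + 4, RLENGTH - 5)   # e.g. 612(Google Chrome
      if (!match($0, /PreventUserIdle(Display|System)Sleep/)) next
      kind = substr($0, RSTART, RLENGTH)
      paren = index(owner, "(")
      print substr(owner, 1, paren - 1) "\t" substr(owner, paren + 1) "\t" kind
    }'
}

# Input: `ioreg -c IOHIDSystem` text on stdin.
# Output: whole seconds since the last input event (HIDIdleTime is in ns).
hid_idle_seconds() {
  awk '/"HIDIdleTime"/ { print int($NF / 1000000000); exit }'
}

# Constructed sample output (not captured from a real Mac).
SAMPLE_PMSET='Assertion status system-wide:
   PreventUserIdleDisplaySleep    1
   PreventUserIdleSystemSleep     1
Listed by owning process:
   pid 612(Google Chrome): [0x0000111100019abc] 00:14:02 PreventUserIdleDisplaySleep named: "Playing video"
   pid 301(coreaudiod): [0x0000222200018def] 00:14:05 PreventUserIdleSystemSleep named: "com.example.audio.context"
   pid 98(powerd): [0x0000333300088123] 00:00:09 ExternalMedia named: "com.example.disk"'
SAMPLE_IOREG='    | |   "HIDIdleTime" = 92500000000'

# On a Mac, read the live values; elsewhere, fall back to the samples.
if command -v pmset >/dev/null 2>&1 && command -v ioreg >/dev/null 2>&1; then
  pmset -g assertions | idle_blockers
  ioreg -c IOHIDSystem | hid_idle_seconds
else
  printf '%s\n' "$SAMPLE_PMSET" | idle_blockers
  printf '%s\n' "$SAMPLE_IOREG" | hid_idle_seconds
fi
```

A process that shows up in the first list every time auto-lock fails to fire is the first candidate to quit and retest, instead of disabling every third-party app in turn.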
"when the system is idle." What does this mean? What Mac OS API does 1Password use to determine this?
0