Feedback on trialling 1P
Hi,
Long-term LastPass user trialling 1P, as I'd like to switch. I won't because:
Secure Notes are insecure. Searching shows them in clear text as you type. Gaping vulnerability to shoulder surfing.
Neither Duo nor any other "touch" 2FA service works with 1P individual\family accounts, only the business editions. So if you want 2FA security on devices without Windows Hello or FaceID, you have to endure the lengthy chore of manually typing an OTP code every time. 1P say "Duo requires above average technical skills and it would not work well for most families...is a product for businesses and it would be too expensive for us to support". Yet somehow LastPass manage to support touch-2FA just fine. It's common for lower editions of products to offer no support, so one way to solve this and make 1P 2FA competitive with LastPass is via a disclaimer in your docs like: "This is an advanced feature for experienced individual and family users only; unfortunately 1Password only offers support for Duo in business\enterprise\teams editions at this time." Currently you cripple 2FA in non-business\teams\enterprise editions and this decision is extremely value reducing. Not including this feature stinks of cynical cannibalism-avoidance\revenue protection for your more expensive products, at the expense of your individual\family customers' convenience\security.
Linux CLI security isn't great. Login to headless Linux requires a service account (can't use the 1P GUI app). So you must create an environment variable for the service account's OP_SERVICE_ACCOUNT_TOKEN. But that permanently exists, so you're always logged in. Unlike LastPass's lpass CLI, which auto-logs-out after a configurable period. The workaround of compartmentalising into a "for CLI" vault with only the passwords needed there, and an "everything else" vault, is inconvenient, as it requires too much micro-managing of vaults.
Service accounts can't read the default "Personal" vault, so you must create a new one. But there's no way of setting the new vault to be the default, so you are always nagged to choose which vault to save new passwords to, and new devices can't see anything until you point them at the non-personal vault.
Auto-logout has fixed durations. Can't specify # of minutes like LastPass.
Sure 1P is more secure, but nobody really knows the exact extent. A perfectly secure system is one that nobody uses, and people like me won't use 1P until it's made competitive in these aspects. #1 and #2 in particular are absolute stone-cold deal-breakers.
1Password Version: 8.10.45
Extension Version: 8.10.44.34
OS Version: Windows 11
Browser: Chrome
Comments
Hi,
I posted the below into this general forum early this week. It was side-lined into one of the least-viewed forums (CLI), which it's only one-fifth relevant to. Soft censored? Let's try again.
I'm a long-term LastPass user trialling 1P because I'd like to switch. I won't because:
Secure Notes are insecure. Searching shows them in clear text as you type. Gaping vulnerability to shoulder surfing.
Neither Duo nor any other "touch" 2FA service works with 1P individual\family accounts, only the business editions. So if you want 2FA security on devices without Windows Hello or FaceID, you have to endure the lengthy chore of manually typing an OTP code every time. 1P say "Duo requires above average technical skills and it would not work well for most families...is a product for businesses and it would be too expensive for us to support". Yet somehow LastPass manage to support touch-2FA just fine. It's common for lower editions of products to offer no support, so one way to solve this and make 1P 2FA competitive with LastPass is via a disclaimer in your docs like: "This is an advanced feature for experienced individual and family users only; unfortunately 1Password only offers support for Duo in business\enterprise\teams editions at this time." Currently you cripple 2FA in non-business\teams\enterprise editions and this decision is extremely value reducing. Excluding this feature stinks of cynical cannibalism-avoidance\revenue protection for your more expensive products, at the expense of your individual\family customers' convenience\security.
Linux CLI security isn't great. Login to headless Linux requires a service account (can't use the 1P GUI app). So you must create an environment variable for the service account's OP_SERVICE_ACCOUNT_TOKEN. But that permanently exists, so you're always logged in. Unlike LastPass's lpass CLI, which auto-logs-out after a configurable period. The workaround of compartmentalising into a "for CLI" vault with only the passwords needed there, and an "everything else" vault, is inconvenient, as it requires too much micro-managing of passwords into vaults.
Service accounts can't read the default "Personal" vault, so you must create a new one. But there's no way of setting the new vault to be the default, so you are always nagged to choose which vault to save new passwords to, and new devices can't see anything until you point them at the non-personal vault.
Auto-logout has fixed durations. Can't specify # of minutes like LastPass. There needs to be a "custom" option.
Sure 1P is more secure, but nobody really knows the exact extent. A perfectly secure system is one that nobody uses, and people like me won't use 1P until it's made competitive in these aspects. #1 and #2 in particular are absolute, stone-cold deal-breakers.
1Password Version: 8.10.45
Extension Version: 8.10.44.34
OS Version: Windows 11
Browser: Chrome
Hello @secret1! 👋
Welcome to the 1Password community! The team usually tries to move a thread to the most relevant category that will get the appropriate eyes on it; not too many folks skilled in the CLI and Service Accounts hang out in the Lounge, which is more of a general-purpose space for discussions that don't fit anywhere else. In any case, I've merged your two threads together and left the merged discussion in the Lounge category.
Thanks for giving 1Password a try, I'm sorry that it wasn't a complete fit for your use case. I'll respond to the points that you've raised below:
Secure Notes are insecure. Searching shows them in clear text as you type. Gaping vulnerability to shoulder surfing.
All information in 1Password is encrypted and concealed when 1Password is locked. Unlocking 1Password using your account password will decrypt that information and allow you to view and edit it. I recommend that you only unlock and use 1Password in a safe environment.
Personally, I want Secure Notes to be visible when 1Password is unlocked since that makes the feature more useful and the information more available to me. That being said, I can see how an option to keep notes concealed (similar to how the password field operates) would be useful and I've filed a feature request on your behalf.
Neither Duo nor any other "touch" 2FA service works with 1P individual\family accounts, only the business editions. So if you want 2FA security on devices without Windows Hello or FaceID, you have to endure the lengthy chore of manually typing an OTP code every time.
Two-factor authentication is only required the first time that you add your 1Password account to a new device or browser. You're not required to type in the one-time password for 2FA each time that you unlock 1Password. You can read more here: Turn on two-factor authentication for your 1Password account
You can also use a hardware security key if you wish: Use your security key as a second factor for your 1Password account
Linux CLI security isn't great. Login to headless Linux requires a service account (can't use the 1P GUI app). So you must create an environment variable for the service account's OP_SERVICE_ACCOUNT_TOKEN. But that permanently exists, so you're always logged in. Unlike LastPass's lpass CLI, which auto-logs-out after a configurable period. The workaround of compartmentalising into a "for CLI" vault with only the passwords needed there, and an "everything else" vault, is inconvenient, as it requires too much micro-managing of passwords into vaults.
Service accounts can't read the default "Personal" vault, so you must create a new one. But there's no way of setting the new vault to be the default, so you are always nagged to choose which vault to save new passwords to, and new devices can't see anything until you point them at the non-personal vault.
Have you considered using the --expires-in <duration> flag with service accounts? See: Get started with 1Password Service Accounts (Developer docs).
It's true that service accounts don't have access to a Personal, Private, or Employee vault. Are you specifying the vault that you wish to target when you run a command using the --vault flag?
Can you tell me a little more about how you were wanting to use the CLI on a headless Linux deployment? Perhaps there's a different solution that might fit better or some other advice that I can provide.
Auto-logout has fixed durations. Can't specify # of minutes like LastPass. There needs to be a "custom" option.
Auto-lock in the 1Password app currently offers quite a number of options:
Out of curiosity, what custom value are you looking to use? This will help our Product team understand the need for a custom value field.
-Dave
ref: PB-42511406
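As an added example (not code from the thread or from 1Password's own documentation), one way to keep the service-account token from sitting permanently in the login shell's environment on a headless Linux box: a POSIX sh wrapper that reads the token from an owner-only file and exports it for a single command. The token file path, the vault name "CLI" and the item name "backup-db" are assumptions; `op read` and the `--vault` flag are real 1Password CLI features.

```shell
#!/bin/sh
# Added example (not from the thread or 1Password's docs): keep OP_SERVICE_ACCOUNT_TOKEN
# out of the persistent shell environment on a headless Linux host. The token is stored in
# an owner-only file and exported only into the environment of one command, so the login
# shell, its history and anything launched later never carry the token.

# with_op_token TOKEN_FILE COMMAND [ARGS...]
# Exit status: the command's own status, or 1 if the token file is missing or too open.
with_op_token() {
  token_file="$1"
  shift
  if [ ! -f "$token_file" ]; then
    echo "with_op_token: token file not found: $token_file" >&2
    return 1
  fi
  # Refuse a token file that group or others can read (expect mode 600).
  # GNU stat (-c) on Linux; BSD/macOS stat (-f) as a fallback.
  mode=$(stat -c '%a' "$token_file" 2>/dev/null || stat -f '%Lp' "$token_file")
  case "$mode" in
    *00) ;;  # 600, 400, 700: owner-only permissions
    *)
      echo "with_op_token: refusing $token_file with mode $mode (want 600)" >&2
      return 1
      ;;
  esac
  # A leading assignment exports the variable for this one command only; it does
  # not persist in the calling shell.
  OP_SERVICE_ACCOUNT_TOKEN=$(cat "$token_file") "$@"
}

# Example usage (assumed file path, vault and item names): fetch one secret from a
# vault named "CLI" instead of exporting the token in ~/.profile.
#   with_op_token "$HOME/.config/op/sa-token" op read "op://CLI/backup-db/password"
#   with_op_token "$HOME/.config/op/sa-token" op item get backup-db --vault CLI --fields label=password
```

Pair this with a mode-600 token file and a service account scoped to the "for CLI" vault only; the wrapper does nothing about the token's lifetime, which is still governed by the service account itself.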
Thanks for responding.
"I want Secure Notes to be visible when 1Password is unlocked" - why only Secure Notes? Why not passwords and all other secret types? Why use a password manager at all? Let's just write them all down on a sheet of paper! Not much different to having them on-screen in clear text. "Only unlock and use 1Password in a safe environment" - your solution is either don't unlock or rent the CIA's hermetically sealed incident room? "filed a feature request on your behalf" - is this publicly accessible to track progress? If not, can you at least give the internal request number to give confidence this has actually been raised and to refer if needed.
"Two-factor authentication is only required the first time that you add your 1Password account to a new device or browser." - should be every unlock\login, that's how LastPass works. Perhaps 2FA is relatively infrequent in 1P because it's more of a chore. No touch-2FA is either less convenient or worse security. Please treat your customers like functioning adults. Duo really isn't that hard to set up. Disclaim to the hilt if you must, but please don't hard-code the exclusion of this feature. Hardware key is a bit 2000s. It's extra junk to carry round, when a smartphone is always with you.
"--expires-in" disables the service account completely after the given seconds, forcing you to create an entirely new service account. I just want auto-logout like lpass does, forcing you to type the SA password again after a period (it defaults to one hour).
"Are you specifying the vault that you wish to target when you run a command using the --vault flag?" - yes, I can retrieve secrets fine from the command line. My point is that setting CLI up requires using a non-default vault, which it seems 1P isn't fully designed to accommodate. Extra work when saving passwords or starting to use new devices.
"what custom value are you looking to use?" - I'm looking to use a text box that takes a minutes integer, like LastPass. Please allow customers the freedom to choose the appropriate auto-lock period they need. Right now, I need somewhere between 8 hours and 1 day. But my requirements vary from device to device and time-to-time, as will other customers'. Whatever fixed durations you choose will never suit all.