Secure Desktop
I like the Secure Desktop feature. I noticed something odd though (odd to me anyway). If I use the PassKey (in Firefox) icon and click on Open 1Password I get the new blank secure desktop to type in my password. If I click cancel it doesn't just all go away, but it opens a new opportunity to type in my password, but not in the secure desktop, but in my regular desktop.
I have been installing (and buying) 1Password for some of the computers for elderly people I take care of because they are most at risk. When showing them how to log in to 1PW we have "cancelled" a few times for various reasons. Mostly because they don't work at the speed i do. After a moment of catch-up conversation every one of them have started to retype their password, and that is how I noticed we are now no longer in a secure desktop. i don't have a real solution because I don't know much about software creation, but I think it would be pretty nice that if you click cancel to typing in the password, to clear everything out and make the person invoke getting into 1Password fresh again. A fresh attempt will open the secure desktop feature.
Thanks,
Peter
Comments
-
I'm not seeing this in Chrome. Maybe a FF specific bug.
0 -
I just tried this in Firefox 32.0.1 with plugin 4.2.5.b1 and after canceling the secure desktop it didn't open a second password-entry form. Can you give detailed steps so I can try to get what you saw? Here's my steps: boot computer, launch firefox, press key symbol, cancel secure desktop. At this point I do not see the insecure 1Password login form.
0 -
I can do it every time. Your sequence is not like mine, here is what we were doing -
Firefox is open.
Click the 1PW key icon and log-in properly, now ready to use for login purposes.
Use it normally from Firefox, this part does not matter.
Decide you want to go to the 1PW program itself by clicking on that choice in the 1PW icon.
You get a new desktop and opportunity to type in your password.
Click Cancel.
There is now the open vault screen on the unsecure desktop. (also logged out from using it in Firefox browser too).
You can cancel again, or as we did a few times, type you password on the unsecure desktop vault and it will open the program.I think it would be better for that vault screen to go away completely and a person would need to start fresh.
Thank,
Peter0 -
I understand what you are seeing now. The first part is the so-called "double unlock" problem. You had a vault unlocked in the 1Password browser plugin, but when you want to use the main app you need to unlock again (and you won't have to double unlock again so long as the main app stays alive.) It seems that it may require a major change to 1Password to make the double-unlock issue go away, so, alas, I don't expect that this will be fixed for a long long time.
The main issue that you are seeing is that when the main app starts, if you have the secure desktop feature enabled, the app will go straight to the secure desktop. But you are not required to unlock; for instance you may wish to cancel the unlock and use the main app menu to switch vaults before unlocking. (So I don't agree that the app should go away entirely.) In this case the main app shows a less-secure password form, and you point out that this seems be an insecure misfeature. Some of us have previously noticed this and have suggested that this should not happen when the secure desktop feature is enabled. For instance, I think @RichardPayne suggested that the password slot in this form should be replaced by a "go to secure desktop" button in this case. I vaguely recall that someone from 1Password replied that they choose to keep the less-secure unlock available in case somehow the secure desktop is not working. Anyway, they are aware of this behavior and have not told us that they will change it.
0