"Smart Idiot Syndrome"

esol
Community Member

This message is going to sound harsh & "flamey", but I'm taking time to write this in the hopes of providing useful feedback to the management at AgileBits. To be very direct and blunt, AB is being damaged by the very people who have contributed to its success. Software architects and extremely smart experts are prone to this. I call it the "Smart Idiot Syndrome". As an example: in one company I've worked for we have a highly talented, highly paid security architect. They are glad to have this architect designing their software security. But it's a disaster to put this guy in front of customers. Reading through this forum, I'm simply astonished at how careless AB is with the communications from people who really should not be talking to the public at all. What brought me here is Multi-Factor authentication. And what I read here from some very smart AB members is so arrogant that it crosses into ignorance. Apologies for the strong words- and I'll avoid mentioning names. Though I suspect these people have significant roles in the company, otherwise they would not have such a profound impact on the product definition AND be publicly "educating" customers why their requirements are all wrong.

Background: I'm already a LastPass customer- well I'm still in the trial period. I'm looking for password managers for my company. LastPass seems to come out on top on all the reviews out there. The only thing I don't like about it is they have a terrible UX. Their UX is bad enough that it will be an impediment to certain key users in our company from using the product. In one recent review, 1Password actually came in 7th place. But 3 things stood out: the reviewer commented that the UX was good, the feature check boxes had all the features I need, and it said that 1P supports MFA. I would not have come here if not for that incorrect check box. So- regarding all those arrogant/ignorant diatribes about MFA on these pages- AB management should really think about that point. Not that there aren't technical points to make as well. But as one of my mentors used to tell me often (when I was something of a smart idiot myself) -- "Do you want to be right? Or rich?"

So here I am trying to figure out how to enable MFA in 1P. (I love the UX by the way- it's not perfect but it beats LP by a mile). My google searches take me to the various blog posts here on the topic. Posts where I am told all sorts of black/white truths about MFA by some very smart people, who have no clue what they are talking about. Funny enough, there are many comments about how brilliant these AB experts are. I was going to write in refuting the troublesome assertions, but there are so many of them that I'm simply overwhelmed by the arrogance. Basically- every single place where your employees (whether they are founders, chief architects or whatever) are telling customers that they are right and the rest of the world are wrong- is a VERY BIG RED FLAG. The fact that these discussions go back many years and MFA is still not in the product and, well, it seems that AB may have a fatal flaw. Sorry, again, to be harsh. But I'm being honest- this is my nickel's worth of free advice.

I come here to find out, depending on which blog I read that: 1P "sort of has multi-factor" or has "1 1/2 factor" or "actually- not even single factor" authentication. That last one sent my head spinning. 1P doesn't authenticate at all, the blog asserts- it's all about encryption. This is because it isn't a "Server" or a "Service". REALLY???? So when I type my password and that little vault door opens, I'm not authenticating myself to a piece of software? Does it really matter that software is running on my local computer, vs. some server somewhere else? That opening vault door sure tells me that this piece of software believes that my knowledge of my master password is sufficient to provide access to my encrypted data. These blogs go on to make many black/white assertions about the pitfalls of MFA. "We can't back up your physical phone" is one that comes up a lot. These blogs basically translate to "it can't be done 100% right, so we won't do it" "you want MFA but you don't really understand what you want" "we don't want to be inundated by dumb users who lose their phones" and- to distill it to the core message- "we know better than you". When multiple customers explain some well-stated reasons why MFA would still be useful to them, or simply express that they want it anyway- these inputs are flippantly responded to with "we know better than you" and then the really arrogant "but maybe we'll change our mind some day". OMG! Here's a feature 1P needs right away- the ability for you to immediately revoke the login passwords of the people writing these blogs as representatives of AB!!!!

I keep reading about how smart your security experts are. Well, I'm not buying it- sorry. I look at Facebook and Google. They have a few more "dumb users" than you guys have. Instead of writing about how impossible MFA is and how it adds no actual security and how users will just complain when they lose their phones- they have implemented real solutions that address the issues that you raised as black/white deal breakers. They were a little more creative than AB. You should go check them out- you can learn something. Nearly universally, customers are saying they want MFA. If AB wants to survive, they should start listening to customers and stop letting smart idiots tell them "we know better than you".

Again my apologies for the tone of this message. I've taken hours out of my time to evaluate the product and now a good hour or so reading your blogs and typing this message. You may note that I've said very little to nothing on the technical merits of your blog posts (other than the ridiculous assertion about authentication vs encryption). That's because those points are moot and I suspect your "experts" could debate me all day and probably win on pure technical merit. But does an "Agile" company really invest that much effort in telling customers they are wrong? Think about that!

Comments

  • esol
    Community Member

    One last comment- another gem from my mentor: "The enemy of the good, is the best". Your blog posts discuss the challenges of XOR'ing multiple keys so that the 2nd factor is part of the key. They talk about the challenges of cross-device dongles. These issues should be internal discussions. Mostly because they're missing the point. Most customers who want MFA don't want an encryption key constructed from multiple components. That's old school (reminds me of the DES master password keys used by bank ATM networks in the early 90s). Your blog posts simultaneously claim that MFA does have value, and that it is just "security theater" or something like that. You have some really smart comments from customers explaining what uses they'd like to have for MFA. There are some smart ways Facebook & Google have addressed the pitfalls. Customers want MFA, but AB isn't listening. It's a shame.

  • RichardPayne
    Community Member

    Just because they have chosen not to implement the demands of some customers does not mean they are not listening.

    There are some smart ways Facebook & Google have addressed the pitfalls.

    For all of the threads you claim to have read, you don't seem to have understood any of it. Facebook and Google are fundamentally different setups to a 1Password vault.

    Facebook data is stored in plain text in their database. Authentication to their system simply controls who can access it. However, at all times the system itself can access the data.

    1Password does not work like this. It is not guarding data that it has access to by checking that you entered the right password. Without the correct password the system itself can not access the data.

    They have a few more "dumb users" than you guys have. Instead of writing about how impossible MFA is and how it adds no actual security and how users will just complain when they lose their phones- they have implemented real solutions that address the issues that you raised as black/white deal breakers. They were a little more creative than AB.

    If you understood my explanation above then the differences here should be clear. If you lose your FB second factor then there is the possibility to prove to FB that you own the account in some other way and for them to reset the authenticator. This would give you access to your data again. If you lose a second factor controlling the encryption of your vault data then you're screwed. The data can not be decrypted and if it could then the second factor would be worthless.

    When multiple customers explain some well-stated reasons why MFA would still be useful to them,

    Could you point me at some? Most of the justifications I've seen boil down to "someone told me 2FA is the only way to stop the baddies".

    or simply express that they want it anyway

    And there's the problem. Just because a customer wants something doesn't make it a good idea.

  • esol
    Community Member

    Richard- You think I don't understand- I get that. Your response is full of the same errors I've been reading elsewhere here. Perhaps my error is in even comparing 1Password to these password managers. I would accept that critique. But if they are in the same space as LastPass and others, then the fact that they have a different implementation is a moot point. The points you make, in fact, show that you really don't understand what I'm saying. Do you work for AgileBits? A post like this would be cause for termination in any company I'm part of. But that will be my only contribution to a flame war here. In spite of the blunt tone of my message, I came here with good intentions of providing valuable customer feedback to AgileBits. If more private channels were provided anywhere, I'd use that instead of a public forum but I can't seem to find any contact information anywhere. Your response not only did not refute my original message, but reinforced and justified it. So narrow. Pity.

  • esol
    Community Member

    If you lose a second factor controlling the encryption of your vault data then you're screwed. The data can not be decrypted and if it could then the second factor would be worthless.

    Nobody who is asking for modern MFA is asking for this. You are stuck in an old way of thinking. Customers want solutions, not excuses.

  • RichardPayne
    Community Member
    edited January 2015

    I am not associated with Agilebits. I am a customer. The reason my post would be grounds for firing in most companies is because most companies have no backbone and will cave in to every idiotic demand; at least they pretend to. In reality they make noises and do what they want.

    I make lots of suggestions for things I'd like to see implemented in 1Password. Sometimes AB do it straight away, sometimes they say "maybe in the future" and sometimes they tell me I'm talking crap. I'd much rather have an honest discussion than have my ego stroked.

    Your response is full of the same errors I've been reading elsewhere here.

    Could you point out my errors?

    Perhaps my error is in even comparing 1Password to these password managers. I would accept that critique. But if they are in the same space as LastPass and others, then the fact that they have a different implementation is a moot point.

    It is in no way a moot point. Trains and trucks are both in the same space of haulage. Complaining that the train is missing the key feature of steering is silly. It doesn't need it. Its implementation is different.

    Your response not only did not refute my original message, but reinforced and justified it. So narrow. Pity.

    So my view is narrow because I disagree with you? Interesting.

    Nobody who is asking for modern MFA is asking for this. You are stuck in an old way of thinking.

    I'm confused. What precisely do you want? What is modern 2FA and how does it differ from old 2FA?

    Customers want solutions, not excuses

    And yet, when a solution is proposed, you dismiss it:

    Most customers who want MFA don't want an encryption key constructed from multiple components. That's old school (reminds me of the DES master password keys used by bank ATM networks in the early 90s).

    Key splitting is the only workable 2FA system for encrypted data systems that I'm aware of. If that is not what you want then perhaps you could explain, in detail, precisely what it is that you do want.
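    The key-splitting model RichardPayne refers to above (and that esol's earlier comment describes as "XOR'ing multiple keys so that the 2nd factor is part of the key") can be made concrete. The following is an added worked example, not code from the thread or from 1Password: the master password is stretched with PBKDF2, a device-held secret is XORed in to form the vault key, and the vault is encrypted with a toy encrypt-then-MAC construction built from HMAC-SHA256 in counter mode (standing in for a real AEAD, so that the example runs on the Python standard library alone). All salts, passwords and device secrets are constructed values. The point it shows is the one both posters agree on: with the password alone, or with a replacement phone holding a different secret, the tag check fails and the data is simply unrecoverable.

```python
import hashlib
import hmac
import os


def derive_password_key(password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 32-byte key component (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000, dklen=32)


def combine_keys(password_key: bytes, second_factor: bytes) -> bytes:
    """XOR the two 32-byte components into the vault key.

    Neither component alone reveals anything about the result, and there is
    no way to reconstruct the vault key if either component is lost.
    """
    if len(password_key) != 32 or len(second_factor) != 32:
        raise ValueError("both key components must be 32 bytes")
    return bytes(a ^ b for a, b in zip(password_key, second_factor))


def _subkeys(vault_key: bytes):
    """Derive separate encryption and MAC keys from the combined vault key."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over nonce||counter (stands in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong (the tag check fails)."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo() -> dict:
    """Walk through the thread's scenarios with constructed values."""
    salt = b"constructed-salt-value"            # constructed; stored alongside the vault
    password = "correct horse battery staple"    # constructed master password
    phone_secret = hashlib.sha256(b"constructed secret held on the phone").digest()  # constructed
    password_key = derive_password_key(password, salt)
    vault_key = combine_keys(password_key, phone_secret)
    blob = encrypt_vault(vault_key, b"bank login: hunter2")

    # Both factors present: the vault decrypts.
    with_both = decrypt_vault(vault_key, blob)
    # Correct password, but the second component is missing: the tag check fails.
    password_only = decrypt_vault(password_key, blob)
    # Phone lost and replaced: the new device secret is a different component.
    new_phone = hashlib.sha256(b"constructed secret on the replacement phone").digest()  # constructed
    replaced_phone = decrypt_vault(combine_keys(password_key, new_phone), blob)
    return {"with_both": with_both, "password_only": password_only, "replaced_phone": replaced_phone}


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {'decrypted' if result is not None else 'FAILED (wrong key)'}")
```

    The design choice worth noticing is that the vault key exists only transiently in memory after both components are combined; nothing on disk can turn the password component back into the vault key. Any "recovery" path for a lost phone would have to store the second component (or the combined key) somewhere the provider can reach, which is exactly what RichardPayne means when he says a recoverable second factor would be worthless.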

  • esol
    Community Member

    Regarding the implementation difference, there are 2 schools of thought- 2 camps I guess with strongly held views. In one- cloud is king. Centralized storage and management give you effortless cross-device productivity. In the other camp, cloud is a dangerous & insecure place for storing anything of value. Both are correct- but with recent hacks in the news the cloud side is taking a lot of heat. So in the password management arena you have someone like LastPass with a cloud-centric solution vs. 1Password with a solution where your data is never transmitted to AB. I understand the pros and cons of both- and I would suspect you are solidly in the keep-my-data-out-of-the-cloud camp. So this comment isn't for you- it's for 1Password product management- which side do you think will win out? I think the writing is on the wall. As a customer, I want my implementation of password management to do everything for me. I don't want to have to implement alternate schemes of keeping copies of my vault in various places, backing it up, making sure each one has the same strong+unique password, uh, er, encryption key. I just want to use strong passwords for all of my websites and to be freed from the burden & risk of managing that.

    There will always be a hyper-paranoid niche of users who will never put their passwords in the cloud. But does 1Password want to be the ultimate solution for this niche? Or the best solution for the whole world who want their password solution to be as effortless as possible?

    As to the security of the cloud: if my passwords are securely encrypted why should it matter if they are stored on the cloud? I should be able to post my vault on my facebook page or in a public dropbox without fear. This gets into the value prop of the cloud vs. local storage debate. There are tradeoffs.

    In their blogs, AgileBits themselves stated the main issue they get is people forgetting their master password. Of course, your MP should be strong, unique and changed often. Now I need to figure out how to not forget it, have secure copies of it stored (and updated) somewhere, and to make sure all my backup copies of my vault have the same secure password. AgileBits has blogs to give advice to users how to manage that. Yuck. I don't want to manage that. That's what I'm buying software for.

    Now, let's say I've just signed up to a very secure web site. I'm sitting in my local Starbucks and just transferred a million dollars to a new trading account. I create a super strong password with 1Password and store it in my local vault. But in order to log into 1P I had to get the little yellow sticky out of my wallet with my super strong 1P password. I stuck it to my Macbook keyboard, logged in and went about my business. But I'm getting a little drowsy and get up to order a quad-shot Americano. I'm only away for a minute, but I turn around and see that my laptop is gone. I have no way to log into my new account- but my thief sure does.

    If 1Password were a cloud solution, I could simply log in and get my password from another computer- then go quickly change it before my thief realizes what he just got his hands on. But with 1P today I can't do that.

    And if 1Password had a good MFA implementation, they'd have a way to deal with my compromised master password. I'd be able to log in without it, and change it so the thief wouldn't be able to take over my account. If the thief tried to do that before I could get to another computer, a good MFA implementation would prevent them from changing key pieces of info.

    MFA at Facebook (and especially Google) isn't just about authenticating access to clear text in their database. It's about identity, chain of custody and reasonable allowances for delegation and assurance of continuity. Yes there are practices that the super secure-minded individuals can & should implement for that in their lives. But like I said, I don't want to do all that. I'm not so sure that AgileBits would claim they don't want or intend to be the solution for people like me. But their blog posts on the subject sure do say that.

    It's not just about encryption- that's why I said what you are discussing is "old". Encryption is old-hat now. 1P is probably a good vault solution, but there are lots of ways I can do that including free ones. I want password management- and that includes the scenarios where I need to effortlessly sync passwords across my devices. If my vault is so secure, that shouldn't be a problem- and well thought out MFA helps make that secure even in a world of key loggers and trojan horses. If AB is going to compete in this market, they'll have to embrace the cloud. You can bet that in their product meetings they are talking about that right now (if not already implementing it). My beef with these posts are the black/white statements about MFA-- that if you lose your phone you would forever be locked out of your data (for example). That's true if your "multi-factor" is part of the key and not part of the authentication and only stored locally (and don't tell me again that you're not authenticating- you are). But it doesn't have to be- that's the narrow thinking. In cloud vs local, cloud is going to win. Don't believe me? Just wait.

  • RichardPayne
    Community Member

    Right, so your issue here isn't really about 2FA but with AB's entire business model.
    If you'd said that at the start then this conversation would have been easier.

    So in the password management arena you have someone like LastPass with a cloud-centric solution vs. 1Password with a solution where your data is never transmitted to AB. I understand the pros and cons of both- and I would suspect you are solidly in the keep-my-data-out-of-the-cloud camp.

    Ermm, no, not really. My vault spends most of its life in the cloud. The difference is that my cloud provider has no interaction with my vault's encryption provider and vice versa. They can not, therefore, succumb to legal pressure to provide my data to anyone.

    So this comment isn't for you- it's for 1Password product management- which side do you think will win out?

    That's a false dichotomy. Can both models not exist together?

    There will always be a hyper-paranoid niche of users who will never put their passwords in the cloud. But does 1Password want to be the ultimate solution for this niche? Or the best solution for the whole world who want their password solution to be as effortless as possible?

    Strawman. 1Password can store its data in the cloud and AB actively encourage it.

    As to the security of the cloud: if my passwords are securely encrypted why should it matter if they are stored on the cloud? I should be able to post my vault on my facebook page or in a public dropbox without fear. This gets into the value prop of the cloud vs. local storage debate. There are tradeoffs.

    I agree. However, the fundamental difference is how your Master Password is handled. In an authenticated online service model, the password or key must travel to the server at some point. Not only is this a risk in itself, but now an entity other than yourself has the ability to unlock your data. Lastpass is a hybrid model in that it downloads encrypted data and then decrypts locally. Their 2FA system is either doing key splitting, along with the associated risks or they're just protecting your registered account and not your vault data at all. This is really no different to using 1Password with a 2FA enabled Dropbox account since AB does not require online registration in order to use their software.

    There is some validity to your argument that this makes LP easier to use, but at the expense of flexibility. That is a choice for the user and I see no harm in AB and LP serving slightly different segments of the market.

    In their blogs, AgileBits themselves stated the main issue they get is people forgetting their master password. Of course, your MP should be strong, unique and changed often.

    Disagree. Your password never leaves your device so why change it often? Strong and unique I agree with.

    Now I need to figure out how to not forget it, have secure copies of it stored (and updated) somewhere, and to make sure all my backup copies of my vault have the same secure password.

    Shouldn't be too hard to memorise the 6 or 7 words needed for a strong diceware phrase.

    AgileBits has blogs to give advice to users how to manage that. Yuck. I don't want to manage that. That's what I'm buying software for.

    Are you telling me that LastPass automatically finds and updates all of your offline backups? I doubt that.

    Now, lets say I've just signed up to a very secure web site. I'm sitting in my local Starbucks and just transferred a million dollars to a new trading account. I create a super strong password with 1Password and store it in my local vault. But in order to log into 1P I had to get the little yellow sticky out of my wallet with my super strong 1P password.

    If you can't remember 1 strong password without post-it notes then I doubt you'll be dealing with million dollar accounts while out and about.

    I stuck it to my Macbook keyboard, logged in and went about my business. But I'm getting a little drowsy and get up to order a quad-shot Americano. I'm only away for a minute, but I turn around and see that my laptop is gone. I have no way to log into my new account- but my thief sure does.

    Then you get fired for gross negligence. Software can only do so much to protect the stupid from themselves. In your hypothetical scenario you left out that you also probably left your phone next to your laptop and have your phone's PIN written down next to your master password.

    If 1Password were a cloud solution, I could simply log in and get my password from another computer- then go quickly change it before my thief realizes what he just got his hands on. But with 1P today I can't do that.

    With 1Password you simply log in to Dropbox and remove the vault from the stolen device.
    If the network is not connected that wouldn't work, but then neither would changing the master password in LP.

    MFA at Facebook (and especially Google) isn't just about authenticating access to clear text in their database. It's about identity, chain of custody and reasonable allowances for delegation and assurance of continuity.

    Which all boils down to the same thing in the end. Do you, the user, have the right to access a certain set of data.

    It's not just about encryption- that's why I said what you are discussing is "old". Encryption is old-hat now.

    Not really. Encryption is a tool; one that all of the password management systems rely on.

    1P is probably a good vault solution, but there are lots of ways I can do that including free ones. I want password management- and that includes the scenarios where I need to effortlessly sync passwords across my devices.

    Ignoring the fact that 1Password syncs pretty effortlessly using Dropbox, I get it. You want to sacrifice control of your data for slightly less setup work. That's fine, and it's a choice.

    My beef with these posts are the black/white statements about MFA

    That's because you're talking about MFA in a context which doesn't apply to 1Password yet. What your beef is actually with is their entire business model, but you cloud that behind criticising their lack of MFA.

    that if you lose your phone you would forever be locked out of your data (for example). That's true if your "multi-factor" is part of the key and not part of the authentication and only stored locally (and don't tell me again that you're not authenticating- you are).

    Pray, do tell; who are you authenticating with?

  • svondutch
    1Password Alumni

    in order to log into 1P I had to get the little yellow sticky out of my wallet with my super strong 1P password. I stuck it to my Macbook keyboard, logged in and went about my business. But I'm getting a little drowsy and get up to order a quad-shot Americano. I'm only away for a minute, but I turn around and see that my laptop is gone.

    Never write down your master password. This is the one password you should remember yourself.

    If 1Password were a cloud solution, I could simply log in and get my password from another computer- then go quickly change it before my thief realizes what he just got his hands on. But with 1P today I can't do that.

    Yes you can. Assuming your 1Password data is in your Dropbox, you can log into it from another computer.

  • prime
    Community Member
    edited January 2015

    To add to @svondutch. With Dropbox, you can use 2 step verification.

    I also agree with @RichardPayne too, I don't really see the point of 2 step verification for this at all. You have the option to store all your passwords in a cloud (Dropbox) or not, and that has 2 step verification protection. To me, the user gets to pick if they want their passwords in a cloud or not.

    I have a 16 year old daughter who uses 1Password and she made a master password so good, I am extremely impressed. It might be better than mine. She also remembered it as well.

  • RichardPayne
    Community Member

    @prime that's because she's young and her memory's good. Wait and see how it is when she's your age! :p

    Just to clarify, I'm not saying that 2FA is worthless in the 1password context. Jeff convinced me of that. There are still key loggers to consider. However, I agree with AB's position that it's too risky for the small benefit. If your PC is that compromised then you're already beyond screwed.

    That said, if they decided to implement a split key system then I wouldn't complain. I just wouldn't use it.

  • esol
    Community Member

    @svondutch I'm the only person in my (small) company with a Dropbox account. Most of them use iCloud, and most probably have some Google Drive storage without even knowing it. I'm waiting for Microsoft to add free OneDrive storage to the MS-365 business accounts (they've already added 1TB free storage with personal accounts, they are supposedly going to do it soon for business accounts). We'll probably standardize on OneDrive when that happens. So it will be difficult to get everyone configured & set up on Dropbox just for this. FYI the reason I'm here is that the user experience for LastPass is bad enough to prevent some of our users from using it. I do like 1Password much better from that perspective. LP also has an "enterprise console" for managing policies etc at a company level. I like that a lot, but I'd give it up for a solution that is more usable. Centralized (cloud) storage/management would make 1Password a no-brainer for me- but of course I'd expect that to include solid MFA. As is, I'll have to weigh the impact of 1P vs the usability of LP, or perhaps just use it personally and hold off rolling it out to others in the company.

  • esol
    Community Member

    @RichardPayne - some good info. I actually like the product. As someone in the technology industry myself, I simply see a common mistake playing out at AB. They have very smart people who are True Believers in their application model (which drives their business model, not vice versa). IMO the bulk of the market is saying that model is wrong. When you are putting that much energy into telling customers, over and over (for years even) that what they want is wrong, well there's a reason 1P is getting lower review ratings than their competitors even when the others have terrible interfaces!

    This is really no different to using 1Password with a 2FA enabled Dropbox account since AB does not require online registration in order to use their software.

    For a single user, the differences are small, yet significant- both pros and cons of a service model vs. local app model. For someone that has to roll this out to multiple users, the difference adds complexity & cost that I don't want to deal with. It's not even really an MFA issue I guess, except that I'd expect a service model to have solid MFA.

    There is some validity to your argument that this makes LP easier to use, but at the expense of flexibility. That is a choice for the user and I see no harm in AB and LP serving slightly different segments of the market.

    There are segments of the market that are very security conscious, understand encryption, manage their safe lock boxes etc. These people are probably concerned about some of the issues you raised- discoverability (legal) for example. This category would include some powerful, rich & tech savvy people-- and also drug dealers and terrorists haha. Then there's everybody else- people who just want to make their digital lives manageable and keep hackers out of their facebook and online bank, and companies who need to find a way to make strong passwords manageable for their employees. Of course, AB can choose their market segment.

    Shouldn't be too hard to memorise the 6 or 7 words needed for a strong diceware phrase.

    Try telling that to my employees and business partners.

    Ignoring the fact that 1Password syncs pretty effortlessly using Dropbox, I get it. You want to sacrifice control of your data for slightly less setup work. That's fine, and it's a choice.

    I suppose that's the crux of it. In the trade-off between control of data and manageability for multiple users, I need manageability & simplicity first. I expect AB (or any service provider) to implement things as securely as they can, of course. As for law enforcement / discoverability - I don't plan on using 1P for anything where I'll some day be telling LE "sorry I just don't remember that password anymore" to prevent them from getting access. If my employees do, then I'd want to cooperate with LE and give them what they need. Of course, it doesn't have to be LE. It could be a lawsuit from a customer or competitor or whatever. In this case, I don't see hiding passwords as a viable strategy to avoid the consequences of legal action. If I were in the market for secure document storage for things like that, I'd understand that point and we do have some corporate documents stored, for example, in safe deposit boxes etc. That's just not the product I'm looking for here. I'm looking for secure password management for myself and my employees, and I expect to have MFA as an added layer of security & support for lost/compromised master passwords. I'm not looking for something that's NSA-proof for the hyper vigilant and tech savvy experts. Even for myself, though I have the technical knowledge to manage that, I just want simplification.

    That's because you're talking about MFA in a context which doesn't apply to 1Password yet. What your beef is actually with is their entire business model, but you cloud that behind criticising their lack of MFA.

    My beef with the product is lack of simple centralized management without requiring external tools & processes. My beef with the company is the blog posts here trying to tell me (customers in general) that my requirements are wrong. They are marketing to the masses but the mind-set of the blog posters here is geared toward the hyper-vigilant security savvy crowd. Probably my original post is a bit out of place (who am I to tell them their business). But I really am looking for a solution and was kind of flabbergasted by what I was reading here. I've seen this happen in companies before and it doesn't end well. Are they interested in my unsolicited free advice? Dunno. Given the views on this post I'm guessing it will stir some conversation. I'd delete the post if I were them haha. TBH, I would have sent a private email if I could find their contacts somewhere.

  • hawkmoth
    hawkmoth
    Community Member
    edited January 2015

    Of course, your MP should be strong, unique and changed often.

    @RichardPayne questioned the need to change the password often. I thought I'd toss in that AgileBits actually encourages users never to change their master password.

  • esol
    esol
    Community Member

    My ideal solution would:

    • Allow me to purchase licenses for my employees and invite them to sign up easily, with little intervention from me- but the ability to track signups. Employees could optionally get personal accounts to manage their personal identities separate from the company.

    • Provide me with a few training videos for the employees- an introduction, a more detailed setup video and a power-user video would be great.

    • Would be both simple to use and not unnecessarily obtrusive. 1P is better than LP here.
    • Would integrate well in the browsers and apps. This is where LastPass fails. At first I kind of liked the little asterisk they add to login fields. But after a while it was conflicting with the browser's own password management and causing confusion. For example there were some times where I wasn't sure if the strong password got set + remembered or not. It never actually failed where the password LP remembered was the wrong one, but there was confusion.
    • Should quickly & easily capture passwords to get everything under control-- then progressively encourage/enforce transition to strong passwords. LP is far ahead of 1P here. They get all the passwords out of your keychain and put them under control. Very cool feature and it worked great.
    • Would work seamlessly nearly everywhere. LP has a slight edge over 1P here- there are a few sites where I have to copy & paste passwords manually with 1P and I haven't encountered that with LP. I plan to post that info on another thread for product feedback to them.
    • Allow me to set company policies about: which sites to enable (though I'd probably just enable everything), password policies, etc. - and the ability to revoke access to the service at any time. This is why users should be encouraged to manage their personal stuff separately.
    • LP is actually moving toward a full identity management service- they provide a SAML identity service that can be used for SSO. This is interesting- not what I was looking for but potentially useful. I think some of the cloud apps I use support SAML auth.
    • Integration with various identity providers. Google, for example, though MS would be good too. We'll probably standardize on Google for identity management. When we get bigger we'll of course likely implement our own, but it's nice to not have to deal with LDAP/AD for now. We currently use cloud apps from several different vendors- I don't really plan to ever bring these on-premise but eventually I'd like clean SSO with all of them. For now, a good tool for managing strong passwords across them is good enough.
    • Support for MFA in the administration of the service, and MFA for users' master passwords. Ideally, the ability to selectively enforce MFA policies. Of course, an MFA solution has to be a well thought out one, not one where you are forever screwed if you lose an access code or something. I'm not even interested in talking about split keys or anything like that. It's just got to work and be recoverable. I really like what Facebook and Google are doing around this.
    • A personalized domain would be good: mycompany.agilebits.com would be pl. But securityportal.mycompany.com would be even better (which would make SSL a challenge/cost but it would be doable).

    With the exception of that last one, this is pretty much a feature list of LastPass. They just don't have UX in their DNA (another common issue). 1P does and I'd give up a lot of the ideal solution just for the UX- since it will make a difference in whether it gets used or not. But it's got to be easily manageable and not require people to become security experts and buy into a hyper-vigilant paranoid mind-set.

  • esol
    esol
    Community Member

    @hawkmoth - that's making it seem more like this isn't the product for me. On another thread, someone from RSA mentioned that today you work from the presumption that your systems are compromised (and of course 1P responded by explaining to them why they don't really want MFA). As long as I'm typing my master password into some device that's connected to the internet, it is vulnerable and should be managed as such. This forever-password idea is an artifact of AB's app/business model rather than a sound security policy.

  • hawkmoth
    hawkmoth
    Community Member

    I find it interesting, as I reread this thread, that it began as a rant and gradually turned to a much more reasoned discussion. I don't think I've seen that kind of progression before.

  • esol
    esol
    Community Member

    @hawkmoth haha guilty as charged. I came here trying to figure out how to enable MFA (since I read a review that said it was supported). I read a couple of blog posts with great interest, hoping to learn something. Then as I read more it was dawning on me that what I was reading was a really condescending attitude toward customers based on a fixation on a particular app model that seems (according to customer requests) to be going away in favor of a centralized service model. The fact that the people writing these blogs were obviously very intelligent and experts in their field told me there's an issue holding this company back. So I thought I'd share my POV in a rant...

  • hawkmoth
    hawkmoth
    Community Member
    edited January 2015

    I realize you were giving "advice" and not in the mood for engaging in any give-and-take, but you might think about starting your next thread with the attitude reflected in your next to last one.

  • RichardPayne
    RichardPayne
    Community Member

    For a single user, the differences are small, yet significant- both pros and cons of a service model vs. local app model. For someone that has to roll this out to multiple users, the difference adds complexity & cost that I don't want to deal with. It's not even really an MFA issue I guess, except that I'd expect a service model to have solid MFA.

    You see, that is something that 1Password doesn't do well. Corporate environments are not its stomping ground. I've raised this with AB before.
    However, I don't see that you'd automatically transfer to an external service model. Personally I'd be very nervous about having all of my corporate logins under someone else's control.

    What I suggested to them was a server suite that a company could install and run on its own server. Effectively it would be running its own password management service for the benefit of its users. The company then has direct control via their existing network security over who gets to access the system and where from.
    Of course, there's then nothing stopping AB, or even a third party company, using the 1Password Server Suite to set up a direct competitor to LP on the public internet or running corporate services in a manner similar to Azure. Best of both worlds.

    At that point you would be looking at some sort of authentication system and MFA would be a sensible choice.

    Try telling that to my employees and business partners.

    Sure. Pass the thumbscrews and tin snips. ;)

    My beef with the company is the blog posts here trying to tell me (customers in general) that my requirements are wrong

    But your requirements are wrong, in the sense that they are misstated. What you need is a large, centrally managed system. This would indeed require MFA, but if you approached the question from a "does 1Password need MFA right now" angle then the answer is no.

    They are marketing to the masses but the mind-set of the blog posters here is geared toward the hyper-vigilant security savvy crowd.

    While the "masses" would undoubtedly benefit most from MFA, they are also the ones most likely to get screwed over if/when they lose their second factor. A lost second factor on the type of small scale system that 1Password currently is would render their data inaccessible. The security savvy guys feel more comfortable not taking that huge risk because they're on top of their firewall config, their OS and virus updates and they practice safe browsing.

    Would integrate well in the browsers and apps. This is where LastPass fails. At first I kind of liked the little asterisk they add to login fields. But after a while it was conflicting with the browsers own password management and causing confusion

    To be fair to LP, if you're using a third party password manager then you really should turn off the browser's password manager.

    They get all the passwords out of your keychain and put them under control. Very cool feature and it worked great.

    I have no idea what this means. If they're in a keychain then aren't they already under control?

  • Megan
    Megan
    1Password Alumni

    Hi @esol,

    This has been a fascinating conversation to read, I'm sorry that we haven't dropped in here with an 'official' response earlier.

    We can certainly see how the features you are suggesting could be very helpful to businesses. It's obviously not the model that 1Password is currently using, but that's not to say that this can't ever change in the future. It might sound cliche, but we actually really do appreciate your input.

    Thanks for taking the time to share your thoughts!

This discussion has been closed.