Virtual Keyboard vs. Secure Desktop

Hello,

Honestly, I don´t see why such a convenient feature as the virtual keyboard was removed at the expense of the Secure Desktop button.

  1. They can coexist without affecting the design.
  2. Even though the Secure Desktop has been proven to be a better option against keyloggers, a virtual keyboard is also a great defense against that sort of malware besides being the method of choice for so long to so many people for unlocking their 1P vaults.

Will the virtual keyboard be back, not only in Windows, but in the Firefox and Chrome extensions?

Thanks

Comments

  • MikeT
    edited April 2015

    Hi @SineSenus,

    It was removed because there is no need for it when there is Secure Desktop that provides better security.

    a virtual keyboard is also a great defense against that sort of malware besides being the method of choice for so long to so many people for unlocking their 1P vaults.

    A virtual keyboard is only a great defense if it was on top of Secure Desktop, not elsewhere. Not all keyloggers just listen to your keyboard typing, there are ones where they can record either via screenshots or video of your typing if they know a software has a virtual keyboard. This is what the Secure Desktop attempts to protect you from as it prevents other processes from doing anything like this.

    However, because Secure Desktop doesn't allow other processes to get in, there is no need to have that virtual keyboard support because they cannot get in. They'd have to infect your system on a different level and if they manage to do this, even a virtual keyboard won't help.

    They can coexist without affecting the design.

    This is something we're investigating because in this thread where it is difficult to unlock on the Secure Desktop on a tablet that doesn't show the virtual keyboard from Windows. The problem we found is that in order to bring up the virtual keyboard, we must prompt the user for permission to do this but it turns out, this cannot work under Secure Desktop. We'll keep investigating for a way to do this.

  • SineSensus
    SineSensus
    Community Member
    edited April 2015

    Thank you for your answer. You've made it clear why the Windows virtual keyboard was retired but, although I´m in the wrong forum, why there is not a virtual keyboard on the Firefox extension? I am forced to use a third-party virtual keyboard to enter the master passkey every time I want to use that extension.
    Thanks

  • RichardPayne
    RichardPayne
    Community Member

    Or you could just use your physical keyboard. It is much easier, and fully supported! :tongue:

  • SineSensus
    SineSensus
    Community Member

    Thank you Richard for not taking my concern so seriously. Good support.

  • RichardPayne
    RichardPayne
    Community Member

    As a fellow customer, it's not my job to take you seriously. Notice that @MikeT already did that (it is his job) an you ignored him.
    To summarise, if your system is compromised to the point where using your physical keyboard in a secure desktop is insecure then using a virtual keyboard is not going to help you. Providing a virtual keyboard is what jpgoldberg calls "security theatre"; adding things which look like they provide extra security but in reality don't.

  • SineSensus
    SineSensus
    Community Member

    Sorry Richard, I thought you were part of the AgileBits Team. Thanks a lot for your input, although I think a virtual keyboard does provide extra security, specially on a web browser addon. As for the @MikeT response, I didn't ignore it, it was clear and concise but he did not include anything about the Firefox addon.
    Thank you both.

  • RichardPayne
    RichardPayne
    Community Member
    edited April 2015

    Ah, I see your confusion. The browser extensions are not the thing that is presenting the vault unlock window. The extensions in v4/5 only contain the filling engine. The code that actually accesses your vault and asks you for you master password is a native code module. On Windows it is called Agile1PAgent.exe and is responsible for displaying the systray icon and the menu that is displayed when you invoke the browser extensions. The native code module and the JS browser extension communicate over a socket connection.

    In security terms it isn't any different to the main app.

  • SineSensus
    SineSensus
    Community Member

    Oh, I see. Well, thanks a lot for your help. :)

  • Hi @SineSensus,

    Sorry Richard, I thought you were part of the AgileBits Team.

    For future references, all AgileBits responses have an orange banner on the post itself as well as the AgileBits logo on the right side of the post.

    As for the @MikeT response, I didn't ignore it, it was clear and concise but he did not include anything about the Firefox addon.

    My apologies, I assumed the answers I gave would make it clear that it applies to both as the application and the 1Password extensions do not have virtual keyboards.

    Just to clarify, you can use virtual desktop for the extensions as well but you might need to enable it first. To do this:

    1. Open the main 1Password application, unlock and press the Preferences button on the toolbar
    2. Go to the Browsers tab and check the option next to Unlock on Secure Desktop

    Next time you unlock via the extension, it will prompt for the password on a secure desktop.

  • SineSensus
    SineSensus
    Community Member

    Excellent, thank you.

  • You're welcome.

This discussion has been closed.