How does the Teams code store the Account Key locally in the browser?
How does the Teams code store the Account Key locally in the browser? I've poked around the JavaScript/HTML and all I can figure is that you are caching a copy of an obfuscated JavaScript (or similar) file and using that client side with the password to generate the access keys which actually get sent over the wire.
I only ask because the Teams whitepaper is woefully incomplete on these details and if we are to rely on client-side security for our Linux desktops and other browser-only devices, we want to know what we're in for.
Sincerely,
Stephen Olander-Waters
Enterprise Applications Architect
St. Edward's University
Austin, TX
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Linux Mint Rosa
Sync Type: Not Provided
Comments
-
Hi @Luyseyal,
Thanks for your question. Teams uses the Web Storage API, part of the HTML5 standard, to save the Account Key and any other cached information. This storage is domain-specific, and, in our opinion, a much better choice than traditional cookies.
You can take a look at how this works by visiting the sign in page for your Team, opening up the web inspector, and typing
localStorage
into the JavaScript console. You will get back an object containing email addresses and Account Keys that have been saved for that domain. You can even write to this object directly from the console, just like any other JavaScript object, and your changes will persist when you leave the page or close the browser.
I hope this helps clarify how things work behind the scenes. Don't hesitate to let me know if you have any other questions about the security design of 1Password for Teams. :)
-Mitch
0 -
Ah, OK. I hadn't realized that was separate from the application-specific storage in the Settings/Cache page in Mozilla.
Thanks for the quick response!
-sw
0 -
Cheers! By the way, you can visually examine local storage in Firefox, using the built-in Storage Inspector. But you would need to be on the correct subdomain for any information to appear. I don't think there is a way to see all local storage at once — maybe someone will correct me. :)
0
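Added example, not part of the original thread and not 1Password's code: a way to inventory what a page's origin keeps in Web Storage, as described in the replies above, reporting key names, value lengths and a rough classification without echoing the stored values. The function names, the entropy threshold, and the sample key names and values are all constructed for illustration; the real key names and Account Key format are not given in the thread.

```javascript
// Inventory a Web Storage area without echoing values; in a browser: auditStorage(localStorage).
// Shannon entropy in bits per character; random key material scores high.
function entropyPerChar(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Heuristic classification; the length and entropy thresholds are assumptions.
function classify(value) {
  if (/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value)) return "email";
  if (value.length >= 20 && entropyPerChar(value) >= 3.5) return "possible-secret";
  return "other";
}

// Works on any object exposing the Storage interface: length, key(i), getItem(k).
function auditStorage(storage) {
  const report = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) ?? "";
    report.push({ key, length: value.length, kind: classify(value) });
  }
  return report;
}

// Minimal in-memory stand-in for window.localStorage so the example runs under Node.
function makeMemoryStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key: (i) => Array.from(map.keys())[i] ?? null,
    getItem: (k) => (map.has(k) ? map.get(k) : null),
  };
}

// Constructed sample data; key names and values are placeholders, not real ones.
const sample = makeMemoryStorage({
  "example-email": "user@example.edu",
  "example-account-key": "ZZ-7QK2M9-X4TBRC-PLACEHOLDER-0001",
  "example-theme": "dark",
});
```

Because the report carries only lengths and classifications, it can be pasted into a ticket or audit note without disclosing the stored secret itself.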