[1pw browser] naming of clients.

My1, Community Member

There isn't a subforum for the browser 1pw, but I first saw it on Windows so I write it here.

Trying to use 1pass in the browser results in a bit of fun when looking at the signed-in devices. It just lists the browser type and OS version. Using different PCs with the same OS and browser (in my case Win 8.1 and Firefox) gets really messy when you want to kick a certain device out but you cannot know how.
That's why it may be helpful to be able to assign a name and see when it was added to the account and last used.

Best regards.


1Password Version: browser
Extension Version: --
OS Version: win8.1
Sync Type: 1pw account

Comments

  • AGAlumB, 1Password Alumni

    @My1: I hope you don't mind, but I've moved your post to the 1Password Teams category of the forums. We don't have a category specifically for 1Password.com in general, but the developers working on the web service will see it here.

    That's actually a really cool suggestion! You're right that it can be a bit inscrutable which "device" is which, especially with browser

    Can you tell me more about the circumstances where you're finding yourself needing to regularly deauthorize devices? That may help us get a sense for how it's being used. Thanks! :)

    ref: B5-1782

  • My1, Community Member

    Okay. I didn't use the team category because, well, I am not part of any team.

    It isn't about having to regularly deauth devices,
    but being able to kick a device into oblivion if needed, no matter whether it's often or not.

    Just by the way, how do you store the acc key in the browsers? I mean, directly on the client makes the deauth fairly useless. How would that even work? I mean, anyone could then technically just copy out the acc key, which entirely removes the point of deauth.

  • Thanks for clarifying! We'll keep that in mind. :)

    Just by the way, how do you store the acc key in the browsers? I mean, directly on the client makes the deauth fairly useless. How would that even work? I mean, anyone could then technically just copy out the acc key, which entirely removes the point of deauth.

    Great question. When you try to sign in from a browser that has been removed from the list of authorized devices, the Account Key will be removed from local storage and you will need to enter it again to sign in. Deauthorization effectively makes you enter your details again on that device as a new one.

  • My1, Community Member

    So the key is stored in local storage, but the question is whether the key is secured in ANY way, because if not, anyone who can access the computer data directly (which sadly isn't really hard in Windows) could grab the key out of wherever the browser stores localstorage, and the deauth would be useless.

    Also (another "by the way"), I think an (optional) dynamic second factor for server authorisation wouldn't be bad. The acc key is great for the crypto, but when someone can get the PW and key (which can happen; many OSes are full of zero-day exploits, which isn't a surprise in such complex software systems) a dynamic 2FA would limit the attack time drastically unless they can get into your servers, and while your average 6-digit PIN may sound like not much security, it's enough when it only allows authing for a short time.

    But the way it is now, the attacker can wait for a time that's convenient (e.g. when the victim is sleeping) to get in and steal the passwords and do a lot of bad stuff, because the victim can't react to the email at that time. Not only that, but an attacker could also regenerate the account key to make sure that the victim can't access the passwords anymore, which in short would be BAD.

    Having 2FA for at least once would increase the safety against that by A LOT, because unless your servers are hacked an attacker can only act while the victim is also active, making it far quicker for a victim to react if anything happens.

    Also, rather than the probably pretty hard password, it is easier to type in the 2FA code more often, which makes locking easier, or in the case of U2F where you just plug in a stick to do stuff; and U2F is also safe against phishing and stuff because the domain literally is part of the key generated by the device, so it's perfect for a browser login.

    I am completely aware that 2FA gets useless when the servers are hacked, but in all other scenarios it can be very helpful because it limits the attack time drastically.

  • The Account Key is a local secret so it's not meant to be protected locally against the device being accessed by someone else. If you deauthorize a device, the Account Key will be removed from local storage so you don't have to worry about anything happening to it. In general, the Master Password is what protects your 1Password data that is stored locally.

    As for two-factor authentication, we actually have that available for 1Password Teams users right now in beta. It uses Duo and works really well. You can enable it from the Beta tab on your team settings page. :)

  • My1, Community Member (edited September 2016)

    Well, the problem is that the deauth CAN ONLY work when the browser is OPEN and has 1pw opened, which means that if the PC is off the deauth won't kick in until someone opens 1pw in the browser, which means that it's "freely available" for anyone with access to the PC, be it some virus or another person with physical access to the PC.

    Also, having 2FA in isn't bad, although I can't test it (individual account), but honestly, why use something like Duo, where you essentially have to trust the 2FA process to someone else (Duo generally isn't bad, but for highly sensitive stuff like this I'd rather have a direct way)? Wouldn't it be better just to use good old standard TOTP? It's direct, it's OFFLINE, an OPEN standard ( https://tools.ietf.org/html/rfc6238 ), and there are A TON of apps, devices and whatever supporting it. I would essentially use a smartphone from 2011, take out the SIM and use it as a 2FA device, or obviously the Internet of Things, where one can create ANY kind of device which could do 2FA.

  • That is correct. We recommend regenerating the Account Key from your profile page if you suspect the device may be compromised. To be clear, the Account Key will only be removed from a device that has been deauthorized if a sign in is attempted there. If you regenerate the Account Key, you will be asked to sign in on all your devices once again, which is a minor inconvenience if the device is compromised.

    Thanks for the feedback on two-factor authentication. We chose Duo because it's great for businesses, and that's why it's only available for Teams users. Some teams requested it specifically, and it's a widely-respected platform for MFA. I've personally not experienced anything easier than it from a user's perspective either — it works great for us at AgileBits. Multi-factor authentication may come to other account types in the future, and we're exploring other possibilities for that, but it's not on the immediate roadmap.
