To protect your privacy: email us with billing or account questions instead of posting here.

1password.com Browser Security

hotpancakes
hotpancakes
Community Member

I'm just about to sign up for a 1P subscription (I already have a license), but I have a question regarding the security of 1password.com logins. Given that one must enter both a Secret Key + Master Key into a web form, I want to be 100% certain that the page being served is indeed from 1Password and not an imposter. Do the browser extensions do a validation of the 1password.com login payload?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @hotpancakes

    Great question. The answer at present is no: there is no code signing for the web app. We recently had a discussion about this here:

    Security of the 1password.com account creation process — AgileBits Support Forum

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • hotpancakes
    hotpancakes
    Community Member

    :( That's unfortunate. That would be the only thing preventing me from converting license -> subscription. Is the web interface necessary for any part of 1Password's operation? (I'm on MacOS and iOS).

  • It is currently, yes. The web interface is the only way to access the admin console. As far as routine 1Password operation though it is not needed, and once set up most people only rarely if ever login to the web interface (unless they're specifically looking to have access to 1Password through a web interface e.x. from a friend's trusted computer).

    Ben

  • To add, as is mentioned in that thread, we're looking into both

    1) reducing the need to use the web interface at all
    2) the possibility of delivering the web interface through a code signed application

    Ben

  • Just in the brainstorming phase at this point, and not sure it'll be possible on iOS, but yes: essentially.

    Ben

This discussion has been closed.