Logging in via a webpage vs via an extension page
When initially signing into the extension, I was surprised that it used a standard webpage (https://...) to do the login and somehow communicate back with the extension.
I would've expected that the extension would mediate all interactions with my master password and secret key using the extension directly (via chrome-extension:// url). Lastpass does this, which can help to feel like my internet skeleton keys aren't going to easily leak onto a webpage.
Would it be possible to have all interactions with your main website (even login) mediated by extension-served pages instead of delegating some of it to redirect workflows?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: chromeos
Sync Type: Not Provided
Comments
-
Hey @rboyer,
Welcome to the 1Password for Chrome beta and even better our Support Forum! To better answer your question, can you be a little more specific about your security concerns related to authentication? This is a fairly deep topic, and although I can answer many questions, depending on your concerns, I'll want to loop in a member of our security team.
Have you by any chance seen our Security Whitepaper, specifically the section titled "A modern approach to authentication", starting on page 13?
The best part of 1Password (well in my opinion at least) is that your Master Password and Secret Key never get transmitted to our servers, even when you access your account on 1Password.com. Which means your Master Password & Secret Key can't be intercepted during transport, it also means that even if we were to experience a data breach (from an internal or external threat), we don't have the keys to access your encrypted data. Most people don't realize we can and choose to do that, but doing so is one of the many reasons I trust 1Password with my entire digital life.
Would it be possible to have all interactions with your main website (even login) mediated by extension-served pages instead of delegating some of it to redirect workflows?
I can't give any guarantees yet, but we certainly plan to give users the most convenient way to use 1Password. In my mind, the more I can do from within the extension the better!
Let me know your thoughts and concerns, I'd love to continue this conversation with you. Cheers!
--
Andrew Beyer (Ann Arbor, MI)
Lifeline @ AgileBits0