Feature Request: switch to indicate that a field should be "mobile only"

dogeared
Community Member

The context for this request is in regard to OTP fields.

By having those fields available on the desktop, there's a security risk. It essentially turns two-factor into one-factor.

Here's a scenario:

I accidentally leave my laptop unlocked and 1Password is currently open.

A "bad actor" gets in front of my laptop and uses 1Password to log into a website. I have two-factor OTP enabled on this website. Since that field is available in 1Password desktop, they are able to log in.

If that field were not available in 1Password desktop, two-factor would have saved me as a "last line of defense" in this scenario.

What I am asking is that you implement a feature whereby fields can have a "mobile only" checkbox. If checked, then that field will only show on the 1Password mobile app.

This would make it so that I didn't need a separate OTP app on my phone.


1Password Version: 6.8.1
Extension Version: BETA-1 (681001) AgileBit
OS Version: OSX 10.12.5
Sync Type: cloud
Referrer: forum-search:field mobile

Comments

  • Hi @dogeared,

    Thanks for taking the time to write in. Technically by having both your password and OTP on the same device you have removed the second factor. Indeed, password+TOTP which are both available on the same device is more accurately referred to as "two-step authentication" vs "two-factor authentication."

    We appreciate the feedback, and I'll pass it along to our development team, but your proposed solution does not seem to solve the stated problem.

    Ben

  • dogeared
    Community Member

    The problem is addressed by not having the password and TOTP available on the desktop. On mobile, it's as safe as it ever is because you still need a fingerprint or master password to look at 1Password.

  • @dogeared,

    I'm failing to understand how you see these scenarios (mobile vs desktop) as different. If anything, at least for me, my desktop is more secure as it never leaves my office and generally isn't exposed to anyone other than myself, whereas my phone is generally with me and thus could be more easily lost, stolen, or forgotten somewhere.

    "On mobile, it's as safe as it ever is because you still need a fingerprint or master password to look at 1Password."

    This is true on the desktop as well.

    Ben

  • dogeared
    Community Member

    Actually, not - at least not as I have it configured. As I described above, the scenario is I've inadvertently left my laptop unlocked and 1Password open. 1Password will remain open for minutes, as will my laptop, until one or both lock themselves.

    On my phone, each and every time I use 1Password, I have to fingerprint in.

    I'd like to use 1Password exclusively, but it seems like I'll need to switch back to a separate TOTP app. At least for now...

  • "Actually, not - at least not as I have it configured. As I described above, the scenario is I've inadvertently left my laptop unlocked and 1Password open. 1Password will remain open for minutes, as will my laptop, until one or both lock themselves."

    I see. It is possible to configure 1Password to lock under a number of circumstances:

    "I'd like to use 1Password exclusively, but it seems like I'll need to switch back to a separate TOTP app. At least for now..."

    Indeed. If we were ultimately to make a change here it would not likely be in the immediate future.

    Thanks again for the feedback. We will take it into consideration. :)

    Ben

This discussion has been closed.