Able to login to Chrome extension on Linux after deauthorizing the device
Hi,
I've just noted something I consider to be a security concern with the Chrome extension on Linux.
I deauthorized the Linux device (which appears as two devices on my profile - see screenshot) but was still able to log back in to the extension without entering my secret key.
Regards
James
1Password Version: Not Provided
Extension Version: 0.8.4
OS Version: Ubuntu 17.04, Chrome 60.0.3112.113 Official Build
Sync Type: Not Provided
Comments
-
I now realise why I am seeing two devices on my profile, one is the login to the 1password web service and the other is the extension.
The other issue definitely seems like a security risk to me though.
0 -
Hey @jamesbwte,
Welcome to the 1Password for Chrome beta!
When you deauthorize a device, the Secret Key stored for 1Password for Chrome or your web browser is not removed. However, deauthorizing a device will kill any active connection to the 1Password server, essentially signing you out. After reviewing our support documentation, it appears we need to describe how this works better across all of our clients.
If you suspect a device has been compromised, lost, or stolen you should assume an attacker could have obtained your Secret Key. Thefore, the best course of action would be to change your Secret Key immediately and deauthorized the device.
We highly recommend using a strong Master Password which is never stored on your device.
I hope that helps, but please let me know if you have any addional questions.
--
Andrew Beyer (Ann Arbor, MI)
Lifeline @ AgileBits0 -
Hi Andrew
Thank you for the explanation, I had the wrong impression of what deauthorizing a device does. I am really impressed with the level of support in the forums and I'm loving 1Password!
Just one more question: Is one's vault stored locally when using the extension?
Kind regards
James0 -
Hey jamesbwte,
You're very welcome! <3
Just one more question: Is one's vault stored locally when using the extension?
In its current forum, 1Password for Chrome doesn't store your vault locally. Instead, your 1Password items are requested from the server and decrypted (on your machine) as they are needed for filling or to display their details.
Our goal is to have a complete offline cache of your items stored locally so we can improve performance and allow 1Password to work when there is a poor or nonexistent network connection. We have an excellent idea on how to make this incredibly secure, which is by far the most important factor when having such a feature. Unfortunately, I can't guarantee when this will be added, but it's definitely in our plan.
Thanks again for joining us on this journey to completely revolutionize using 1Password!
--
Andrew Beyer (Ann Arbor, MI)
Lifeline @ AgileBits0