Inline Vault Unlocking

I really don't like the workflow of clicking on the inline 1Password icon and just being told I need to unlock it somewhere else. I think this would be a great place for some just-in-time activation. Either let me put my password in the small box that pops up, or make that click open the main 1Password frame and focus the password field so I can begin typing my password then.

There might be other good ways to handle this, but the point is that when I click that button, I want to use a password. If the vault is unlocked, it's just another click to fill one. If the vault is locked, I should be able to just type my password then use one more click without having to type the activation keyboard shortcut.


1Password Version: Not Provided
Extension Version: 1.6.7
OS Version: Ubuntu 17.10
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni

    @shreve: Thanks for getting in touch! Can you tell me what you mean by "being told I need to unlock it somewhere else"?

  • shreve
    Community Member

    Either I need to press the activation shortcut or click the browser chrome button and open a different window to enter my password there.

  • yozlet
    Community Member
    edited April 2018

    Seconded! It always makes me sigh when I see that pop-up (though, for me it asks for Command-Shift-X) and I then have to do the claw with my left hand. (I hate to imagine the accessibility implications here.)

    Why not just ask for my password straight off? Or, give me a little button within that popup to press first.

    I feel like there's an explicit design goal in forcing a key combo, but I can't work out what it is.

  • AGAlumB
    1Password Alumni

    @yozlet: You've hit the nail on the head! ;)

    @shreve: But I owe you an apology for the wait, and also an explanation. Thanks for your patience!

    Indeed, this is very intentional, but I'm sorry that it isn't more intuitive: 1Password X doesn't allow you to unlock from within the webpage because that would make it trivial for a malicious website to impersonate 1Password X to get your Master Password.

    Put another way, if we get you in the habit of typing your Master Password right in the web form, there's a good chance you'll type it there any time without giving it a second thought. So 1Password X will always require you to unlock from the browser extension menu itself, since that cannot be spoofed.

    Again, I'm sorry that this isn't clearer, and that it is a bit of a hassle. But I hope you'll understand the reasoning behind this, and if you have any other thoughts about this or anything else we'd love to hear them! :)

  • yozlet
    Community Member
    edited May 2018

    *slaps forehead*

    As someone who's worked in web application security, I really should have worked this out for myself. (Back to school with me.) Thank you for the explanation!

    Now it makes me wonder if there should be a way for web extensions to work with the DOM and make undetectable layers over it. (Looking through the web extensions docs, I can't see an existing method.) It's not great that 1Password X additions are detectable by web apps, but as you say, the fact that they can't spoof full unlocking is a good defense.

  • AGAlumB
    1Password Alumni

    > slaps forehead
    > As someone who's worked in web application security, I really should have worked this out for myself. (Back to school with me.) Thank you for the explanation!

    @yozlet: You're welcome! If it helps, I had my own /facepalm moment with this initially. I'm just lucky enough to have a head start on you in this case. You can school me on other aspects of web development for sure! :lol:

    > Now it makes me wonder if there should be a way for web extensions to work with the DOM and make undetectable layers over it. (Looking through the web extensions docs, I can't see an existing method.) It's not great that 1Password X additions are detectable by web apps, but as you say, the fact that they can't spoof full unlocking is a good defense.

    I'd agree with "good", but it's not a great user experience. I do hope that we'll have additional options in the future. If history is any indication, web browsers and their extension APIs will probably continue to become more secure and offer more tools for developers, so I'm hopeful. :)

This discussion has been closed.