Feature Request: Request Passwords (similar to Dropbox's Request Files)
Hello People!
I know you have the guests feature.. but in real life, clients don't want to spend time registering in 1password, then learning to use the software or webapp to finally send me "the damn password". They just want to send it via Facebook Messenger (but please keep it secure lol!)
Is it very difficult that you could create something like the Dropbox File Request feature?
1) 1password user creates a password request, it's nice if I can ask for a password, but it's great if I can set some fields like: host, username, password, port
2) 1password gives me a private link that I can share with my client
3) My client enters to a very basic page that only has a single form with the fields I created.
4) The submited data is saved on the vault I choosed!
I hope you guys can create this.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
@aaronmx: We'll continue to evaluate different options, but we do not have plans to implement insecure sharing. After all, plenty of options already exist do do that... Sending a "sharing link" or anything else like that would involve obfuscation, not encryption; and even to send something encrypted securely you'd need to negotiate the keys between the two of your via another secure commutation channel. Otherwise it could just be intercepted.
There's nothing stopping you from setting up the guest account yourself though, and telling them the credentials. That helps them by removing some friction, and helps you by not compromising your own security. Keep in mind that guest accounts help you by compartmentalizing without sacrificing security. We'll see if we can come up with other solutions to these problems in the future though, without offering anyone a false sense of security. Cheers! :)
0 -
You're very welcome! Thank you for bringing this up. Hopefully we'll be able to make it easier in the future. :chuffed:
0 -
I feel like the (valid) concerns around "sharing" are being misapplied here. The request isn't to share data out of 1P, it's basically a new way to import data into 1P, one that doesn't require any sort of account setup, weird file formats, or insecure transmission channels.
This would actually be extremely useful. For example, I sometimes have customers that have their own sites that we need to log into. Currently, we don't have a clean way to get these credentials to us, and the transfer inevitably happens by splitting the bits of data and sending them over some combination of phone, e-mail, text message, whatever. To be able to send a 1P link that points to a form that collects the data and drops it into the right vault -- probably a triage vault so that we know to verify before using -- would be ideal.
I don't see this as much of a security concern, either. The only weak spot is that if a bad guy were to get hold of the link, he could give you bad data (e.g., the wrong set of credentials). The security problems with that are real but narrow, and the risk of it happening is very low. More important, it can be mitigated. For example, you might provide the option of a short pin on one or both ends, to be exchanged out-of-band, as well as expiration times, single-use flags, etc. You can also advise the user to simply share the links in a secure way, such as in a system of yours to which the person already has access. Regardless of the details, the feature is very useful, and I've seen it work quite well in things like data vaults used for highly sensitive data exchange.
Everything has some theoretical risk. This type of feature addresses a common situation users face, and it does so in a way that greatly increases security compared with almost every other "solution" currently being employed.
0 -
I feel like the (valid) concerns around "sharing" are being misapplied here. The request isn't to share data out of 1P, it's basically a new way to import data into 1P, one that doesn't require any sort of account setup, weird file formats, or insecure transmission channels.
@BobW: I understand that. No one is saying that wanting something like this is not "valid". But what you're talking about is — today — magic. Of course all technology seems like magic to someone who's never seen it before, so it may be that this problem will be solved in the future and we'll all wonder how we got along without it. But the reason Dropbox can do this is that they have the encryption keys to their users' data. We do not. In order for someone to send you a message securely via any communication channel — mail, email, telegram, telnet, SMS, etc. — they need to have the key to decrypt your message...and since we're talking about doing that securely, you can't transmit the key with the message. We're not going to offer "security" that relies on hope. A "bad guy getting a link", however unlikely (though, not really, since they're transmitted in the clear any time you access a website), causing a 1Password user's data to be compromised is simply not acceptable to almost anyone who pays us for 1Password to keep them secure. Sure, we could add something like that, and many people would use it not understanding the risk. Even one of them being the "unlikely" person whose data was compromised as a result is not something we're willing to accept. If you were that person, I doubt you would either. There are plenty of other solutions available for transmitting data insecurely. People don't need 1Password for that.
0