How are we supposed to from a public computer -> pincode or yubikey support

vigilliann
Community Member

Hi,

So I'm pretty pissed about your ideology guys. Yes, this post will seem to be from some rant, but I think if you go past that you will understand that there is a real lack of features for a lot of use cases.

1/ There is no section on your forum about your forum itself besides the lounge, and there is no place either to discuss your actual global model of security. You are not anymore a platform by platform password manager, but since you are asking for or at least encouraging a subscription, you are becoming a general cross platform, so there should be a place to discuss that, and not under Windows, Mac or even the different kinds of subscription like families or teams.

2/ How is the average user supposed to log in?
You ask the user to enter a login + secret key + a password, which is the same as for Cisco login (which is bad actually).
So are you guessing that in every cybercafe, in every classroom, in every work room they use only TN monitors or that the screens are not in front of anyone else?
This secret key is never encrypted with dots on your website. It would have been the least you could have done.
How does it prevent anyone from rewriting my secret key on a piece of paper? Didn't you learn anything about the famous post-it on the screen security breach?
You are gonna say "yeah but you have your password" -> Gosh, really guys? So because you have some "basic" redundancy, it prevents you from implementing some serious security measures?
Or maybe your point of view is that you are forcing people to buy their own equipment and to always travel with it?.... Don't you think it is a bit elitist? Or not empathetic about the vast majority of people in the world? Maybe your platform is only reserved to the rich western occidental elite? (Yes I'm forcing the trait on purpose).

So I've read here that your CSO thinks that 2 factor is not necessary. Yeah ... what can I say to that nonsense. It's only ideology on his behalf.
Why is that? On the simple use case I described before.
And don't think that your 2-factor on the phone is enough just because it offers some redundancy.
It is not.
Mailbox.org, for example, has implemented a real 2 factor identification with a pincode + the yubikey output in the password case.
If you want to retrieve your account, nothing more simple: you enter your master password on a secure computer and you get access again to your account if you lost your yubikey for example.
That's how it should be everywhere.
You don't want to put your secret key in front of other people; it's something you should use on secure computers only and/or to retrieve access to your hijacked account or something like that. That's what the behavior should be here.
And at the least, the secret key should be encrypted with dots!
Are you really making people buy their own equipment and excluding people who need to use cybercafes, shared work computers, open-space computers, ...? You are not developing an app for you and your use case only or your work environment; think about other environments!
With the approach of mailbox.org, you get rid of -> eyes-peeking, camera problems, malware problems, remote desktop problems.
With your approach, it needs only one malicious guy with more or less no tech-skill to steal all your information and your phone if you activate the "pseudo" 2FA.

So I really don't know why you don't implement that.
The only argument I can be empathetic with, of course, is that you would need to delay other projects for a few days to implement that. But don't dramatize it too much guys. You are a very efficient team -> you have developed in just a few days a project on GitHub about the Troy Hunt project so don't get drama queen about that <- and all the sufficient APIs are out there for implementing that without any problem, even free of charge!

So what's the real problem here? Some ideology?

It's like the CON- PIN CODE ideology. You have stated many times that it wouldn't be secure enough because of malware and keyloggers or anything like that. But again you seem to not be projecting yourself into the real world. Somewhere outside from your routine of programmers or Canadian or actually middle-high social class.
A pin code is NOT less secure. Why?
Because you don't need to think it as a basic monkey guys.
Enpass does implement it as a one-time (acceptance) error shortcut. Again, it's not about being infected by malware or a keylogger. The use case is eye peeking.
At this stage of development of your platform, the only possible use case is to get access from very secure computers and no public computers at all.
With the pin code + yubikey or something else approach, you just expose the pincode to the outside world. That's why pin codes are useful. For shortcutting and for some security mitigation.
And every mitigation you can add to a vault is a good mitigation!

The only actual solution for the moment for me when I can't access my equipment and I need some password, and yes my passwords are in general 64 chars long so not possible to retype them, is to connect to a mail server with a true 2 factor auth client side and send the codes from my phone to this mailbox. Do you find that a good solution? Of course not, but you don't leave any other solutions to your users. Which is clearly bad. And your behavior where you always neglect the positive and constructive way to improve your platform is a really really aggressive behavior. Not accepting a development just because of internal debate inside the company about some ideology... Guys, I don't get you, are you really developing something for people or your marketers did only segment this product for high middle class people?

And don't answer that post if it's to find new excuses, because there are actually none since I'm myself working in the same field, and besides ideology there are no other good reasons since you've proven that your past excuses were not so true.

I can give you plenty of places where it is actually a bad emplacement to use your system as it is right now. Most of the cybercafes in Paris, Brussels. Most of the departments in the transportation companies in Benelux and France, because you can't connect your equipment to the internal network for security reasons and you need to share computers; arms dealing society, where again you can't bring equipment and when you are not a higher up member because of the sharing issues; nearly any police station when you are just a policeman and not an inspector; and I can go on and on like that for hours.

Think about it and please stop those internal debates and do some actual ground work by letting it be tested by the beta testers or something.
And that post should be going into a dedicated area where we are discussing the threat models and not only business or families or anything else because it applies to anyone.
Best regards



Comments

  • vigilliann
    Community Member

    And I want to specify that besides that huge problem I really like this app and the platform. The only problem is that it's only really usable on your own equipment.

  • AGAlumB
    1Password Alumni

    @vigilliann: Thanks for getting in touch! However, I do need to ask you to refrain from using abusive language. We need to keep the forums as friendly as possible for the wide range of people that visit. Be sure to keep that in mind in the future. We're happy to have you here, so long as you can adhere to the guidelines:

    Forum guidelines

    1/ There is no section on your forum about your forum itself besides the lounge, and there is no place either to discuss your actual global model of security.

    Indeed, Lounge is a good place to discuss more general topics, so I'll move this there. :)

    2/ How is the average user supposed to log in? You ask the user to enter a login + secret key + a password, which is the same as for Cisco login (which is bad actually).

    I'm not completely sure what you're referring to here, but I have to disagree that the Secret Key is "bad": it's a randomly-generated, 128-bit string. It's infeasible for anyone to guess it; they would have to get it from you. And since (like all 1Password credentials) it is not transmitted to the server, it also cannot be captured or stolen from us; we never have it.

    So are you guessing that in every cybercafe, in every classroom, in every work room they use only TN monitors or that the screens are not in front of anyone else?

    If you're suggesting accessing sensitive information in a cybercafe, no, that's not something we can ever recommend. It's your prerogative since it's your data, but that isn't safe, as whoever is in control of that machine can collect your data as you access it, since it must be decrypted in order for you to make use of it.

    This secret key is never encrypted with dots on your website. It would have been the least you could have done.

    "Dots on [a] website" are not encryption. "Dots" are not used to mask the field when signing in the first time because you need to see what you're entering to know if it is correct. And a Secret Key is not easy to enter. But they are used on subsequent logins on an authorized device:

    How does it prevent anyone from rewriting my secret key on a piece of paper? Didn't you learn anything about the famous post-it on the screen security breach?

    We also do not recommend using post it notes for password management. After all, there's an app for that. ;)

    You are gonna say "yeah but you have your password" -> Gosh, really guys? So because you have some "basic" redundancy, it prevents you from implementing some serious security measures?

    I don't know what you're talking about here. Can you clarify?

    Or maybe your point of view is that you are forcing people to buy their own equipment and to always travel with it?.... Don't you think it is a bit elitist? Or not empathetic about the vast majority of people in the world? Maybe your platform is only reserved to the rich western occidental elite? (Yes I'm forcing the trait on purpose).

    I don't think there's any need for you to be elitist or rude. It's simple: you can access your data whenever and wherever you want. It's your choice, and we can't stop you. But much like it's unsafe and unwise to drive without a seatbelt, neither 1Password nor anything else can protect you if you access sensitive information on a compromised machine. Maybe you won't get in a car accident. And maybe the computer at the cybercafe isn't overrun with malware. And maybe I'll win the lottery. But those are not bets I would take, and so they're not things we ever recommend to our customers. Thanks for understanding.

    So I've read here that your CSO thinks that 2 factor is not necessary. Yeah ... what can I say to that nonsense. It's only ideology on his behalf.

    1Password.com has supported two-factor authentication for years. Is it necessary? No. 1Password's security is built on encryption, since that prevents an attacker from accessing your data even if they steal the database, unlike authentication. Is it a useful tool for protecting against some classes of attacks? Absolutely. But it doesn't have the security properties that most people seem to think it does — like making it safe to access sensitive information on public computers; that's risky no matter what.

    Why is that? On the simple use case I described before. And don't think that your 2-factor on the phone is enough just because it offers some redundancy. It is not.

    Then don't use it there. Or use Duo.

    Mailbox.org, for example, has implemented a real 2 factor identification with a pincode + the yubikey output in the password case. If you want to retrieve your account, nothing more simple: you enter your master password on a secure computer and you get access again to your account if you lost your yubikey for example. That's how it should be everywhere.

    No. That's security theater. If you can access it without the Yubikey, then the Yubikey is not protecting your account.

    You don't want to put your secret key in front of other people; it's something you should use on secure computers only and/or to retrieve access to your hijacked account or something like that. That's what the behavior should be here.

    Yep. That's why we recommend only signing into your account on a trusted computer. If the machine is compromised, it can be used to collect your account credentials as you enter them, or anything in your account that you access.

    With your approach, it needs only one malicious guy with more or less no tech-skill to steal all your information and your phone if you activate the "pseudo" 2FA. So I really don't know why you don't implement that.

    How is this "guy" going to "steal all your information"? Even if you give them your device passcode (or don't use one), your 1Password data is encrypted. They'd also need your Master Password in order to decrypt it. Authentication is not involved at that stage; it's already been bypassed because they have your device.

    It's like the CON- PIN CODE ideology. You have stated many times that it wouldn't be secure enough because of malware and keyloggers or anything like that. But again you seem to not be projecting yourself into the real world. Somewhere outside from your routine of programmers or Canadian or actually middle-high social class. A pin code is NOT less secure. Why? Because you don't need to think it as a basic monkey guys.

    Sorry, this is not your personal soapbox or a venue for class warfare. You'll need to take that somewhere else. But a PIN code is less secure because it's limited to digits, and often very, very short. There is very little entropy, and even mobile devices can brute force these nowadays. Using digits, symbols, and letters yields a much greater number of possible combinations, and thus makes it more difficult to guess such a password.

    I can give you plenty of places where it is actually a bad emplacement to use your system as it is right now. Most of the cybercafes in Paris, Brussels. Most of the departments in the transportation companies in Benelux and France, because you can't connect your equipment to the internal network for security reasons and you need to share computers; arms dealing society, where again you can't bring equipment and when you are not a higher up member because of the sharing issues; nearly any police station when you are just a policeman and not an inspector; and I can go on and on like that for hours.

    Yeah, that's not a 1Password issue. It's not safe to use anything sensitive in that environment. I understand that some people want or need to do so anyway, but it's risky nonetheless. The only thing you can hope to do is mitigate potential damage by using an account with only what you absolutely need in it, so that if it is compromised the damage is limited.

    Think about it and please stop those internal debates and do some actual ground work by letting it be tested by the beta testers or something. And that post should be going into a dedicated area where we are discussing the threat models and not only business or families or anything else because it applies to anyone. Best regards

    What are you suggesting we test?

    And I want to specify that besides that huge problem I really like this app and the platform. The only problem is that it's only really usable on your own equipment.

    Thank you for the kind words. To be clear, 1Password is usable just about anywhere. But again, we do recommend using it on a trusted device since doing otherwise puts your important data at risk. I hope that helps clarify.

  • vigilliann
    Community Member

    You didn't listen to anything I said. It's so wonderful how you meticulously avoided speaking about the elephant in the room.

    First, a secret key is not secure. Why?
    Was I talking about transmitting data? No.
    Was I talking about your servers? No.

    I was talking about accessing your vault in public places, which everyone has to do. And I was talking about eyes peeking... which obviously you avoided talking about.
    Why was I speaking about the norm of screens and why did I mention TN screens? Did you do it on purpose?
    Even on a trusted device in a public place it's a problem of eyes peeking....
    You are all about security of the transmission of data blablabla but we are not talking about that here. We are talking about basic eyes peeking here.
    So no, the secret key is not secure in that way, because it's basically a second password. Nothing else.
    Whereas the yubikey is a generator of unique random passwords... mmmhh, see the difference?
    And yes I'm being rude but you are making me that way since you are obviously avoiding talking about the subject I was speaking about.

    And so no, your screenshot is from somewhere you actually already logged in to your vault.... I'm talking about somewhere you didn't.... And it's not encrypted in dots. And yes I know it's not encryption, but give me a synonym then... masked if you prefer? Like the password field does it. It is simple enough to implement, don't you think?

    2 factor Duo is not enough. Why? Because people are leaving their phones on their work desk most of the time. That's why. That's how phones get stolen. Not keys in general. Plus a phone is a valuable object, again not keys, which you most certainly will keep in your pockets alongside the yubikeys.

    Pin codes are not numerical pincodes. Does Enpass use it in a numeric way? No. It needs to be like a password but less big.
    The advantages:
    If someone sees you type it they will only get the pincode, not the master password, and you can put different systems in place to combine it with a time range of use for example or things like that.
    The pincode from mailbox is indeed numerical but it's combined with the yubikey output. And you didn't know about their system obviously, because if you did you wouldn't have made the assumption that you can access your data as easily by your master password, which you cannot. To be able to access your account with your master password it's a whole different system after you activate the yubikey.
    And again the advantages:
    Nobody will know your master password by eye peeking. They will only know your pincode, which is useless without the yubikey.
    So no it's not a security theater and there is absolutely no reason for assuming that.

    And just a note about the malware: to steal the entire vault from a webpage on a random computer, it would be a very specific set of lines of code inside the malware to do that, so it won't be every malware. So that's a no-no as an argument and again not the subject here. The subject was eye peeking.

    So you are assuming to only use trusted devices to access your vault ^^ that's such a magnificent argument. I know that you partly said that for legal reasons, but guys, really? If you don't let people access their vault in the most secure way from a random device by at least protecting them from basic PHYSICAL threats then don't offer your product at all because it's useless in most case scenarios or only if you are alone in a room or at your place.

  • AGAlumB
    1Password Alumni

    @vigilliann: Sorry, do you have a question? I'm not sure what you're looking for exactly.

  • FishingAddict
    Community Member

    brenty, your patience is amazing! I know that I am late to this post but thought that I would end it by restating the most important concept that you tried to make above (several times). Hopefully this will simplify the conversation down to a TL;DR.

    The entire conversation above is moot if the OP simply would accept the FACT that security is simply not possible when using computing hardware that you do not own, manage, and trust. Using a cafe or any other shared computer will never be secure, and no amount of caution by the user, nor behavior of the applications they use, can change that.

  • AGAlumB
    1Password Alumni

    @FishingAddict: Thanks for the kind words. That's a really good point, and even though you credit me with making it earlier (or trying to), I think your comment is a very succinct way of putting it.

    It may be splitting hairs (which I don't have) a bit, but I think it's worth mentioning that it is probably more a matter of safety rather than security though. It's entirely possible that a shared computer is secure, if it is not compromised in any way. The likelihood of that being the case is debatable, but I think it's fair to say that it is unsafe to use a shared computer to access sensitive information in that there is inherently risk involved.

    I intentionally say "shared computer" because a lot of people are comfortable using the same one with their family members, coworkers, etc., and I think a lot of people will probably object to me saying this is "unsafe" when they trust these people. But I want to point out that even trustworthy people make mistakes, and if your loved ones inadvertently compromise the machine by installing something that seems innocuous, that can result in your security being compromised too, since you also use that machine.

    These aren't pleasant things to think about, and also none of us wants to believe that someone close to us could do us harm, even accidentally. But it's the reason why we can never recommend using 1Password in that kind of environment, or design it to be used that way. It just isn't safe. Certainly each of us is free to do as we please based on our assessment (and acceptance) of the risks involved though. We can't stop people from acting against their own best interest, but we believe firmly that we shouldn't be encouraging it.

This discussion has been closed.