Feature Req: Unlock Browser/Desktop App via Integrate Mobile App (Android iOS)
Hi
Sorry I did not know where else to post this:
Purpose:
My master password is ridiculously long, but I'm constantly moving around with my laptop, so its a pain have to constantly re-authenticate (without a TouchID), yet the security this provides is important.
Solution:
Provide another means of authenticating, using the mobile.
Criteria:
When opening the Desktop App or Chrome, approval is granted by sending a request to the mobile app. This would prompt on the mobile, either requiring the user to approve via dialog (in the status) or finger print sensor.
1Password Version: 7
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Welcome to the forum, @Kelv1n! Thanks for the suggestion. We do what we can to make strong security and privacy as accessible and user-friendly as possible, but due to the nature of what it IS, there are limitations. An un-passworded Excel spreadsheet of your passwords would be quite convenient indeed, or 1Password without any locking requirements; just open-and-go database with filling capability. But neither would be particularly secure.
What you're asking for is unlikely to be possible in a secure way, since 1Password is encryption-based, instead of authentication-based. Your Master Password is what creates the specific encryption key that allows 1Password to transform the encrypted data within it from gibberish ciphertext unreadable by human or machine into your actual data. Only you know this Master Password -- and that's how it should be, for obvious security reasons. With Touch ID on a Mac, we allow you to optionally use the existing fingerprint system to authenticate you and we store the key to unlock 1Password within the secure enclave on your Mac, so that it's never within accessible system memory. But even that process opens you up to potential theft (however unlikely) by someone being able to spoof your fingerprint. You might consider such a situation unlikely, and I would agree...but it IS something that anyone with enough know-how and a strong enough desire to compromise YOUR specific data could do, that they couldn't if you chose not to enable Touch ID for 1Password.
But with Touch ID, everything happens within the Secure Enclave on your device, which wouldn't be the case if you were trying to provide a token from a mobile device. That would likely involve storing a copy of your Master Password or its equivalent somewhere on your device, or it would require Apple to allow access to the Secure Enclave from external devices. Obviously I can't speak for Apple, so I'd be guessing at best if I told you I had any idea how likely a scenario I thought that might be -- but they haven't done it so far, and their overall moves have been toward tightening, not loosening, security for users. We do give a significant amount of control to 1Password users over how tight to set their own security settings within the app, including how long a Master Password to create, as well as numerous other options...but there are some things we avoid offering as options because as a security app we just can't recommend or even offer options that significantly compromise users' security -- especially ones that may not be easily understood by less-sophisticated users. That said, we'll always continue trying to provide the best combination of convenience AND security...and we'll continue to appreciate all suggestions we receive from people who are thinking along the same lines. Thanks again! :)
0
