
Feature Request: Access Log API for 3rd Parties

Foxing
Community Member

Hi,

I understand it's difficult to create an effective access log for accessing the actual 1Password API.

But what about a different approach: 1Password providing an API for websites/apps that logs each time the user logs in to their service. Host this data away from the 1Password database to make it hard for an attacker to compromise.

The basic idea is that an individual can get a quick overview of when a particular service was last accessed, and from what location.

It would require a third party to integrate the service, but I think the 1Password brand is now strong enough, and security is now on enough people's radar, that they could be encouraged to do so as a service to their customers.

The way I see it working: If my bank were to adopt the API, they would post to a 1Password endpoint each time they logged me in. Now, within 1Password, I can look at a 'recent logins' area, and confirm everything is as expected. 1Password could also run heuristics on the data to notify of anything looking particularly untoward.

Justification for this feature is that, if a password has been compromised successfully, you would have no way of knowing if you don't use the service often. This provides an overview of all your online activity that you can occasionally audit for anything unexpected.

It would give a user valuable feedback even if their master password was compromised.



Comments

  • Ben

    Hi @Foxing

    Thanks for taking the time to share your perspective on this. With more and more services implementing device authorizations, where if you log in from an unrecognized device they'll email/text you, I'm not sure I see where the value of this would outweigh the significant development time required to build it, as well as the marketing efforts to get 3rd party services to implement it. We have a hard enough time getting banks to let customers use password managers, let alone convincing them that they should ping an API on our servers every time one of their customers logs in. :)

    Ben

  • Foxing
    Community Member

    Well – it's certainly a service I'd appreciate!

    I believe if it were centralised and standardised, consumer pressure on third parties would bring it to fruition. The current solution of sending out a ton of emails each time you log in doesn't seem great from a UX perspective.

    Also, by centralising the data, you can look for patterns that contradict other activity.

    My point is that it's all very well saying 'protect your master password', but what happens when that fails? Would you necessarily even know? It's a single point of failure after all. It would be nice to have some signals for when it has failed.

    Some kind of secure auditing would surely be a great service to offer your users – and to differentiate your company.

  • Ben

    I don't think we're in a position at this point where we'd be able to take that on, but it is certainly an interesting idea and perhaps something we can consider as our staffing levels continue to increase and we have more resources available.

    Ben

This discussion has been closed.