chrome extension and many computers

I use computers at different offices. I sign into chrome at each computer. I have the 1Password chrome extension. At every computer, it asks for my secret key. Once I have signed into Chrome and the chrome extension has my secret key, shouldn't that work across all computers that I have chrome extension signed into? Why do I have to use the secret key again at each? This is a major inconvenience. I would think my password would be enough each time



Comments

  • @Radman2020, blaxxz is correct in that the secret key makes up part of your credentials and is there to protect your data. I don't know what security Google has in place for a user's data but I don't see us placing that level of faith in it. I saw a query just recently where it was being asked whether restoring from a backup onto a new mobile device should retain the secret key and I am firmly in the position that it shouldn't.

  • It isn't as if signing into chrome opens up 1password. You still have to sign into 1password with your 1password password. It is the additional secret key that is also required that doesn't make sense (at least as non optional). This means I have to write down the secret key or put it in electronic form which may not be secure. Lastpass for example doesn't require this. You still have 2 levels of security (chrome password and 1password password) which may be enough. Not against having a third level as an option. But having it mandatory is a burden and actually compromises security because I have to carry it around. What happens when you travel? Do you have to take your third password (secret password) with you? How do you take that easily and securely?

  • Greetings @Radman2020,

    This should only be happening once as you initialise each client, 1Password X being a client just like 1Password for Mac/iOS/Windows/Android. The scenario you describe isn't one I've ever experienced because if I need to I have either my iPhone or MacBook with me and I'm not setting up 1Password X on any device that I don't own or trust. Should I need to set up a new device then all the relevant details can be sourced from any copy of 1Password already set up and in the case of 1Password for Mac and iOS (possibly the others as well) both clients can generate a QR code that the other can scan. That won't work for 1Password X though as it is still only an extension and limited in what a browser will let it do.

  • lost you... So I am sitting in a hotel in Hong Kong working on a presentation. I need full access to all my resources. I sign into chrome with my password to chrome and get access to my google mail, Drive etc. I go to sign into 1 password and it requires a password... great. Now it needs the secret code.. which I am saying I wish it didn't need... but you are saying I can access a QR code instead of having the secret code written out?

    thx for working through this with me.

  • littlebobbytables

    Team Member
    edited January 2019

    Hi @Radman2020,

    Sorry, it looks like I may have only caused some confusion when I elaborated.

    The QR code, which you can find both on the Emergency Kit PDF and even after signing into your 1Password account in the browser can also be generated on the fly by either 1Password for iOS or 1Password for Mac. On the Apple side where I have more experience both clients will allow you to scan (or generate) the QR code to populate all the fields except for the Master Password. All of this though does assume access to a device where things are already set up. For me I always have my iPhone at hand.

    This doesn't apply to 1Password X as it only exists inside the browser. By the time you could scan the code you've already supplied all the details 1Password X needs to set everything up.

    It isn't that we place limits on the number of devices you can use but there is the belief that people are only using trusted devices under their control. After setting up maybe a handful of devices it is assumed things settle down and it's more about using the client than initialisation. It sounds like you're hopping from device to device which I would say isn't the use case envisaged when everything was being designed. 1Password on a mobile device though would still supply access to the secret key in a secure way as carrying a PDF or printout wouldn't be secure, on that I'm in definite agreement with you.

  • Ok.. I'm losing you.. not sure what 1Password is vs 1Password X.. but to clarify. I use android. I always have my phone. If I am at a new computer at one of my offices and I need to generate the secret key, how do I do it securely and easily? I guess the issue then is I have to copy that long password manually to the computer which is a pain.

  • Greetings @Radman2020,

    Your 1Password account consists of encrypted data on our servers that describes the contents of your vault(s). To do anything meaningful you need the client to connect to our server. The clients are a combination of dedicated applications e.g. 1Password for Mac, 1Password for Android and so on and 1Password X. This is a standalone extension we initially designed to add support for platforms like ChromeOS and Linux, places we didn't have a native application. It may only be an extension that resides in Chrome but it has to perform many of the same tasks that the native applications do. It is this section of the support forum that you posted your query. The native clients can do anything that the operating system allows them to do, 1Password X is limited by what the browser will let it do.

    If you don't have 1Password set up on your Android device our support page Get the 1Password apps will help in how to do this.

    Once you have 1Password for Android set up you can always access your secret key with the following steps.

    1. From the main 1Password screen select the Settings option from the bar at the bottom of the screen.
    2. Select the 1Password accounts menu option.
    3. Select the 1Password account listed.
    4. Long tap on the secret key to reveal a small menu. It has two options, Reveal and Large Type. Both will allow you to view the secret key from this device.

    Yes the secret key will still need to be manually typed if you're trying to set up 1Password X on an entirely new computer but your mobile device will always mean you have access to it.

    Maybe I'm wrong but your use case seems unusual. The vast majority of our users are not jumping from computer to computer in this manner. What I don't see is a clear and obvious way to make your use more convenient that wouldn't weaken the security the secret key is meant to be providing. Somebody else may but whatever it is it cannot be at the cost for the majority of our users.

  • Reasonable. I probably have 10 offices I go to. Frankly, over time, I can get the master key set up on all of them. Just letting you know that your competition Lastpass doesn't have the security of the secret key in addition to their password. This is a security plus for 1password. For them, I would say that not having this as an option is a negative. For you, not having the ability to forgo the secret key for those of us that don't need that level of security is a negative. There are always pros and cons. I could make an argument that if 2 passwords are good, why not have a third? (and therefore, why not the option at least for just one).

    Anyway, for those trying to discern between different products, I have to say that the 1password interface is incredibly cleaner, more streamlined and straightforward than Lastpass. 1Password is much more of a pleasure to use.

    Having said that, Lastpass can be free for people that don't need advanced functionality. Also Lastpass allows printing of a list of passwords. You may see this as a security risk. But it is a critical thing for people to have. If something were to happen to me, my wife needs all my passwords. I have seen this scenario. With Lastpass, you can print out all passwords and put them in a secure location, such as a safe deposit box. I know with 1password, you can print out any one password, but not the list of all. Please let me know if I am in error. For me, this is a dealbreaker. I have a friend whose spouse passed away and it was a long complicated process to try to get into accounts that were password protected that she didn't have access to because there was no list of passwords available.

  • 1. With a Family subscription, you can set up both yourself and your spouse with the ability to recover the other's data.
    2. One thing you could do to reduce the nuisance of manually retyping the same Secret Key so often is to use a Yubikey that allows storing a static string in one of its slots. Then entering the string becomes as simple as plugging in the key and pressing the button. If you lose the key, it won't have anything on it that obviously identifies it with your 1Password account, and you can change the Secret Key using the web client. This might be easier than what you're doing now.

  • @Radman2020, a third password you say... hmmm :lol:

    Security is tricky. It's definitely a tightrope, where you have to balance security versus friendliness. Airtight security that's impenetrable for anybody not insanely gifted is useless if us mere mortals have no chance of figuring it out and it can go the other way where by trying to make something super easy to use you actually weaken the protection. I'm not saying we've got the balance right and things could change as we learn better what works and what doesn't but I am always reassured that we have a security team who question everything and whose position is about the safety of our (and your) data.

    Printing is definitely a weak point with 1Password. 1Password for Mac, the native application, does have a way of printing an entire vault but the formatting doesn't even whisper compact let alone shout it.

    As gedankenexperimenter mentioned, with either a 1Password Families or 1Password Teams account we allow a way for those that can control the overall account to assist other members of the same account. It's a recovery process that doesn't involve anybody at 1Password and we're still very much in the position that we cannot reset a Master Password for anybody, not even at the urges from an entity in an official capacity and we intend to keep it that way. We cover this on our support page Recover accounts for family or team members. For it to be effective though in the event of somebody passing away access to the registered email address would need to be possible before recovery. For that you would probably want to use the shared vault just for the email accounts as well as any other shared items. One small positive with this approach is you wouldn't need to worry about keeping a hardcopy current. That or both partners could keep a hardcopy of their Emergency Kit somewhere safe with the Master Password recorded as well to also allow full access and like above that would only need updated as when those key details changed.

    Now I could be wrong but I don't think a Yubi key will help here @gedankenexperimenter. I don't speak from personal experience, I've not owned a Yubi key so far but as the issue here is with setting up new devices the secret key will always be needed and assuming the same device is used for each subsequent visit (per office) it should remember the secret key for the user. The Yubi key would only be another layer on top of that. It is quite possible I've misunderstood some aspect to the key though.

  • Now I could be wrong but I don't think a Yubi key will help here @gedankenexperimenter. I don't speak from personal experience, I've not owned a Yubi key so far but as the issue here is with setting up new devices the secret key will always be needed and assuming the same device is used for each subsequent visit (per office) it should remember the secret key for the user. The Yubi key would only be another layer on top of that. It is quite possible I've misunderstood some aspect to the key though.

    I see the confusion. I'm not talking about the OTP or U2F capabilities of the Yubikey here.

    It is possible to program some Yubikey models to emit a static password when it is inserted and the "button" pressed. They have two "slots", so you can use slot 2 (activated by a "long press") to store the Secret Key to a 1Password account, and thus not need to have it memorized, or need to type it out manually each time it's entered. I've tested this out on one of mine, and the only tricky bit is that it can only store 38 characters, so I had to leave the hyphens out.

  • Hi @gedankenexperimenter,

    I'm going to consider that my something new for today, thank you :smile: I stand corrected, it seems a Yubi key could be potentially used to help minimise setting up new copies of 1Password X.

This discussion has been closed.