UI design deficiency with login page (login failure)

Boosh
Community Member

I tried logging into my 1Password account on a different computer and I kept being told that my email or secret key were incorrect. In fact, neither was incorrect. It turns out that I had to change the login URL to .ca instead of .com.

Can the UI/Web design team update the login page to account for this issue, please? So, if a login fails, update the dialog to suggest changing the location URL, in addition to double-checking our email and secret key?

Thanks.


Comments

  • AGAlumB
    1Password Alumni

    @Boosh: No. But it's a really good question and I'm glad you asked it.

    While I'm really sorry for the confusion you had about your sign in address, we're not going to have our website leak information about our customers if we can help it. In fact, both the Secret Key and Master Password you entered would be incorrect in the case you describe. If we changed it to tell you, "Oh, sorry, you have an account but the sign in address/password/key is different", that not only tells someone that you have a 1Password account under that email address but also gives them guidance as far as what was wrong and where to focus their efforts. Not cool.

    In reality, the website isn't checking any of your credentials; the web app running in your browser on your machine locally uses those inputs to generate a cryptographic verifier, which is not reversible, to be sent to the server for comparison. That way we never have to know anyone's credentials, and there is not even risk of them being intercepted over the internet because they are simply never sent.

    And, in the particular scenario you're talking about, 1Password.com has no way whatsoever of knowing anything about 1Password.eu; they're completely separate, and that's sort of the point, since some folks want to use a server that is exclusively within the EU (or must for regulatory reasons). So this isn't something we can reasonably make easier for you without risking our customers' privacy (even in a very small way, it's not okay; we take this very seriously) and also negating the purpose of having separate servers in the first place.

    Again, I am sorry for the inconvenience, but when in doubt, you can always refer to your Emergency Kit for the correct sign in address. I hope this helps. Be sure to let me know if you have any other questions! :)
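
The behaviour described in the reply above, as an added example that is not part of the original thread and not 1Password's code: two regional servers that share nothing, a verifier derived on the client, and one failure message whatever the cause. `RegionServer`, `attempt`, the PBKDF2 derivation and the message wording are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed wording: one message for every failure cause.
GENERIC_ERROR = "Sign-in failed. Check your sign-in details."


def derive_verifier(email, secret_key, password, salt):
    """Client side: derive a one-way value locally; the raw inputs are never sent.
    PBKDF2 is a stand-in chosen for this example, not the service's scheme."""
    material = "|".join((email.lower(), secret_key, password)).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


class RegionServer:
    """One region's server: it stores only its own accounts (hypothetical model)."""

    def __init__(self):
        self._accounts = {}  # email -> (salt, verifier)
        self._fake_key = os.urandom(32)  # keys fake salts and the dummy verifier

    def enroll(self, email, secret_key, password):
        salt = os.urandom(16)
        verifier = derive_verifier(email, secret_key, password, salt)
        self._accounts[email.lower()] = (salt, verifier)

    def _fake(self, email, label):
        msg = label + email.lower().encode()
        return hmac.new(self._fake_key, msg, hashlib.sha256).digest()

    def salt_for(self, email):
        # Unknown emails get a stable fake salt, so this lookup reveals nothing.
        record = self._accounts.get(email.lower())
        return record[0] if record else self._fake(email, b"salt:")[:16]

    def sign_in(self, email, verifier):
        record = self._accounts.get(email.lower())
        expected = record[1] if record else self._fake(email, b"verifier:")
        # Always run the constant-time compare, even when no account exists.
        match = hmac.compare_digest(expected, verifier)
        if record and match:
            return (True, "Signed in.")
        return (False, GENERIC_ERROR)


def attempt(server, email, secret_key, password):
    """Full exchange: fetch salt, derive locally, submit only the verifier."""
    salt = server.salt_for(email)
    return server.sign_in(email, derive_verifier(email, secret_key, password, salt))
```

Correct credentials sent to the wrong region, a wrong Secret Key, and an email with no account at all produce the identical response, so the reply carries no hint about which input was wrong or whether the account exists.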

  • Boosh
    Community Member

    Thanks for the very interesting and detailed explanation. I never thought about the security implications of the login page in that way. I was thinking of it from a usability standpoint. Good to know.

    Thanks.

  • Meek

    @Boosh Yeah, there is often a balance that needs to be struck between usability and security. We try to find ways of having them both whenever possible, but in certain cases, security needs to win out.

    If there is anything else we can help with, please let us know!

This discussion has been closed.