Is it possible to stop auto-locking when browser closes?


Comments

  • jjo5555
    Community Member

    I know you are trying to help and I appreciate it but none of that helps. Having to authenticate every time I open a browser now means I have had to add my clear text 1Password password to a keyboard/clipboard shortcut just to make my life easier. So this security feature has just become a huge weakness.

    I'm trying to understand the thinking here. The browser has already been approved using three factors, Secret Key, Password and 2FA. Surely I can now decide whether I want a reprompt or not?

    I moved to this solution because I thought you were a mature security company but this all feels a bit "beta" "feature not yet available" to me.

  • ag_yaron
    1Password Alumni

    The main thing here is that you are restricted by the company's policy, @jjo5555

    If this was your own personal computer, you could have installed the desktop app, which would remain unlocked and running in the background and kept the extension unlocked.
    Since you can't do that, you must use the standalone extension - which is completely terminated when the browser closes.

    If we were to keep it unlocked when you close the browser, that means we were keeping your Master Password somewhere on your hard drive, which is a critical security flaw. Yes - your Secret Key is kept locally in the browser, as it is on every device you install 1Password on, but your Master Password is never ever kept anywhere on the device itself. If we keep both your Master Password and Secret Key on the device itself, an attacker could easily decrypt your 1Password database on a whim.

    If you keep your Master Password in plain text somewhere on the computer, you'll be doing what we're trying to avoid for security purposes, but that is up to you.
    I do recommend considering changing your Master Password to something that is easier and quicker to type in, that would be a much better approach to this.

    Also, I'd ask the company's IT if you can get permissions to install the desktop app of 1Password, as it is a security-oriented app it might be approved and will allow you to install the Classic extension.
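
Added example, not part of the original thread and not 1Password's code: a simplified two-secret key derivation illustrating the reply above, where the device keeps the Secret Key but never the password, so disk contents alone cannot rebuild the unlock key unless the password is also stored there. The function names, the `stored_password` field, the iteration count and the sample password are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative work factor, not a vendor setting


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """HKDF (RFC 5869) extract-then-expand, single 32-byte output block."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def derive_unlock_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a memorised secret with a device-held secret; both are required."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    sk_part = hkdf_sha256(secret_key, salt, b"device-secret")
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def enroll_device(password: str) -> dict:
    """What ends up on disk after sign-in: salt, Secret Key, a key check value."""
    salt, secret_key = os.urandom(16), os.urandom(32)
    key = derive_unlock_key(password, secret_key, salt)
    check = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return {"salt": salt, "secret_key": secret_key, "check": check}


def unlock(disk: dict, password: str) -> bool:
    """Re-derive the key from disk contents plus the typed password."""
    key = derive_unlock_key(password, disk["secret_key"], disk["salt"])
    candidate = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, disk["check"])


def disk_alone_unlocks(disk: dict) -> bool:
    """True when everything needed to unlock is readable from the device."""
    stored = disk.get("stored_password")  # hypothetical field: a saved password
    return stored is not None and unlock(disk, stored)


if __name__ == "__main__":
    disk = enroll_device("correct horse battery staple")  # constructed password
    print("password never stored:", disk_alone_unlocks(disk))
    disk["stored_password"] = "correct horse battery staple"  # the shortcut case
    print("password kept on device:", disk_alone_unlocks(disk))
```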

  • jjo5555
    Community Member

    > you could have installed the desktop app

    Which presumably needs authenticating every reboot as well? If not why can't you do this for the browser?

    > it might be approved and will allow you to install the Classic extension.

    It would be approved as I'm the CISO and evaluating this for use across our 6000 users. But the fact it needs IT intervention and the fact that you are calling it "classic" which is code for "legacy and it's going to be trashed", does bode well.

  • jjo5555
    Community Member
    edited April 2021

    Wow. I just installed the Classic extension as you suggested and I see no advantage:
    I still have to log in at every user session - why can't it be linked to my Windows login - I have authenticated and have already approved this device?

  • ag_yaron
    1Password Alumni
    edited April 2021

    > Which presumably needs authenticating every reboot as well?

    Yes, you need to reauthenticate when the desktop app locks up, which is also triggered by an idle auto-lock timer or by restarting/shutting down the computer.

    > It would be approved as I'm the CISO and evaluating this for use across our 6000 users. But the fact it needs IT intervention and the fact that you are calling it "classic" which is code for "legacy and it's going to be trashed", does bode well.

    In such large implementations we'd actually recommend using the independent extension and let it lock often. But for the purpose of clarifying, the Classic extension is indeed named so because all of our efforts are now focused on the independent extension, as we're working on allowing it to integrate with the desktop app as well (just like the Classic one does now), so that users won't have to unlock it with every browser relaunch. However, it would still require you to install the desktop app in any case.

    > I still have to log in at every user session - why can't it be linked to my windows login - I have authenticated and have already approved this device?

    Restarting the device will require you to re-authenticate. We never leave the apps unlocked when the system is down. You can, however, utilize your operating system's features and tie them to 1Password, such as Windows Hello to unlock with a PIN code, or Touch ID on macOS to unlock with your fingerprint, making it way easier and enjoyable.

    If you'd like to know more about why we designed things like this, I highly recommend a deeper dive into the security aspect of it all:

  • jjo5555
    Community Member

    Which is all great but would be a nightmare to roll out to my 6000 users. Will likely stick with your competitors who allow authorisation periods and less interaction.

  • ag_yaron
    1Password Alumni

    We'll be here if you change your mind :+1:

This discussion has been closed.