Double verification for certain items

One thing all password managers have yet to implement is a per-item client-sided encryption mechanism using a password/key completely unbeknownst to the password manager itself.

Let me explain what the feature would look like first.

The feature would essentially allow users to make an item "password protected", but this password would not be their account's password nor their account's secret key, it would be a password of their choosing unique to that item. Said password would then be used to encrypt the item's data.

On 1Password's side, the (client-side encrypted) item would be encrypted again using the existing mechanism, the difference being that unlike with normal items, the items that are password-protected are encrypted on the client side, which means they would not be compromised even if somebody else gained access to a user's 1Password account.

This would allow users to protect very sensitive items and make it significantly harder for a malicious actor to gain complete access to a user's information even in a scenario where they gain physical access to a user's device or if 1Password is ever breached.

These items would of course be impossible to recover should the user forget the item's password, as such, it may be a good idea to hide the password protection unless a setting enabling the feature is toggled by the user with a warning mentioning the risk of forgetting their password.

When a user would try accessing the item, they would always be prompted to enter the item's password.

This would be useful for securing the following types of items:

• Bank account credentials
• Credit cards
• TOPT (while I agree with some of the points made in https://blog.1password.com/totp-for-1password-users/ and I have hardware security keys for accounts I want true MFA on, it is an undeniable fact that if the feature exists, people will use it, even if it's not always the best decision, and a malicious actor with physical access to a device in which the user is already authenticated on 1Password with would allow them to do a lot of damage)
• Important credentials, such as the 1Password's credentials that are added automatically upon account creation as part of the "Starter Kit"

Right now, the only alternative I have is to create a "Document" item and upload a password-protected archive, but that's not the most portable or ideal solution.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Hello @Dave!

By default, when you create a 1Password account, an entry "1Password Account" is created with the tag "Starter Kit".
This entry contains:

• Your 1Password password
• Your 1Password secret key

Let's say somebody gained access to your computer or your phone, and your account was unlocked.

They would effectively have access to everything they need.

LastPass had a feature to protect against this which was basically an optional checkbox on each entry labeled "Require master password re-prompt", which, if enabled on a specific entry, forced the user to re-enter the master password (even if you had already logged in) to view the item's details.

This would make it so even if a user gained physical access to your account, they'd have to re-enter your password (which they do not know). Securing very important logins (e.g. 1Password Account, bank account, private documents, etc.) would be an excellent way to ensure that physical access to a device does not guarantee access to every logins.

This may seem like a stretch, but given how many phones are stolen every year, it's not that unusual.

Anyways, what I was suggesting was implementing something similar to what LastPass has (per-item configuration that lets users configure whether password should be re-prompted to view the credentials), but while allowing users to set an arbitrary password.

To be honest, the per-entry password suggestion can be ignored, but the ability to require master password re-prompt on items of one's choosing would be a very welcomed security feature.

2FA recovery codes are not something you use very often. I don't see the need for another password.
You already have password in you computer and phone then another password for 1password app..And your asking for another password?
Why not just zip it and attach.

A simpler example: I have a screen time app called ourPact to which I log in to give my daughter extra screen time.

My daughter knows my phone passcode, which on the whole I’m fine with as it allows her to check things and use apps which are on my phone.

Knowing my passcode however gives her access to 1Password passwords as it is the fallback for faceid so she can give herself more time whenever she finds my phone unguarded!

Having the ability to set an additional passcode/password for certain items would add this extra layer of security for these scenarios. Apple screen time does this by having a separate passcode to your regular phone one just for screen time.