Browser AddOn bypassing 2FA and/or Yubikey protection of 1PW Account-Management website. Why?
Hi,
when using your browser addons (all browsers do have the same behavior) I can click within settings at accounts & vaults or integrations and it redirects me to my 1Password account-website 'without' entering any more credentials (no password, no Secret Key) and even setup no 2FA check!
Actually my 1PW account is protected by 2FA with a Yubikey.
But as described above, it is useless, as it directly goes to my account-management website without the need of 2FA verification.
Isn't it possible to protect those direct links from the browser addon to your account-mgmt. website with a password and make 2FA available as I have activated it?!
I would feel much safer if there was additional query protection here. Just like within your main-app. All the links to the 1PW Account websites are protected with my credentials.
Maybe you can change it in future as for me it feels a bit 'open' and unsecured.
1Password Version: 8.10.22
Extension Version: 2.1.8
OS Version: macOS 14.2
Browser: all browsers
Comments
-
Hey @dragon1 👋🐲
What you're seeing here is actually completely intentional behavior, rather than what appears to be a security "loophole" -- let me explain a bit further:
1Password is primarily based on encryption, not authentication; This means that after you've already authenticated a device the first time (via two-factor authentication) and download your data, at that point it's your account password that ultimately protects your local data, as that is how it's encrypted and decrypted.
Authentication and encryption in the 1Password security model
Two-factor authentication protects against the download of your data in the unlikely event someone got ahold of both your account password and Secret Key, but since there's a local cache of your data on a trusted device (in this case, both the extension and desktop app you're signed into) two-factor authentication doesn't come into play at that point - the data's already there on the device, and only your account password can decrypt it.
TL;DR -- Once a device is authorized the first time, two-factor authentication is no longer required, unless the device is subsequently deauthorized through 1Password.com, or the browser/app's locally cached copy of the secret is cleared.
1 -
Hi Blake,
thanks for your detailed feedback. Got it...
But wouldn't it make sense to protect the account-management website? It does not need to be that open.
Those who do access account settings maybe want to have another point of security - because it's the account-management website where you can add/delete security-keys, team members and so on.In general it would feel more safe, to have an additional layer of security over there.
I understand what you mean - but my point is, that sometimes I do feel more safe, when not everything possible will be made possible.
Hope you got what I mean as I'm not a native speaker - sorry for that.
0 -
But wouldn't it make sense to protect the account-management website?
Your 1Password account has always been (and will continue to be) protected by your account password, secret key, and when it comes to new devices, the two-factor authentication code you'll need.
You would have to be already signed in to your 1Password Account within your browser (or in this case, the extension) to access your account management settings the way you're mentioning, so there's no security benefit to additional two-factor authentication when it comes to changing settings on an account.
1
