What is the reason for requiring administrative privileges?

The latest update of 1Password required admin privileges in order to install. Given the fact that the application is installed and runs from %AppData%/Local/1Password, there are no security requirements for this. What changes were implemented which necessitated the change to the update process, or what code requires access to other parts of the system? 1Password worked flawlessly without admin privileges, and the new change just became a headache for my organization as IT will be required to update the application each and every version.

Can you please justify this change? And can you provide a solution for those of us who run with limited credentials?


1Password Version: 7.3.705
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Not Provided
Referrer: forum-search:administrator password

Comments

  • The change is to better protect 1Password's files, @Inari. The concern isn't about security requirements specific to %LOCALAPPDATA%, but instead locking down the 1Password directory specifically from other processes running in the user context that could potentially cause harm. We have some future plans to avoid the obvious pitfalls here for business users – my teammate Mike took a deeper dive on the whys and wherefores of this change and included some discussion of those future plans here, if you'd like to learn more. :+1:

  • Inari
    Community Member
    edited August 2019

    Thanks for getting back to me quickly @bundtkate. You may not be the person to direct this to, but given the post you provided is locked, here is my own 2 cents:

    I appreciate the efforts of 1Password in order to better secure their products, but I believe that the team is going in the wrong direction and doesn't quite understand how UAC works. If the intent of 1Password is to create an elevated service which runs in the background as essentially the updater functionality, then I believe that 1Password is barking up the wrong tree. One of my reasons for using 1Password at work and at home is the fact that it's a lightweight application which runs in isolation. IT has signed off on the use of the program because, up until now, it has been a zero-conf and hands-off product for them that met all the requirements for security. Necessitating services to handle updates in this fashion just adds to additional startup time, more memory usage, and various other issues which are numerous.

    Given the frequency of updates of 1Password, I feel it would be better spent actually fixing the root of the problems than attempting to migrate the application to a UAC required installation or a Program Files based install. The reasoning behind it from the posts you provided me seems like that either the application or installer code isn't up to snuff to handle simple non-"edge cases" such as "file in use". In addition, the need to secure the directory is important, but the application should be capable of handling hijacking through many different means. The app is cloud driven, with a local cache, meaning that there should be no reason that the extremely low probability of a hijacking of the directory should necessitate such a knee-jerk reaction, and possibly upset a large portion of your user-base.

    There are many different applications, from vendors small and large, that are capable of handling these kinds of situations on a regular basis - including some of which are in your market, and I implore you to consider an alternative course of action to keep your application as barrier-free as possible.

    I love 1Password and so does my employer, and we would like to keep that love going.

  • MikeT
    edited August 2019

    Hi,

    > There are many different applications, from vendors small and large, that are capable of handling these kinds of situations on a regular basis - including some of which are in your market, and I implore you to consider an alternative course of action to keep your application as barrier-free as possible.

    We have for months and even re-reviewed Microsoft's own security guidelines, but most of them can be bypassed by simply replacing the main file instead. By preventing the file replacements, the attacks can be mostly mitigated. It is not a one-for-all fix but it helps a lot.

    > One of my reasons for using 1Password at work and at home is the fact that it's a lightweight application which runs in isolation.

    That's also the reason 1Password can be easily compromised; with no restrictions to its app directory, any files can be replaced by any running processes that you may not be aware of and you're compromised. This is just to add an extra line of defense but it is not a full solution.

    > If the intent of 1Password is to create an elevated service which runs in the background as essentially the updater functionality,

    That's not the intent, we don't plan to do a background service at the moment. However, it is too early to confirm anything about what we're doing in a future 1Password version. The plan was to register something with Windows to fork an elevated 1Password process that will then check for an update and replace files, nothing more than that. It does not run all the time, it doesn't eat any memory nor anything more than what 1Password does, it's just instead of 1Password running the check, it's Windows with the elevation.

    > The app is cloud driven, with a local cache, meaning that there should be no reason that the extremely low probability of a hijacking of the directory should necessitate such a knee-jerk reaction, and possibly upset a large portion of your user-base.

    1Password for Windows isn't a cloud-driven app, just because we happen to offer the 1Password.com subscription as an option, doesn't make it a local "cached" app; we still support standalone vaults but it's a full Windows desktop program with full encrypted database store entirely on disk. There is no cache and 1Password integrates with Windows on deeper levels including using registry for some basic features as well as many Windows APIs such as Hello, EFS, ProtectedData, and so on. It's designed to work offline completely and if compromised, your whole data is at risk. The cloud has nothing to do with this.

    It's not a knee-jerk reaction, this is a legit issue that has been proven with code sent to us. It's our job to ensure we do everything we can possibly do to protect your data.

    I would say that almost all users will be upset if we were to do nothing because this specific change may upset some users. This was in beta test for a month with a lot of users using it and while we fixed all of the reported issues, there weren't any major concerns with it.

    However, we have temporarily halted the update for now and will try to seek a smoother transition due to some reports.

    > The reasoning behind it from the posts you provided me seems like that either the application or installer code isn't up to snuff to handle simple non-"edge cases" such as "file in use".

    The posts were directed to various questions in the same thread and some confusion over file in use which isn't related to this. In this case, the security improvement is to protect against not just DLL hijacking but any type of redirection/file replacement attacks from any random running process.

    With that in mind, we have various approaches we want to try to address this but they will take a lot of time; this lockdown approach is the one that works the best for the bang right now. It is possible we may remove this in a future update if we finish the other approaches that protect your data better.
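
The directory exposure discussed in the post above can be checked on a workstation with the following audit, an added example that is not part of the original thread or 1Password's own code. The function name `Get-UntrustedWriteAce` is hypothetical, the default path is the install location mentioned in the thread, and treating only SYSTEM and Administrators as trusted writers is an assumption.

```powershell
# Added example: report ACL entries that let a non-administrative principal
# replace or tamper with files under an application directory.
# Assumption: default path is the install location named in the thread.
function Get-UntrustedWriteAce {
    param([string]$Path = (Join-Path $env:LOCALAPPDATA '1Password'))

    # Principals expected to hold write access: SYSTEM and BUILTIN\Administrators.
    $trusted = 'S-1-5-18', 'S-1-5-32-544'

    # Specific rights that permit modifying, deleting or re-permissioning files,
    # plus the GENERIC_WRITE / GENERIC_ALL bits that can appear unmapped in an ACE.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'
    $mask = [int]$rights -bor 0x50000000

    # Ask for SIDs directly so unresolvable account names cannot break the check.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Include both explicit and inherited entries.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Value
            if ($trusted -contains $sid) { continue }
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-UntrustedWriteAce | Sort-Object Path, Sid | Format-Table -AutoSize
```

A per-user install under %LOCALAPPDATA% normally inherits write access for the owning user, so that SID appearing in the output is the condition the thread is about; an empty result means only SYSTEM and Administrators can alter the files.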

  • Since you were right I was probably not the best person to give this feedback to, @Inari, I went ahead and grabbed Mike. This is one of those things where yes, I mostly get what's going on, but I didn't feel I could provide the level of depth you were likely looking for. I hope he was able to better clarify.

    I also wanted to add that if your priority is for something light and low-maintenance, you might consider 1Password X. Since it runs entirely in your browser, it is definitely a different experience from the desktop app. All the same, it sounds like it may be something that better fits your needs regardless of what happens with the desktop app in the future. You can check it out here:

    https://support.1password.com/getting-started-1password-x/

    And, of course, if you give it a try and have questions, feel free to ask. :+1:

This discussion has been closed.