"unlock on secure desktop" after timeout

Digging around I learned of the automatically "unlock on secure desktop" feature setting. Which, from my reading, sounds like added security. Don't know why it isn't automatically set to automatic though.

I have it set to automatically open to "unlock on secure desktop". Though I've noticed after a timeout. When you click on the bottom taskbar 1Password tab to put in your MP. You see the "unlock on secure desktop" icon in the upper right of the screen like it would without checking the automatic "unlock on secure desktop" box in the settings.

I don't know if it has to work that way. But would be nice if it would still be set to automatically "unlock on secure desktop" after it times out. As I had that set to open up on secure desktop automatically, but it appears to goes back to manual mode after a timeout. So the automatic setting it kind of pointless if you have to manually set it to that most of the time anyways.

Comments

  • If by "timeout" you mean the timed autolock (configured in 1Password preferences) then you can't have it automatically use the secure desktop because doing so would prevent the user from doing whatever they're doing at the time. Also note this is only the case if the 1Password app is open when it locks. If it is minimised to the systray when it locks then clicking on the padlock icon to re-open the app will trigger a secure desktop unlock.

    If this isn't what you are talking about then could you provide some more precisely defined steps for the problem?

  • It's the timed autolock I'm referring to. As I mostly put the MP in after an autolock timeout. I liked the automatic open on secure desktop option, but inadvertently discovered that was pointless if you mostly put a MP in after a timeout since you have to manually go in secure desktop mod anyways. This "secure desktop" feature should be advertised more if it actually is more secure using it than without.

    I'm still messing with it, but it also did appear to timeout when it shouldn't. I've done some adjustments in the settings to check it out and will look at it again later on. But I had problems too of it locking out sooner than it should. As for example, I had the notepad open. And I was adding things, and then going and looking elsewhere for data to then add into the notepad. So I was going back and forth for a while, and then the 1Password timed out suddenly as I heard it close even though I had been using the notepad before it would have timed out. And so after that timeout example, I put the MP in and opened it up, and all that stuff I had put in the notepad was gone as it didn't save apparently because it timed out before I closed the notepad that saves it even though I had been "using" the notepad that should have kept resetting the clock.

    There was a time for example that I "heard" it close like a minute after putting the MP in. I checked it and saw it had closed to confirm it. That was just one time though.

    But I'll shorten the timeout so I can easily run some tests on it. As since that time the thing timed out and I lost my notepad data I had been working on. I've been closing things out frequently, like the notepad, just so I know it's being saved if I plan on working on a certain notepad for a while.

  • Can you confirm the settings you have on the Security tab in Preferences. Is the timeout setting the only auto-lock active?

    I'm not too sure what Notepad has to do with this? Are you using the term "notepad" for something within 1Password or do you actually mean the Windows application "Notepad"?

    It's the timed autolock I'm referring to. As I mostly put the MP in after an autolock timeout. I liked the automatic open on secure desktop option, but inadvertently discovered that was pointless if you mostly put a MP in after a timeout since you have to manually go in secure desktop mod anyways.

    Like I said, are you leaving the 1Password window open? If you are then on what criteria should it trigger a secure desktop unlock (if clicking the button is not acceptable to you)?
    If you're closing the app window then after it locks you're clicking on the systray padlock to re-open it then it should automatically present the secure desktop unlock.

  • svondutchsvondutch

    Team Member
    edited February 2015

    Don't know why it isn't automatically set to automatic though.

    Because it does not work everywhere. Older operating systems do not support it.

    I had been "using" the notepad that should have kept resetting the clock.

    When the app is running, then it will lock after X minutes of not using the app. In other words: it does not lock after system inactivity. It locks after inactivity in the app.

  • Because it does not work everywhere. Older operating systems do not support it.

    What Windows operating systems support 1Password to automatically open everytime in "secure desktop" mode? The only time I've noticed it automatically open up in "secure desktop" mod was when you were first opening the program up, or if it timed out "in the browser" and then "in the brower" it asked for you to re-enter your password and you could tell it was on "secure desktop" mod. If the program times out that you have down on the taskbar, and then you click on the tab in the taskbar, then it won't be set automatically to open in "secure desktop" mod.

    When the app is running, then it will lock after X minutes of not using the app. In other words: it does not lock after system inactivity. It locks after inactivity in the app.

    What does "inactivity in the app" means? Like what action would trigger an "activity"?

    I figured if you say have notepad open and typed something in there. Then that would reset the clock. For example, I had notepad open and I was going back and forth with a website reading text to then type into the notepad. Now this took a while going back and forth and I had a short duration for 1Password to time out. And so I had instances of hearing the program "time out" while looking at the webpage when I had just been in the app typing in the notepad.

    Now in those cases when the program timed out, it also didn't save the new text I had been typing. So I had to start that all over. After dealing with that a few times, I got to where I just close the notepad out frequently if I plan on having to spend time gathering info to type in there.

  • MikeTMikeT Agile Samurai

    Team Member

    @baker:

    What Windows operating systems support 1Password to automatically open everytime in "secure desktop" mode?

    Windows Vista and above has support for creating custom desktops. This is not a feature we created just for 1Password, we're using a method from Windows to power the secure desktop environment for 1Password to prompt for your master password.

    If the program times out that you have down on the taskbar, and then you click on the tab in the taskbar, then it won't be set automatically to open in "secure desktop" mod.

    Ah, I see what you mean now. I suspect there is a limitation to how much we can automate this and it requires an action from the user, such as pressing the 1Password icon on the browser and the safe unlock button on the main desktop.

    The problem is we have to be careful with this type of automation, we need to make sure that the unlock prompt did in fact came from your action in the 1Password application, not out of nowhere. Suppose you have a malware installed and you have the desktop app minimized to the system tray or the taskbar, and you suddenly get the prompt out of nowhere that looks like 1Password but could be from this malware. You could in fact be entering your master password into this duplicate screen from the malware.

    What does "inactivity in the app" means? Like what action would trigger an "activity"?

    It means the 1Password application has to be frontmost, you're nagivating around the app, editing and saving changes.

    I figured if you say have notepad open and typed something in there.

    NotePad is a completely different app from 1Password application and does not have any impact on how 1Password operates.

    When you say NotePad, are you talking about the NotePad application from Microsoft or are you talking about a Secure Note item you created within the 1Password application?

  • @MikeT

    Yeah, pretty much from my limited experience is the automatic "open to secure desktop" works other than when it times out in the bottom taskbar, and you click on the 1Password tab. Then it's like normal where you have to manually set it to a secure desktop. Luckily I tend to be fairly aware of things, and noticed the "Unlock On Secure Desktop" icon in the upper right corner in those instances to know something wasn't right with the "automatic" function.

    There may be other people not aware of this and signing into a timed-out session thinking they are automatically on a "secure desktop" when they really aren't. I normally put my MP into a timed-out session from the bottom tab, so even though I had it set to "automatic" I was still having to do it "manually" like 90% of the time anyways.

    NotePad is a completely different app from 1Password application and does not have any impact on how 1Password operates.

    When you say NotePad, are you talking about the NotePad application from Microsoft or are you talking about a Secure Note item you created within the 1Password application?

    Sorry, I didn't explain this. What I meant by "notepad". Was I had a saved "login" box open for edit. And I was adding text into the "notes" part under the "login" box.

    I was having to go back and forth to read and type into the "notes" part. And had at different instances heard the 1Password make its time-out sound while looking elsewhere. And so when it timed-out, it had lost any new text I had typed into the "notes" part. So after that happening several times and losing a bunch of time of wasting typing in the "notes" part, I extended the time-out length and started closing out the "logins" box frequently if I thought I might have to be editing in one for a little while just so it would save the data frequently.

  • MikeTMikeT Agile Samurai

    Team Member
    edited March 2015

    Hi @baker,

    There may be other people not aware of this and signing into a timed-out session thinking they are automatically on a "secure desktop" when they really aren't. I normally put my MP into a timed-out session from the bottom tab, so even though I had it set to "automatic" I was still having to do it "manually" like 90% of the time anyways.

    That's a very good point, thank you for sharing it with us. We'll see if we can improve this and one way I can think of is to do the secure desktop prompt automatically the moment you enter the master password field. With this automatic mode, the button on top right should say Switch to regular unlock for people who may experience issues unlocking via the secure desktop mode.

    as I had a saved "login" box open for edit. And I was adding text into the "notes" part under the "login" box.

    Ah, you were editing a Login item and typing in the note field of that item. That should reset the clock.

    Unfortunately, there isn't an easy way to securely and temporarily store the unsaved data when locking the app, we have to absolutely lock your app regardless of what's going on because if we wait for your action, it could stay unlocked forever. Imagine someone editing the item and then leaves the room, it may not lock on its own if it sees someone is editing an item.

    However, that doesn't mean the process couldn't be improved, so we'll keep this in mind as we work on improving 1Password. Thank you so much for hanging in there with us as you explain how it is getting in your way. We do understand and hope to improve this in the future.

  • It sounds like when I typed into the "notes" field, that it wasn't resetting the time-out clock. Because I know I didn't leave it idling for enough time to time out when I was doing long edits.

    But I'll have to do more testing on it when I have time. To compensate, I had extended the time-out length, and started closing things out frequently to save it so I didn't have to worry so much about it timing-out sooner than it should.

  • MikeTMikeT Agile Samurai

    Team Member

    Hi @baker,

    I'm testing it here as well and it is extending each time I've typed in the note field. I have it set to auto-lock after a minute.

    1. Unlock the application, double-click on a Login item to edit it, and then do nothing. It auto-locked in 60 seconds according to the stopwatch app I'm using.
    2. Unlock the application, double-click on a Login item to edit it, started the stopwatch, as it hits 30 seconds, I typed in something and left the window. It auto-locked at 90 seconds instead of 60 seconds.

    So, it appears to work as expected. Maybe there's something else that's causing 1Password to auto-lock prematurely. Do you close browser windows often?

    If you can reproduce this, can you give us the steps by steps of what you're doing between the editing in 1Password and what you're switching to.

  • Thanks. I'll do testing on it when I have some time in the future and report back.

  • MikeTMikeT Agile Samurai

    Team Member

    Thanks, I'll chat with the development team to see what else we can do to improve this.

  • @MikeT

    Windows Vista and above has support for creating custom desktops. This is not a feature we created just for 1Password, we're using a method from Windows to power the secure desktop environment for 1Password to prompt for your master password.

    Firstly, XP handles this just fine.
    Second, either way @svondutch's argument is invalid on that basis you have dropped XP support. Therefore all supported versions have secure desktop capability.

  • MikeTMikeT Agile Samurai

    Team Member

    Hi @RichardPayne,

    You're correct, I misread that the process responsible for it was only for Vista and above but it was on XP as well.

    We'll keep it in mind for future versions for 1Password.

  • svondutchsvondutch

    Team Member

    What does "inactivity in the app" means? Like what action would trigger an "activity"?

    @baker Mouse clicks and keyboard presses in the app keep it alive. If the app does not receive any mouse clicks and keyboard presses, then eventually it will auto-lock itself.

  • svondutchsvondutch

    Team Member

    XP handles this just fine

    @RichardPayne It should work everywhere but believe it or not, some of our customers are running Windows 2000, and our Secure Desktop feature is unreliable there. This is why we do not default to Secure Desktop. It is an option. The option is turned off by default for compatibility reasons.

    Everyone should remember that while Secure Desktop adds some protection against keyloggers, once such malware is on your computer, you are pwned and not really in charge of your computer anymore. There isn't much we can do against malware running in the same security context as you yourself. If your computer has been compromised by a keylogger, it is no longer your computer.

    https://blog.agilebits.com/2014/08/21/watch-what-you-type-1passwords-defenses-against-keystroke-loggers/

  • What are good protections to block a keylogger malware from getting into the system? I believe those are different than what anti-virus looks for.

    I recently found there is Malwarebytes Anti-Exploit, which claims that it "is your essential protection against zero-day exploits targeting browser vulnerabilities." "Protects browser components, including Java and Flash. Defends against drive-by download attacks. Blocks unknown and known exploit kits"

  • some of our customers are running Windows 2000

    And yet I've had bugs, rightly, ignored because they are not replicable on Windows 7. I thought the whole point of dropping support for old platforms was to give the product a chance to move on and be modernised without being burdened by the lack of features in older platforms.

    Supporting an OS that was dropped by the vendor 4.5 years ago seems crazy to me.

  • svondutchsvondutch

    Team Member

    What are good protections to block a keylogger malware from getting into the system?

    @baker

    1. Keep your system and software up to date
    2. Pay attention to what software you install and where you get it from
    3. Use Windows Defender (and Microsoft Security Essentials if you're running Windows 7)
    4. Understand what software can and can’t do for you. 1Password is limited in what it can do to protect you when you are using a compromised computer. It can (and does) offer some protection against shallow (the most common) attacks. But this is a bit of an arms race.

    And yet I've had bugs, rightly, ignored because they are not replicable on Windows 7

    @RichardPayne What bugs are those? I would love to look into them.

    Supporting an OS that was dropped by the vendor 4.5 years ago seems crazy to me.

    @RichardPayne We're not supporting Windows 2000. However, the Secure Desktop feature is pretty intrusive and if it doesn't work, it can cause lots of confusion. This is why we do not default to Secure Desktop. It is an option.

  • What bugs are those? I would love to look into them.

    I'll have to dig them up. The one I can remember was the "conceal passwords" option not working. I doesn't work on XP but it does work on Win7. Interestingly it doesn't work under WINE either which makes my think that there's some oddity in the way you're calling the Windows API.

    We're not supporting Windows 2000. However, the Secure Desktop feature is pretty intrusive and if it doesn't work, it can cause lots of confusion. This is why we do not default to Secure Desktop. It is an option.

    Fair enough, although you should probably lead with that rather than the point that some customers are still on Windows 2000! ;)

  • I'll have to dig them up. The one I can remember was the "conceal passwords" option not working. I doesn't work on XP but it does work on Win7. Interestingly it doesn't work under WINE either which makes my think that there's some oddity in the way you're calling the Windows API.

    Ooo, scratch that. You already seem to have fixed it, on XP at least. It wasn't that long ago that I retested to submit a WINE bug report so it must be a recent change that fixed it. I'll have to check on WINE when I get home too as I may be able to close the bug report if it's fixed there too.

  • AlexHoffmannAlexHoffmann

    Team Member

    Sneaky svondutch, sneakily sneaking fixes into the software ;)

  • Unfortunately it's still broken on WINE, but as before, that it their problem not yours.

  • AlexHoffmannAlexHoffmann

    Team Member

    Yeah, it still bugs me, though.

This discussion has been closed.