@TheDave: It certainly could, but that's not a great user experience -- otherwise GPG would be popular. And the other challenge is storing the keys securely. Not all PCs have a good way to do it. And the technologies most commonly used for that have weaknesses as well.
This way the private key will never "travel" between the two devices.
For even more security, in the Mac world, the public key could be sent through the Near Device Communication used by AirDrop (apologies, I'm not sure about the real name for it).
This feature, if securely made the way TheDave suggests, would improve so much security for many reasons.
Because we have to use the MasterPassword often:
Bottom line, it would be a great improvement in security.
@danmeyer: We're getting way off topic here, as the feature which is the subject of this discussion already exists -- as indicated in the title: "Windows Hello / Fingerprint reader support [Available now in 1Password 7]".
While you got the name right, AirDrop isn't available going to and from Windows (or Android) devices; it's limited to working between any combination of macOS and iOS devices. That's because it's built into the OS, and that's good for security. We're also unlikely to develop our own AirDrop-like protocol because: 1) our focus is on password management, not general-purpose inter-device communication; 2) since we don't control the underlying hardware or OS, there are real limits to how secure and seamless we could make it.
And, apart from that, the rest of your comments don't make me wish that we would do something like this; quite the contrary. Making it easier for people to forget their Master Password is not something we want, because it is needed to decrypt the data, and frankly having it stored only in the brain of the person whose data it protects is a good thing.
It's certainly your prerogative to not use a complex password, but considering that it can be done and the security of your important data depends on it, I hope you'll reconsider. There are some suggestions in this guide that may help you:
And we never recommend changing any password on a regular basis. That just makes extra work for you and has a lot of potential pitfalls. Maybe that's why you'd have trouble using a complex one and remembering it. A long, strong, unique password you created five years ago is no less than one you create today. It does not need to be changed, unless you give it away, you recorded it somewhere and it was stolen from you, or you'd reused it somewhere else that was compromised. That goes for your Master Password, or the password for any website.
What you're proposing would not really be an improvement in security, and would result in many more people (potentially in the thousands, given that millions of people use 1Password) getting locked out of their own data or having it stolen. No matter what, if your location (someone looking over your shoulder) or your device (malware) is compromised, you're at risk either way. And we do not want to give 1Password users a false sense of security, and lead them to believe that it's safe to access sensitive data under those circumstances. That's the definition of "security theater", and it's something we want to avoid no matter what. We have no plans to do something like that.
„Making it easier for people to forget their Master Password is not something we want,“
I will admit to part of that being selfish. I feel horrible each and every time I have to tell someone they're out of luck, that their data is irretrievable without their Master Password, and that we cannot reset it for them. It makes me sick. But I think it's fair to say that it feels much, much worse to the person losing important data. I lost a hard drive probably two decades ago now, no backup, and I have never forgotten it...
@brenty many thanks for your detailed answer.
It seems ok to use the facial recognition of iPhoneX to unlock the 1Password App. I infer from this, that if computers had such elaborate face recognition cameras built in, it would be ok to use them the same way to unlock the 1Password software.
My question is: why can't we use the facial recognition of iPhoneX to unlock the iPhoneApp, and then allow the iPhoneApp to send something, not compromising security obviously (a public key or other), to the ComputerApp to unlock it?
@brenty This isn't true at all, this exact technique is used in several popular instant message solutions. PGP and family is a great example of how to design difficult to use encryption that excludes most typical users and instead displays all of the rough edges to the non-technical people.
1Password can be much smarter. The goal is to allow 1Password on my phone to unlock 1Password on my Windows desktop. I propose that to do this, the devices could talk over a local network. As you note, the unlocked device (iOS) would need to get a secret derived from my master password to the Windows desktop. This would require the devices to previously handshake, and know (and verify) each other's public key. Luckily, 1Password has a nice safe way for devices to exchange data: They could use 1Password. Each device could store their own public key into my 1Password vault, meaning that once devices have completed the initial handshake, my iOS device and Windows computer could know to trust each other and could communicate securely to enable an unlock.
There would still be some technical support load as device-to-device communication over a network is not always trivial (generally needing broadcasts, known IPs, or some other discovery mechanism), but given that I can control my media player on my computer from my phone with 100% reliability, I would argue that the functionality is possible to implement in a user friendly way. For 1Password.com users you could even use the 1Password service to help (either with discovery, or passing messages).
Ultimately I just keep 1Password on my desktop unlocked a lot as both the annoyance and the threat from typing my master password repeatedly is worse than the risk of keeping it unlocked (or put another way, if I assume malware is going to access 1Password, it likely won't make a difference if 1Password is unlocked for 13 seconds or 45 minutes, but if someone is going to shoulder-surf my password then the more times I enter it, the more likely they are to be able to observe my fingers, to count the keystrokes, etc).
@TheDave: With the risk in mind that I may be overlooking something obvious, I don't think your vault would be an adequate place to store that public key. In this case, 1Password on your PC is locked, meaning that data it needs to verify its identity to your phone is encrypted and unavailable. That key would need to be stored somewhere that's not restricted when 1Password for Windows is locked and then we're back to asking ourselves where is an acceptable place to store that.
More likely, I'd think that might be a component of Windows Hello down the line. You can already set your PC to unlock when a mobile device you own is nearby, for example, so that at least hints at some possibilities if not a full-fledged and workable idea. I don't think that's currently part of Hello so not something we can integrate with now, but it gives a glimpse at what might be possible one day, depending on what direction Microsoft goes with Hello.
For the moment, I do exactly what you do – 1Password is all but perpetually unlocked on my desktop. I hate even moving the thing to clean it, so it doesn't go anywhere and the biggest threats to my data at home are my cats. They can't type so I figure I'm pretty safe. If I'm leaving long enough I'm worried, I lock my PC and that locks 1Password. As you say, the jig is essentially up if your device is compromised so trying to plan for a compromised device is more of a loss to convenience than a boon to security.
The public key would only be read from the vault when initially verifying devices. With the underlying goal being to allow an iPhone to unlock 1Password on a Windows PC, the two need a trusted communication channel. This can be done any number of ways, but ultimately you need an out of band way to verify that there is no MITM so that this channel can be trusted enough to distribute the master password over it in subsequent unlock events.
The initial handshake would require both devices to be unlocked manually, and signed in to the same 1Password account/vault, the devices would handshake over TCP and exchange public keys, but would also verify that these public keys were the same ones added to the shared 1Password account as an out-of-band "Verify your partner is who they say they are" step. This relies on the fact that these public keys can only be written by a device which is signed in. Once verified though, the public keys can be stored unencrypted on each device.
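The pairing check proposed in the post above, as an added sketch that is not part of the original thread and is not 1Password code. The `Device` class, the dict standing in for the shared vault, and the random bytes standing in for public keys are all hypothetical; a real protocol would also need the peer to prove possession of the matching private key.

```python
import os


class Device:
    """Hypothetical model of one device taking part in pairing."""

    def __init__(self, name: str):
        self.name = name
        self.public_key = os.urandom(32)  # constructed stand-in for a real public key
        self.pins = {}                    # peer name -> pinned key, kept outside the vault

    def publish(self, vault: dict) -> None:
        # Only a signed-in, unlocked device can write into the shared vault.
        vault[self.name] = self.public_key

    def pair(self, peer_name: str, key_from_network: bytes, vault: dict) -> bool:
        """Initial handshake, both devices unlocked: accept the key received over
        TCP only if it equals the copy the peer wrote into the shared vault."""
        expected = vault.get(peer_name)
        if expected is None or expected != key_from_network:
            return False  # unknown peer, or key swapped in transit (possible MITM)
        self.pins[peer_name] = expected
        return True

    def pinned_key_matches(self, peer_name: str, key_from_network: bytes) -> bool:
        """Later unlock request: the vault is locked, so only the local pin is
        consulted. This identifies the key; it does not prove the sender holds
        the private half, which needs a signed challenge (out of scope here)."""
        return self.pins.get(peer_name) == key_from_network


def demo() -> dict:
    vault = {}  # stands in for the shared vault while both devices are unlocked
    phone, desktop, attacker = Device("phone"), Device("desktop"), Device("attacker")
    phone.publish(vault)
    desktop.publish(vault)
    return {
        # An interposed party substitutes its own key during the TCP exchange.
        "mitm_rejected": not desktop.pair("phone", attacker.public_key, vault),
        "paired": desktop.pair("phone", phone.public_key, vault),
        # From here on the vault is treated as locked and is never read.
        "locked_match": desktop.pinned_key_matches("phone", phone.public_key),
        "locked_spoof": desktop.pinned_key_matches("phone", attacker.public_key),
    }
```

The pinned copy only needs integrity protection, not secrecy, which is why it can live outside the encrypted vault and still be readable while the desktop app is locked.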
@TheDave: What specifically did I say that wasn't true? Perhaps I made an error. Anyway, it's certainly a nice idea, but the rest is a bit handwavy...and then you're volunteering us again to develop additional network stuff to support. Messaging apps and music players are much, much lower stakes than this, so I think that's sort of a glib comparison. And again, if you're in such a hostile environment, attackers could "shoulder surf" your data either way. The risk of users forgetting their Master Passwords because they don't enter them regularly is very, very real, not a hypothetical. I don't like the idea of trading data loss for the sake of your convenience. Sorry. We'll certainly continue to evaluate technologies in this area, but I don't see the human problem going away -- at least not until SkyNet takes over, and then all of this will be moot.
@brenty I was referring specifically to "It certainly could, but that's not a great user experience -- otherwise GPG would be popular" -- My suggestion is to create a trusted relationship while avoiding the whole annoyance of requiring the user to manually verify/trust their partner.
Ultimately I get it, unlocking one device from another is complicated, it would be awesome to see 1Password lead the pack here, but it obviously isn't a business priority to make it happen -- That's okay too.
@TheDave: Thanks for clarifying! I figured you might have something else interesting to say. Anyway, we're in agreement that it would be a cool feature if done in a secure and user friendly way. I just think that neither of those are as easy as they might seem on the surface, and I want to be sure we don't overlook the ripple effects of people getting used to not using their Master Passwords (which, to be fair, is also a business concern on some level). Thank you for your feedback on this!