Automatically logged in to 2 different teams without giving the master password

So, today I started using this alpha... Wh00twh00t, kudos, love and everything else (sorry, couldn't resist)

I find it disturbing that all data from all teams is automatically loaded into the extension without authenticating (with the Master password) for both separately.

To reproduce:

  • Install extension
  • Have access to two teams
  • Login into the main one
  • Search in both teams without authentication for the second
  • See 1password entries for all 1password teams in the 1password plugin

Side note: My Master password for the second team was stored in my main vault because of reasons, and it differs from the Master password for the first team.
There is a good reason why I didn't want this to be the default.

Explain to me how on earth it can be possible to access decrypted passwords for any team I didn't authenticate explicitly with my master password.

Expected behavior:

  • Install extension
  • Have access to two teams after at least one successful login with email/password(/secret key)
  • Log in to the first
  • Search only the first team's vaults
  • Log in to the second (maybe an option to use one MP for both teams the next time)
  • Search through both teams' vaults

It gives me goose bumps because now I have the feeling that without the MP it's possible to log in to any team!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • beyer (1Password Alumni), edited June 2017

    Hey @srcoder,

    Welcome to the forum, I'm delighted to see you made it over here!

    I sincerely apologize for the goose bumps. In @dteare's first announcement, he states:

    We automatically log you in to all your 1Password Accounts. You simply log in to your main account and every 1Password Account you have stored there will be added automagically.

    Which is exactly what happened in your case, the browser extension found a Login item for your second Team account and added it when you first signed in. This idea is similar to how I can log in to my multiple 1Password accounts by filling the credentials using the 1Password browser extension on the appropriate sign-in page (e.g. https://my.1password.com). This has been done to help users with multiple 1Password accounts get up and running as simply as possible. We are extremely interested to hear your feedback on this feature, and I suspect @dteare will stop by this thread and chime in on the more technical details when he's available.

    Personally, I love this feature! But if you don't want your second Team account to be added, a quick fix is by moving the sign-in address from the website field to a note on the Login item for your second Team account.

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • srcoder (Community Member)

    Hi @beyer,

    Thanks for the quick reply and pointing out that note.
    As you can see this can look a little scary at first.

    I can still add some extra feedback: I uninstalled the extension, moved the item to the trash (to test), re-installed, and still got signed in to both accounts. So, I think I have to fully remove the item before it won't sign in.

    I think this is something to pick up in a next release; there is also no way to sign out of/disable the second account (as I understand it now).

  • AGAlumB (1Password Alumni)

    Thanks for the quick reply and pointing out that note. As you can see this can look a little scary at first.

    @srcoder: Glad that helped! :)

    I can still add some extra feedback: I uninstalled the extension, moved the item to the trash (to test), re-installed, and still got signed in to both accounts. So, I think I have to fully remove the item before it won't sign in.

    Correct. When you sign in to your first 1Password.com account, 1Password is using the account details saved there for others (if present) to sign into those automatically as well. So this won't happen if you don't have the account credentials for other accounts there in the first place.

    I think this is something to pick up in a next release; there is also no way to sign out of/disable the second account (as I understand it now).

    Not sure it's something we can promise for "the next release" (which for all I know Dave has already PR'd), but this is definitely one of the many features we'll be adding as well over time as it's developed. Thanks again for the feedback, and be sure to let us know if you encounter any bugs with the alpha! :chuffed:

  • dteare

    Thank you for sharing your thoughts on this issue, @srcoder. I thought this was a pretty awesome feature but given your initial reaction it's clear we need to do some work to make it more clear what's happening.

    It's a good point that we should skip items in the Trash when performing this magic, and you're absolutely right that we need to provide a way to control this in the future. I have some ideas there and just need to decide which one I like the most.

    Thanks again for your feedback! <3
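The discovery behaviour beyer describes in the first reply (the extension finds a Login item whose website field points at a 1Password sign-in address and adds that account), together with the two controls this thread mentions (moving the address into the notes, and dteare's point that items in the Trash should be skipped), as an added example. This is illustrative code written for this page, not 1Password's extension code; the field names, the host pattern, the `skipTrash` switch and the sample vault items are all assumptions.

```javascript
// Added illustration, not 1Password's own code: a model of the alpha behaviour
// described in this thread. After the first unlock the extension scans the
// account for Login items whose website field points at a 1Password sign-in
// address and uses them to add further accounts. The two controls the thread
// mentions are shown: a URL kept only in the notes is not consulted (beyer's
// workaround), and items in the Trash are skipped unless the caller asks for
// the alpha's original behaviour. Field names and the host pattern are assumed.

// Only a subdomain of 1password.com counts as a sign-in address; the bare
// domain and look-alikes such as "my.1password.com.evil.example" do not.
const SIGN_IN_HOST = /^[a-z0-9-]+\.1password\.com$/i;

// Returns the sign-in hostname for a URL, or null if it is not one.
function signInHost(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'https:' && SIGN_IN_HOST.test(u.hostname) ? u.hostname : null;
  } catch (_) {
    return null; // not a parseable URL at all
  }
}

// Returns the accounts the extension would add automatically. skipTrash=false
// reproduces what srcoder observed in the alpha (a trashed item still counts).
function discoverAccounts(items, { skipTrash = true } = {}) {
  const found = new Map();
  for (const item of items) {
    if (item.category !== 'LOGIN') continue;
    if (skipTrash && item.trashed) continue;
    // Only the website field is consulted; a URL inside the notes is ignored.
    for (const url of item.websites || []) {
      const host = signInHost(url);
      if (!host) continue;
      const key = `${host}|${item.username}`;
      if (!found.has(key)) {
        found.set(key, { signInAddress: `https://${host}`, email: item.username });
      }
    }
  }
  return [...found.values()];
}

// Constructed sample vault contents (not real data).
const SAMPLE_ITEMS = [
  // a second team account with the sign-in address in the website field: added
  { category: 'LOGIN', username: 'me@example.com', websites: ['https://acme.1password.com'], notes: '', trashed: false },
  // beyer's workaround: address moved into the notes, so it is not added
  { category: 'LOGIN', username: 'me@example.com', websites: [], notes: 'sign-in: https://beta.1password.com', trashed: false },
  // trashed item: skipped by default, still picked up with skipTrash=false
  { category: 'LOGIN', username: 'me@example.com', websites: ['https://old.1password.com'], notes: '', trashed: true },
  // look-alike host and bare domain: never treated as sign-in addresses
  { category: 'LOGIN', username: 'me@example.com', websites: ['https://my.1password.com.evil.example/login'], notes: '', trashed: false },
  { category: 'LOGIN', username: 'me@example.com', websites: ['https://1password.com'], notes: '', trashed: false },
  // not a Login item at all
  { category: 'PASSWORD', username: '', websites: ['https://acme.1password.com'], notes: '', trashed: false },
];

console.log('added (Trash skipped):', discoverAccounts(SAMPLE_ITEMS));
console.log('added (alpha, Trash scanned):', discoverAccounts(SAMPLE_ITEMS, { skipTrash: false }));
```

The strict host match matters more than it looks: if the scan accepted any URL containing "1password.com", a crafted Login item synced into a shared vault could point the extension at an attacker-controlled sign-in page.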

  • srcoder (Community Member)

    yw!!! If I find something else, happy to let you know... Thanks again for the invite.

  • AGAlumB (1Password Alumni)

    Hey, thanks for participating in the alpha! We really appreciate your passion and feedback! :chuffed:

  • srcoder (Community Member)

    Nice solution since 0.8.0 === "resolved"

  • beyer (1Password Alumni), edited July 2017

    Thanks, @srcoder! There are still a few items on our list to make it even better, but I'm glad to hear you're happier with our new method of adding additional accounts. We made a few trips back to the drawing board, but Dave (and the rest of the team) did some awesome work here. This was a feature we are selflessly passionate about, as everyone here has multiple team accounts plus an individual or family account for our personal items.

    We greatly appreciate your continued feedback. Have an awesome week. :)

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • srcoder (Community Member), edited July 2017

    hmm, here I am again.

    Now, after adding the other accounts manually, you have to unlock them via *.1password.com after unlocking the main account :chuffed:

    Added it to favorites for now, which is also fine...
    I see that unlocking with the MP for the other account unlocks that one.
    Also see that you are logged in to 1Password automatically on edit :+1:

    • edit: added solution
  • beyer (1Password Alumni)

    @srcoder: Correct, but only if you have different Master Passwords on your accounts. This is due to us not storing your Master Password and no longer looking at 1Password items to sign in accounts.

    For people who opt to use the same Master Password (which is common), all of their accounts will be unlocked at once (after they are added the first time). There are arguments to be made for and against using the same Master Password across accounts, but I'll quote Dave and say "it is what we recommend in most circumstances". Especially if you are storing the Master Password for one account in another already anyway. Either way, it's up to you to decide. :)

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • srcoder (Community Member)

    Yeah, very true! But if you are using different ones for both, you will have your reasons then!

    And indeed, not scanning and storing should be the way to go (it's much more straightforward security-wise; on the same page as Dave).

    Thanks for the additional information!
    That's why we still have this secondary piece of security, which is called the "Secret Key".

  • beyer (1Password Alumni)

    You're welcome! One of these days we can hopefully get up a more recent blog post about our feelings on using the same Master Password across multiple accounts. :) :+1:

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • srcoder (Community Member)

    Please quote me if you must ;) Thanks again

  • beyer (1Password Alumni)

    Ha, I'll see what I can do. :) :+1:

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits
