FF 1.6.3: Do not have to enter Secret Key every session on public computer?

XIII

Not sure whether this intended, but at the very first login to 1Password X (for Firefox) I chose the option "Public computer" and expected to have to enter my Secret Key at every next login. However this is not the case; I only have to enter my password (so also not my email address).

What's the intended behaviour?

---

1Password Version: 1Password X for Firefox
Extension Version: 1.6.3
OS Version: macOS 10.13.4
Sync Type: 1Password.com

beyer

Hey @XIII,

Great question! In our "About 1Password X security" article we write:

Only use 1Password X on trusted computers. 1Password X is sandboxed from untrusted web pages, but it assumes that you trust your web browser and your other browser extensions. It stores your Secret Key in local storage and is not meant to be used on a public computer.

I stand by that 100%. You should not use 1Password X or any 1Password client applications on untrusted or public computers. That being said you've run into a confusing situation because we use the very same login form for 1Password X as you see when logging into your 1Password.com account to access the web client. We really shouldn't allow users to add an account to 1Password X when that box is checked. I've gone ahead an opened an issue for the rest of my team so we can get this UX changed.

In the meantime, if you're looking to add an extra layer of protection to your 1Password.com account, I highly recommend checking out our new two-factor authentication.

I hope that helps, but please let me know if you have any questions and have a great weekend!

-Beyer

XIII

brenty

@XIII: Seriously, great catch! Thanks for bringing this up.

ref: b5x-353