Feature request: Unlock in Secure Desktop

In 1Password 4, I loved the feature of "unlock in secure desktop" because then I could be sure no other (medium-integrity) app could snoop on 1Password's keyboard input. Would this feature be added to 1Password 7 later on, or has it been phased out?


1Password Version: 7.0.532
Extension Version: 4.7.1.3
OS Version: Windows 10 Pro 1703 (Creators Update)
Sync Type: Dropbox

Comments

  • MikeT Agile Samurai

    Team Member

    Hi @Smileybarry,

    Thanks for requesting this.

    Yes, at the moment, this is on our list to add in a future update. I don't want to say for sure because we may find a better solution and more integrated than Secure Desktop.

    ref: OPW-1224

  • @MikeT Awesome! Thanks. :smile:

  • MikeT Agile Samurai

    Team Member

    👍

  • bkh

    "Yes, at the moment, this is on our list to add in a future update. I don't want to say for sure because we may find a better solution and more integrated than Secure Desktop."

    I'm delighted to hear this. With all the recent rhetoric about avoiding security theater, I was concerned that AgileBits would be moving away from defense-in-depth mitigation techniques such as Secure Desktop, under the rationale that if your local machine is compromised (the only reason to want Secure Desktop) then you theoretically have already lost all your secrets.

  • MikeT Agile Samurai

    Team Member
    edited April 6

    Hi @bkh,

    "if your local machine is compromised (the only reason to want Secure Desktop) then you theoretically have already lost all your secrets."

    That is true and no, Secure Desktop does not protect against a system compromise. All it takes is to hijack the original Windows file that handles Secure Desktop and you're compromised fully. There is nothing that can protect you in this case.

    All Secure Desktop does is protect you against keyloggers running in your user account that does not have admin privileges. It does not protect you against anything else.

  • bkh

    Thanks for the clarification. By "compromised" I didn't mean they have admin, just that they had malware running. Someone could argue that if they have malware running then you're already in trouble, and in this case perhaps mitigations are giving a false sense of security. I think there is value to protecting against certain subsets of attacks, even in cases where the protection is neither absolute nor comprehensive. I recognize that reasonable people can argue both sides of that viewpoint.

  • MikeT Agile Samurai

    Team Member

    Hi @bkh,

    "Someone could argue that if they have malware running then you're already in trouble, and in this case perhaps mitigations are giving a false sense of security."

    It is. Imagine a fake UAC prompt asking for your admin passwords or imagine a fake secure desktop view asking for your 1Password master password? All of which is entirely possible if you don't pay close attention all the time.

    It's just that at some point, you'll be spending more time on trying to defend against something already easily bypassed by a different attack point where you'd be better off protecting the system on a higher level. In this case, having a better security habit of updating the OS, running an AV, content blocker, network firewall, and so on.

  • I just upgraded from version 4 and was disappointed that this is missing.

    One other benefit that hasn't been mentioned is that the Secure Desktop gives a very clear visual cue to me and prevents me from accidentally typing my master password into some other (not necessarily malicious) window if focus ends up in that other window while I'm typing my master password. My master password is long and complex enough that I look down at my keyboard instead of at the screen while typing it, so this is not such a far-fetched scenario.

    I hope whatever solution you come up with for the future considers this. Thanks!

  • brenty

    Team Member

    @eatcookies: That's a really good point! We don't want to give people the impression that Secure Desktop can protect them if their machine is compromised, but you're right that it could help prevent someone from entering their Master Password into the wrong place, say in the web browser. We'll continue to evaluate this as we work on future updates. Thank you!

  • Like others, after upgrading 1Password for Windows to version 7, I was disappointed secure desktop support was not included. I realize it's not perfect, and can be subverted in many ways. But, as a Pentester, I drop keyloggers and migrate into users' processes all the time. Until 1Password adds Secure Desktop support I cringe every time I enter the master password.

  • MikeT Agile Samurai

    Team Member

    Hi @Dingofest2,

    Thanks for letting us know and yes, we do understand that. It is still on our list to implement as soon as we can.

  • Hey @MikeT

    Wondering if there's any movement on the Secure Desktop feature request?
    Any idea when we can expect it? Is v7 realistic or is this a future v8 feature?

  • bundtkate

    Team Member

    @Dingofest2: We try not to share ETAs until something is all but heading out the door. We may plan to have a given feature in the next update, but later find something super urgent comes up or that what we thought would work just doesn't. We've learned from attempting to make promises in the past that what we envision for the future rarely turns out to be wholly correct. What I can say is that we're not even thinking about 1Password 8 right now – 1Password 7 is only months old, after all – so anything we're considering now we're considering for a 1Password 7 update at some future date, but anything more precise than that would be a wild guess at best.

  • MikeT Agile Samurai

    Team Member
    edited December 13

    Hi guys,

    1Password 7.3 Beta 2 is now available with Unlock using Secure Desktop feature.

    /cc @Dingofest2 @eatcookies @bkh

    We will continue to improve on this, we'd like to find a way to blend both Windows Hello and Secure Desktop as well if possible.

  • Thanks for the notification, Mike. I've upgraded to 7.3.612 and am looking forward to being able to launch 1Password after a PC reboot without all those other processes stealing focus right while I'm in the middle of typing my master password.

  • MikeT Agile Samurai

    Team Member

    Let us know how it turns out, it should definitely work better in that situation.

  • bkh

    It is nicely effective in making sure the focus isn't stolen while I'm entering the master password.

    Are there plans to make it configurable as a default in preferences/settings? If not, I'd like to propose that for the list of requested features, as it's a minor nuisance to have to click the shield each time.

  • MikeT Agile Samurai

    Team Member
    edited 3:15AM

    Hi @bkh,

    "Are there plans to make it configurable as a default in preferences/settings? If not, I'd like to propose that for the list of requested features, as it's a minor nuisance to have to click the shield each time."

    Yes and you don't need to click the shield, press Control + Enter in the master password field to bring it up.

    For now, we just need to make sure Secure Desktop is working as expected before we build more on top of it.
