Using 1Password with Station

Are you aware of the Station "browser"?

I really like the idea of separating long running apps like GSuite out of Chrome/Safari etc. and into a dedicated browser. One of my frustrations has been lack of integration with 1Password though. These apps are some of my most important and the ones I use regularly. GSuite will routinely challenge credentials and it is tedious to go to 1Password and copy and paste when you are very used to the 1Password mini integration.

The app has started to pop up dialog boxes about integrating with a Password manager which seems enticing. But it is asking for credentials instead of following an OAuth2 type of flow where I feel comfortable that I am giving credentials that are only passed to AgileBits servers. You can see their knowledge base article about 1Password integration here.

This approach feels dangerous to me when I have so much in 1Password which I do not want to risk exposing. Do you have contact with the Station team? Do you have any opinions about this kind of integration with 1Password?

thanks,
chuck


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @cclark,

    I can't say I've ever heard of Station or remember anybody here at 1Password mentioning it. I very much feel this is a case of use at your own risk.

    If you want separation what about separate Chrome profiles where you can add the standard 1Password extension?

  • cohixcohix

    Team Member

    @cclark Station is embedding a copy of the 1Password command line tool in their application and are using it to create a faux 1Password extension. We have been in contact with them, where we advised them that we cannot recommend that our users use something like this, but alas the feature exists. Since this involves entering your 1Password credentials into an application other that 1Password, we cannot recommend that you do so.

  • Thank you for the feedback. Station is a great app and I really enjoy using it but given everything that is in my Vault I can't see proceeding with entering my credentials even if I believe there is nothing malicious under the hood and it is passed straight through to the 1P CLI. Thank you for the clarification.

    I'll reply to them as well and I hope they can find a way to enable an extension to be embedded.

  • I'm glad @cohix jumped in as I wasn't aware that he'd been in contact with them.

  • They use other chrome extensions natively (like GMailius) so it would be nice if they supported the actual 1password browser extension (where it would connect to the copy of 1password on the machine) rather than trying to use the cli

  • ag_anaag_ana

    Team Member

    Thank you for your feedback @nickmoline! With things as they are right now, we cannot recommend using this other application, as cohix said. Perhaps if they hear some feedback directly from their users about this, they will be more likely to consider this change. We have been in contact with them already, but I think every bit helps :)

  • I have just run into this issue myself. Does 1 password offer an oath2 type flow where a 3rd party like station could be granted access to a subset of our 1password data in a safe and officially supported manner?

  • ag_yaronag_yaron

    Team Member

    Hey @mrmachine ,
    Our command line tool will allow 3rd parties to integrate 1Password into their apps: https://support.1password.com/command-line/
    There are some systems and apps out there that integrate with us in that manner, however we do not officially support or endorse any 3rd party apps, so use at your own risk.

  • Isn't that what station already does? So you provide a mechanism for 3rd party integration, but it is unsafe and do not recommend anyone use it? And there is no official and safe way for 3rd parties to integrate?

  • ag_yaronag_yaron

    Team Member

    Allow me to clarify @mrmachine ,
    Our command line tool is very safe, but the 3rd parties that use it and implement it in their systems might not be. Therefor, as a user, you need to be vigilant and make sure you trust the company before you input your 1Password's credentials into their app. They might be legit and will retrieve your data from our servers properly, or they might use your personal information for other purposes. This can happen with any such API of any service.

    Since we are very security oriented, it is important for us to warn users and make them aware of the risks.
    I hope that clarifies things :)

  • ag_yaronag_yaron

    Team Member

    P.S.
    If you are specifically interested in using 1Password in a Chromium based browser that is not officially supported by us, you most likely can still use the 1Password X extension in it, as it works on most Chromium based browsers and is an official 1Password extension.

  • Thanks. So to reiterate and confirm "there is no official and safe way for 3rd parties to integrate"? Something like an oath2 flow where the 3rd party would be granted only limited access to selected items? Is it technically impossible because the master password and access key would always be required by the 3rd party app, and would always grant full access to all items? But 1password does have the ability to "share" items (though I am not very familiar with how it works).

  • ag_yaronag_yaron

    Team Member

    @mrmachine The integration to our API is safe. The question is, will the 3rd party record your email, Master Password and Secret Key and use it maliciously or will they actually just mediate between you and us in a legit manner.

    Our command line tool was meant for power users and businesses that need to manage a lot of data (or a lot of users), but we have seen apps implement it as a way to allow random users to access their logins and passwords. This is not an oath2 or a similar method, this is full control and access to the data that is in the user's account. The moment you enter your email, Master Password and Secret Key, there's full unlimited access.

  • So, no. 3rd parties can only integrate via CLI with full access. We must trust the 3rd party with our master password and access key if we want to use a 3rd party integration (via CLI, the only method possible for them to use).

    Is it technically infeasible to allow 3rd parties restricted access to selected logins via oauth2 or app specific password or token?

    Or is it just not yet implemented because there is no demand for granting restricted access to 3rd parties?

  • ag_yaronag_yaron

    Team Member

    @mrmachine It is currently not possible since we have not build such a system due to lack of demand.
    Even if there was demand, I'm not 100% sure we would develop something like that since that is not the purpose of 1Password, but that's just my personal opinion and logic :)

    Are you asking as a developer or as an end user? If you're asking as an end user, what exactly do you want to have/do and where? What password management needs do you have that aren't met by 1Password?
    If the only reason for asking this is so that you can use other browsers that are not officially supported - then this is covered by our 1Password X extension.

  • I am asking because I saw the 1password integration in station app and I was hesitant to provide my master password and access key to a 3rd party. I am personally happy with 1password mini and copy paste when necessary, but they obviously felt that an integration provides some additional benefit, and I think you hinted other apps also may be providing integration via CLI. If such a method of integration is not safe or recommended, and another safer method is possible, then I'd rather see it used by 3rd parties so I and other users don't have to do our own research on how and why such an unsafe integration exists at all.

  • ag_yaronag_yaron

    Team Member

    Thanks for the clarification @mrmachine .
    I saw some business apps in the past that have integrated our CLI but they are aimed at their specific employees so no trust issues there. Since we are talking about a browser here, then there certainly should be some doubt, and unless you completely trust the team behind the browser, I would have to advise against inputting your 1Password credentials there. Instead, I suggest you install 1Password X in that browser and enjoy a worry-free experience if it works. :)

This discussion has been closed.