To protect your privacy: email us with billing or account questions instead of posting here.

1Password.com sign in restricted to 1Browser [feature request]

prime
prime
Community Member
edited June 2017 in Memberships

Since some people are worried about the website (family-name.1password.com), how about having a setting where this website only works in the 1Password browser?

Just an idea for people who worry about attacks.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @Prime - Are you referring to 1Browser? Basically the sign in page only allows you to access the account via 1Browser? Just want to make sure I'm understanding your request 100% :wink:

  • prime
    prime
    Community Member

    @Frank yes, the 1Browser. I just think, people like me, who will never use this to log into a computer that isn't theirs. Just a little extra security.

  • Hmmm... @prime, that's definitely an interesting suggestion. I wonder what @brenty thinks about that... I'll mention this but it would be difficult to implement at this stage across the board. I do appreciate the suggestion!

  • prime
    prime
    Community Member

    @Frank thanks! Now the downside to this, if a person don't have the emergence kit printed out, one would be royalty screwed if they delete all the apps off of all devices. A safety idea is, if a person turns this on, it prompts "you must save the emergency kit before turning on" or something.

  • Thank you @Prime :+1:

  • AGAlumB
    AGAlumB
    1Password Alumni

    @prime: Hm. Sort of similar to Travel Mode in the sense that it could be enabled through the website to restrict access to the account...

    But this does pose the risk of locking you out of your account if something happens to your devices. That's a pretty big deal breaker for a lot of people I think, since it renders the 1Password.com web interface useless to them in an emergency. For example, if my bags are stolen while traveling, even if I can get to my Emergency Kit (maybe with my passport, or with a relative back home), I'd need to get a new machine to setup the 1Password app on.

    I don't think this is something we'll do, since with this setup, the web interface would really only be useful for admin functions (since it would need to be done within the app). We'd also need to add a built-in browser to the desktop app expressly for this purpose...and frankly we'd rather simply make it possible to access admin functions (vault creation is an example of this) through the app itself, without using a built-in browser.

    But the final nail in the coffin, at least for me, as things stand today, would be that this would pretty much break Travel Mode. For example, if I can only access the web interface through the app, enabling Travel Mode there either presents a security issue (since I'd have to do this through the app itself, rather than separately in a web browse — preferably on another device), or gets me locked out of my account (if we try to compensate by disabling the built-in browser in the app with Travel Mode to prevent it from being used to circumvent it).

    And it also bears mentioning that any browser we build into 1Password itself will also have the same bugs and vulnerabilities which affect the standalone browser, and in many cases we'd have to patch this ourselves when fixed, which would result in some delay before we issued our own update, and before users themselves installed it. This obviously isn't the case on iOS, as we're just using a webview offered by the OS itself, but given that not everyone even updates iOS right away, I'm not sure how many people would be better off with this approach. Ultimately I'm not certain how we could verify that it was 1Password's browser and not another masquerading as it, but I'm sure the web guys could come up with some cryptographic way of doing this. The user agent would be a bad idea. :lol:

    Anyway, the best way to be sure you're logging into the real 1Password.com is to do the following:

    1. Manually type https://1password.com into the browser
    2. Verify AgileBits Inc. "green" EV (Extended Validation) certificate in the address bar
    3. Click "Sign In" in the top right
    4. Complete your Sign In Address (if necessary) and login

    Admittedly, that's a few more steps than it should be. But unfortunately while the open web is a great thing, one of the drawbacks is that it's very much a playground for attackers too. (I know you probably know all of this already, but I did want to include it here for anyone else who might be wondering what they can do today to protect themselves.)

    That said, I think that it's still an interesting idea, even if it isn't feasible given the way things work today, perhaps there may be a different way of accomplishing the same goal (maintaining account security) in the future. Cheers! :)

  • richardevs
    richardevs
    Community Member
    edited June 2017

    @prime So I look again at your idea and finally understand it I think, so this will be an optional thing where people care about security wants to have their 1Password pages only be present at 1Browser, so to say, add an extra layer in the browser to make it verify the server identity.

    But personally I would say if a man really cares that much, he should just check the EV certificate like @brenty said, for these reasons:
    1) Having another software ( Here by 1Browser ) in development might cost Agilebits too much. ( More bugs, more hackable stuffs )
    2) If you turn this option on to stay secure, but being a person who don't know about computer that much, you will have a hard time verifying the software's integrity.

    In my opinion, I think there is a better way to do this, is to issue a personal certificate and then let 1password.com verify it every time you log in, since fake websites would not have those data, anytime your certificate was not brought up, it is a fake one.

    But anyway, these are all for computer experts in real life, and it is not that practical in my mind. Experts should be way relax by just checking the integrity of the SSL certificate.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited June 2017

    @richardevs: I hope you don't mind, but I moved your comments over to the existing discussion non this topic, so we don't get too far off on the other. :chuffed:

    @prime So I look again at your idea and finally understand it I think, so this will be an optional thing where people care about security wants to have their 1Password pages only be present at 1Browser, so to say, add an extra layer in the browser to make it verify the server identity.

    That was my understanding, but I'll wait for prime to confirm this.

    But personally I would say if a man really cares that much, he should just check the EV certificate like @brenty said, for these reasons:

    That's fair, but this really sucks on mobile devices. ;)

    1) Having another software ( Here by 1Browser ) in development might cost Agilebits too much. ( More bugs, more hackable stuffs )

    Yeah. Maybe if someday we're all able to get to the point where all of this stuff is automagically updated in the background that could work.

    2) If you turn this option on to stay secure, but being a person who don't know about computer that much, you will have a hard time verifying the software's integrity.

    I think there's definitely a cool idea there, even if there are problems with the current imagined implementation. :)

    In my opinion, I think there is a better way to do this, is to issue a personal certificate and then let 1password.com verify it every time you log in, since fake websites would not have those data, anytime your certificate was not brought up, it is a fake one.

    I'm not sure how many people would be both technically savvy enough to manage that and want to go through that hassle, but it's certainly an interesting idea!

    But anyway, these are all for computer experts in real life, and it is not that practical in my mind. Experts should be way relax by just checking the integrity of the SSL certificate.

    Never hurts. Cheers! :sunglasses:

  • prime
    prime
    Community Member

    @brenty @richardevs

    So I look again at your idea and finally understand it I think, so this will be an optional thing where people care about security wants to have their 1Password pages only be present at 1Browser, so to say, add an extra layer in the browser to make it verify the server identity.

    Yes, that's my idea. I know that if I had this turned on, I deleted all my apps from all of my devices, and didn't have the emergency kit, I would be 100% screwed.

    Just an idea. :)

  • pervel
    pervel
    Community Member
    edited June 2017

    I wonder if this is even technically possible without resorting to security through obscurity? At least on iOS I don't think you can do much with the Apple browser component that the app has to use. On macOS and Android you could probably do it though. How do you envision this be implemented?

  • I think you've hit the nail on the head, @pervel. 1Browser essentially is Safari (WKWebView). There really are only two browsers on iOS: Apple's Safari, and 3rd party apps that implement Apple's APIs for web browsing.

    Ben

  • prime
    prime
    Community Member

    There really are only two browsers on iOS: Apple's Safari, and 3rd party apps that implement Apple's APIs for web browsing.

    @Ben
    Is this why when I logged into my 1Password.com account on Firefox using my iPad and iPhone, the email I got from 1Password saying it was Safari and not Firefox?

  • Yep. :)

    Ben

  • prime
    prime
    Community Member

    Thanks @Ben! I never knew this!

  • No problem. :+1:

    Ben

This discussion has been closed.