Alternative way to unlock 1Password for Chrome

eviljim
Community Member

It'd be nice if there was a way to have an alternative way to unlock the vault like there are on most of the other apps.

On Android and Mac, I use fingerprint login. Before Android had fingerprint support I used a PIN I think? It's been a while but I think I had some alternative to logging in with my full password - which is somewhat long intentionally.

It'd be nice if fingerprint was supported but since I don't have fingerprint on the computers I would use this on it's not a huge thing to me personally. I also have zero idea if that's even possible in an extension currently or ever.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • mkasu
    Community Member

    I think a PIN would definitely help. Or saving the password, with a "yes I'm aware of the security risk" question. On my desktop workstation which already has encrypted HDD etc. I wouldn't worry being constantly logged in so much.

    I think fingerprint scanner would be overkill for Linux, as there's probably dozens of different solutions with different drivers/API etc. I'd rather have them work on more immediate solutions :chuffed:

  • beyer
    1Password Alumni

    Hey @eviljim,

    Welcome to the 1Password for Chrome beta – I'm excited to have another member on our "beta crew"!

    > It'd be nice if there was a way to have an alternative way to unlock the vault like there are on most of the other apps.

    Heck yeah, it would be! I'd freaking love to see some different ways to unlock 1Password for Chrome. My Master Password is well over 20 characters. It wouldn't be wise for me to publicly post the exact character count, but let's just say I give the Secret Key a run for its money.

    Adding alternative unlock methods is going to be a challenge, but if it can be done securely we aren't against trying. Our current implementations of using biometrics to unlock our 1Password apps rely heavily upon a trusted relationship between 1Password and your operating system. This is going to be a heck of a lot harder on 1Password for Chrome, because it's both a browser extension and it can be run on a wide variety of operating systems. We have a lot of important functionality (like creating and editing items) to build first and then we can look at some alternative unlock methods.

    One day I hope to just think 1Password and see my password fill. But until we can link brain and computer, we will try to do everything we can to make your life easier. <3

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • eviljim
    Community Member

    @mkasu, I think if they implemented fingerprint support it'd have to be done through Chrome APIs, so while the end user might need to worry about getting things to work with Chrome, AgileBits would just be working against a single API. Though I have no idea if such an API exists, or will ever exist, or how secure it could be made.

    Actually I looked it up (I know my workplace has an extension that talks to a U2F security key) and was completely wrong. It looks horrible. https://wicg.github.io/webusb/ . Maybe eventually libraries can be built atop this but for now it seems it'd be a huge to-do, certainly not worth the effort IMO.

    So I guess maybe supporting a PIN would be nice :blush:

  • beyer
    1Password Alumni

    @eviljim: There are a lot of neat ideas that we are happy to look at when the time is right. On this subject, I do believe Chrome has some U2F support built in, but that, of course, is used for a second factor. At the end of the day, we need to focus development on our core features, and then we'd be happy to look at some of these options. We have a few cool ideas, but it wouldn't be right for me to share them until we are committed to developing them.

    Stay tuned for greatness and thanks for taking the time to help make 1Password better!

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • srcoder
    Community Member

    After you authenticate using your well-crafted Master Password, it would be nice to unlock with a PIN.
    This way people will be happier to quickly unlock the extension but also feel happy re-entering their MP after locking their PCs.

    So, you would have two settings, a quick lock timeout and a grant lock timeout.

    Also entering the PIN wrongly will immediately ask you for the MP.


    1Password Version: Not Provided
    Extension Version: 0.8.0
    OS Version: Not Provided
    Sync Type: Not Provided
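
The two-timeout PIN policy proposed in the comment above, sketched as an added example (not part of the thread and not 1Password's code). The class name, state names, timeout values and secrets are assumptions, and it models only the lock-state policy, not how a vault key would be stored.

```javascript
// Hypothetical lock-state policy; constructed for illustration only.
// Time is passed in explicitly (milliseconds) so no timers are needed.
const State = Object.freeze({ UNLOCKED: 'unlocked', PIN: 'pin-required', MASTER: 'master-required' });

class UnlockPolicy {
  constructor({ quickLockMs, fullLockMs, checkMaster, checkPin }) {
    if (quickLockMs >= fullLockMs) throw new RangeError('quick lock must be shorter than full lock');
    Object.assign(this, { quickLockMs, fullLockMs, checkMaster, checkPin });
    this.forceMaster = true;   // start locked: Master Password required
    this.masterAt = -Infinity; // time of last Master Password unlock
    this.activeAt = -Infinity; // time of last unlock or user activity
  }
  state(now) {
    if (this.forceMaster || now - this.masterAt >= this.fullLockMs) return State.MASTER;
    if (now - this.activeAt >= this.quickLockMs) return State.PIN;
    return State.UNLOCKED;
  }
  touch(now) { if (this.state(now) === State.UNLOCKED) this.activeAt = now; }
  lock() { this.forceMaster = true; } // e.g. the user locked the PC
  unlockWithMaster(password, now) {
    if (!this.checkMaster(password)) return false;
    this.forceMaster = false;
    this.masterAt = this.activeAt = now;
    return true;
  }
  unlockWithPin(pin, now) {
    if (this.state(now) !== State.PIN) return false; // PIN never replaces the MP
    if (!this.checkPin(pin)) { this.forceMaster = true; return false; } // one attempt only
    this.activeAt = now;
    return true;
  }
}

function demo() {
  const MIN = 60000;
  const p = new UnlockPolicy({
    quickLockMs: 5 * MIN, fullLockMs: 480 * MIN,     // assumed values
    checkMaster: (s) => s === 'constructed-master',  // stand-in verifiers over
    checkPin: (s) => s === '4821',                   // constructed sample secrets
  });
  const seen = [];
  p.unlockWithMaster('constructed-master', 0);
  seen.push(p.state(1 * MIN));        // still inside the quick-lock window
  seen.push(p.state(6 * MIN));        // quick lock elapsed: PIN is enough
  p.unlockWithPin('4821', 6 * MIN);
  seen.push(p.state(7 * MIN));
  p.unlockWithPin('0000', 20 * MIN);  // wrong PIN falls back to the MP
  seen.push(p.state(20 * MIN));
  return seen;
}
```
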

  • beyer
    1Password Alumni

    Hopefully, you don't mind @srcoder that I've merged your new thread here. The more organized I can be, the better I can gauge user interest in certain features. Adding alternative unlock methods isn't something we are ready to tackle yet, but it's a possibility in the future. I appreciate you taking the time to express interest, it really helps us out!

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • srcoder
    Community Member

    @beyer that's fine with me!

    As for U2F, I also make use of https://www.yubico.com/ keys.
    For 1Password, still the fixed password variant, but would love to see real U2F implemented.
    Love the fact that you can revoke them remotely, if configured correctly (using the U2F implementation that is).

    Maybe this could be something to consider.

  • berto
    Community Member

    I'm using a yubikey and would love more 1P features that utilized it! I think using U2F as a quick way to unlock the chrome plugin vault would be great.

    I understand U2F is intended to be a second factor, however if you squint isn't a secondary pin a much less secure second factor? Before I had an iPhone with TouchID I'd have to enter my master password and subsequent unlocks would give me one chance to use the pin. Sounds like a variation of 2FA.

    And master pw + U2F is truly "something you know + something you have," vs master pw + pin being "something you know + something else you know" (one of which is pretty easy to steal looking over the shoulder).

    As an aside: when I started going between Mac and Linux I decided I didn't even want to know my 1 password, so I know the first 13 characters and the rest is a random string stored on my yubikey. 8-)

  • beyer
    1Password Alumni

    Thanks for your input folks! I can't go into any details on our super secret plans, but as you imagine we've certainly looked at the possibility of implementing U2F. You both might find SoftU2F that GitHub released this week interesting if you haven't heard about it.

    Personally, I think the Yubikey is a cool piece of tech, and I do have one. I store the Secret Key for my personal 1Password account (minus the last 5 characters which I have memorized) on it. This means I could lose everything but my keys and still access my 1Password account, which is super helpful when I'm traveling.

    I promise to kick around these ideas with everyone the next time we sit down. Have a great weekend! :)

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • srcoder
    Community Member
    edited July 2017

    We're not on MacOS you know, that's why we're in this Topic :-)

    But thanks for sharing anyway lol

  • beyer
    1Password Alumni

    @srcoder: Silly me! I should've worded that better. I wasn't suggesting SoftU2F as a solution; I just thought it was an interesting development on the U2F front. It's my understanding that GitHub created SoftU2F due to so few people purchasing and using a U2F device.

    I'd love to see the metrics on that, but it's interesting GitHub users (which many of our developers are) aren't buying U2F devices. There are very few online accounts that are "mission critical" to me, but GitHub is certainly one of them.

    In v0.8.2 we've extended the maximum auto-lock time out setting to 300 minutes, which I hope helps everyone who can safely increase it. The door isn't shut on alternative unlocking methods, in fact, I included it in last week's wrap up with the rest of the team.

    Stay tuned and thanks for being awesome!

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • srcoder
    Community Member

    @beyer Yes, it's indeed good to see some progress, we build e-commerce websites mostly and will implement it for the developers when they want to log in on production (as it works out-of-the-box in Chrome for Linux)...

    Keep up the good work guys!

  • beyer
    1Password Alumni

    Will do, thanks! <3

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

This discussion has been closed.