What is the purpose of having a full install of the app to use a browser extension addon?

Hi,
So I am using two password managers and will be using only one soon. In evaluating the two managers I have a question for AgileBits.
The other password manager does not require me to download and install a full desktop version to use a browser extension or addon. Why does 1Password require the user to download a full desktop version of software in order to use 1Password mini? Is this a security enhancement and if it is, what does this security provide? If not, why can't a user just install a browser extension or addon of 1Password mini, log in, maybe a two-factor authentication step, and immediately use your vault?
Installing a full desktop version of the 1Password software to connect to 1Password mini seems like a vulnerability; please explain?
Thank you.



Comments

  • jpgoldberg
    1Password Alumni
    edited January 2018

    You've asked a question that is really close to my heart, @myhost316!

    There are a number of security reasons for our design promoting native apps.

    Web pages are hostile

    We consider web pages to be very hostile environments, and so we want to put as much distance between them and the bulk of your secrets as possible while still being able to fill in just the right information into any given page. So our browser extension is very "thin", and most of the work is performed by 1Password Mini/Helper.

    It would be possible to have a "thin" browser extension talk to a remote service, but then that remote service would have much more information about your browsing behavior than you might wish. By having 1Password talk to something running on your own machine, when you look up a login for ISecretlyLoveNickelback.org we don't need to know that you have an account on such a shameful website. (Our native apps will fetch entire vaults instead of requesting individual items by domain name, but the browser extension must query by domain name if it is going to get only the item it needs.)

    Locking 1Password outside of the browser

    It's also very hard for a JavaScript program running in a web browser to "forget" something. This means that while we could have a browser extension that appears to lock when you ask it to, some of that locking in the extension may be more cosmetic than real. We want locking to be real.

    Native apps can do more

    Native apps can have richer importers and exporters. They can have sophisticated password security audits. They can be used for managing and sharing much more than just passwords. Your ability to manage your data and share just those items that you wish to with other members of your family and team is much more powerful with native applications, which can use the full power of your operating system environment, including securely storing data locally.

    The X-ception

    I should note that despite how we feel about the dangers of operating in web pages, some browsers have their process separation model sufficiently well-developed that we have begun developing a "thick" browser extension that still maintains the kinds of security and privacy requirements that we insist on. So we have recently introduced 1Password X, which is a rich 1Password browser extension for Chrome that does not rely on anything else running on your machine.

    Five years ago, something like this would have been unthinkable for us. Browsers had neither the cryptographic tools we need, nor the efficiency, and certainly not the security architecture that would have allowed us to build this in a way that lives up to our standards. 1Password X is new, but if you want to try it, it may be exactly what you are looking for.
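
The point about locking in the reply above, as an added example that is not part of the original post and is not 1Password's code: dropping a reference to a string secret leaves every other holder of that value able to read it, while bytes held in a typed array can at least be overwritten in place. The class names and sample secret are constructed for illustration.

```javascript
// Added illustration (hypothetical names): cosmetic lock vs. overwriting lock.

// Secret held as a string: strings are immutable, so lock() can only
// drop this object's reference. It cannot erase the characters.
class StringSession {
  constructor(password) { this.password = password; }
  lock() { this.password = null; }
  isLocked() { return this.password === null; }
}

// Secret held as bytes: lock() overwrites the buffer before dropping it,
// so every alias of that same buffer sees zeros afterwards.
class BufferSession {
  constructor(keyBytes) { this.key = Uint8Array.from(keyBytes); }
  lock() { this.key.fill(0); this.key = null; }
  isLocked() { return this.key === null; }
}

function demo() {
  const typed = "correct horse battery staple"; // constructed sample secret
  // Stand-in for any other holder of the value: a closure, a cache, a form field.
  const strayReferences = [typed];
  const s = new StringSession(typed);
  s.lock();

  const b = new BufferSession([0xde, 0xad, 0xbe, 0xef]); // constructed key bytes
  const alias = b.key; // another module holding the same underlying bytes
  b.lock();

  return {
    stringLocked: s.isLocked(),                  // UI would show "locked"
    stringStillReadable: strayReferences[0] === "correct horse battery staple",
    bufferLocked: b.isLocked(),
    bufferBytesAfterLock: Array.from(alias),     // zeros: the bytes were wiped
  };
}

console.log(demo());
```

Zeroing a buffer only covers the bytes the program owns; it says nothing about copies the engine or other code may have made, which is the gap between a lock that looks real and one that is.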

  • myhost316
    Community Member

    @jpgoldberg Thank you for the detailed response. Something that AgileBits should consider is developing a thick browser extension for all of the browsers, and here's one reason. At my work our operating systems are locked down from unapproved software installations unless installed by a system administrator. However, most of the browsers installed on our systems are able to have browser extensions or add-ons installed and enabled. I'm not able to use 1Password because of the requirement to install the native app in order to use the browser extension. I am sure that I'm not the only one that suffers from this issue. I'm going to try the 1Password X extension for Chrome and see if that works.

  • jpgoldberg
    1Password Alumni

    Thanks @myhost316!

    We do hope to eventually bring 1Password X to other browsers, but we felt most comfortable with Chrome's process and "page" isolation.

    If you would like to ask your IT people to talk to us about getting 1Password native clients approved in your organization, we'd be happy to talk to them.

This discussion has been closed.