Prevent direct access to Administrative Console

Is there a way to prevent automatic access to the Admin Console when clicking on settings -> accounts > account-name in 1Password X for Chrome ?


1Password Version: 7.2.581
Extension Version: 1.13.1
OS Version: Windows 10 Pro for Workstations 64bit
Sync Type: 1Password

Comments

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @mukkacow,

    At the moment I don't see a way with the current implementation. Can you help me understand the scenarios you're trying to protect against please and I'll see about filing an issue. Ensuring we fully understand is important though as patching in one place may not protect in full if we're not seeing the full picture.

    Unless you've deleted it's worth noting one of the Starter Kit items created with a new 1Password account is a Login item for your 1Password account. That would allow somebody with access to log into the account as well as view the current password. I think it works as a good example of why altering the UI (User Interface) in one place may not address the underlying issue if we only look at it from a very focussed point of view.

  • mukkacow
    mukkacow
    Community Member

    Hello @littlebobbytables! Thank you for replying to my post. The scenario looks like this:

    On some occasions I have to use 1Password on shared-user workstations that intentionally cannot be locked and it Is not possible to change the Windows user. I am aware that it would be enough to lock 1Password Chrome Extension to make sure that the password is required to login to the console but for extra security it would be useful an option that always forces you to enter the password if you wish to access the web console on which you can manage billing and personal settings, etc. ...

  • AGAlumB
    AGAlumB
    1Password Alumni

    It's an interesting idea, and something to consider, but I do think it's important that we don't offer "security theater", and having 1Password "require" the Master Password even when it does not need it, since you've already entered it yourself, really strikes me as unwise.

    I don't think it makes sense for us to design around a use case that's inherently insecure in the first place: i.e. accessing sensitive information on a public/shared/untrusted machine. There's little stopping another user from capturing your actual Master Password in that case, and I'd argue that us having 1Password X require you to enter it again to access the admin console when you've already entered it to unlock would just give you a false sense of security in an insecure environment. Food for thought.

This discussion has been closed.