Feature request: Unlock 1Password X with something other than the master password.

It would be nice if it were possible to set something else to unlock 1Password X than just the master password. I have a bunch of ideas that I think would work quite well:

  • Pin
  • U2F
  • TOTP

That would all make it a bit easier than typing the passphrase every time while still keeping security quite high (mostly on U2F and TOTP).


1Password Version: Not Provided
Extension Version: 1.14.3
OS Version: Ubuntu 18.10
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni

    @olikami: We almost certainly won't ever offer a "PIN" option, since that's just shorthand for "a weak password composed of only numbers". While U2F and TOTP second factor options are interesting, they're for authentication. Certainly it comes up from time to time though, but I'd be curious: would you be okay with only being able to use 1Password when connected to the internet? Arguably that's less onerous with 1Password X, since you'd necessarily be using a web browser. But most people expect to be able to access their data offline, and since 1Password's security is based on encryption, it's less compelling. Interested to hear what you have in mind though. :)

  • olikami
    Community Member

    Thanks for your message.

    Maybe I wasn't all that clear what I meant by PIN (and all the other options as well). I understand that I need to have a passphrase for security and I'm happy to enter that every once in a while (say like every 2 weeks). But on my iPad and Android I have the option to use the fingerprint, Face ID or a PIN to unlock the safe (after initially setting it up).

    I thought after initial setup the unlock (which I have to do quite often since it locks after 10 minutes) could be done by PIN, or more optimally by TOTP or a security key. Just like it's done on iPads and Android with Face ID and fingerprint respectively.

    As for the online question: Yes, I do think it's important to be able to access the data offline. I would probably not notice too often, but sometimes there is simply no internet access and I need to access my data (mostly for other data than passwords, such as licences).

  • gazu
    Community Member

    I like the idea @olikami but PINs on a computer reduce security.

    Personally on mobiles I use a PIN (biometric unlock for lock screen and PIN for 1Password) but the security on an iPhone is far superior to that of a Linux desktop - you have the secure enclave, full-disk encryption, wipe after 10 attempts etc.

    On a computer Ubuntu doesn't offer the same protection and an attacker who has access to your RAM (or swap file equivalent) could swipe your master password. This necessitates storing your master password in memory; something many people disagree with.

    Therefore on balance a PIN is generally less secure. Your better option would be locking your screen.

    The reason (I presume) brenty is asking about being able to access your data offline is because if 1Password were to use U2F or TOTP you'd get no security benefits. These technologies are only useful for online-only data access where a server is controlling access to your vault.

    The second you use U2F or TOTP offline you get security theatre. If an attacker has access to your offline desktop he can emulate the acceptance message that a U2F code or TOTP key produces ... and in he goes to your vault.

    1Password is based on encryption and not authentication.

    Again, your better option would be locking your screen.
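
Added example, not part of the thread and not 1Password's code: a Python model of the point gazu makes above, that an offline TOTP check is a local comparison which never feeds the encryption key. The dict layout, function names, salt and the SHAKE-256 XOR stand-in cipher are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 100_000  # constructed value for this example


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def derive_key(password: str, salt: bytes) -> bytes:
    """The vault key depends on the password and salt, nothing else."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHAKE-256 keystream XOR) so only the stdlib is needed."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def enable_quick_unlock(password: str, totp_secret: bytes, plaintext: bytes) -> dict:
    """Hypothetical device state after one full unlock with the master password."""
    salt = b"constructed-salt"
    key = derive_key(password, salt)
    return {
        "salt": salt,
        "blob": xor_stream(key, plaintext),
        # Offline quick unlock forces both of these to live on the device:
        "cached_key": key,
        "totp_secret": totp_secret,
    }


def quick_unlock(state: dict, code: str, now: int):
    """Local TOTP gate: a comparison, then use of the key that was already stored."""
    if not hmac.compare_digest(code, totp(state["totp_secret"], now)):
        return None
    return xor_stream(state["cached_key"], state["blob"])


def decrypt_from_key_inputs(state: dict, password=None) -> bytes:
    """Decryption needs only the key material; no TOTP code appears anywhere."""
    key = state["cached_key"] if password is None else derive_key(password, state["salt"])
    return xor_stream(key, state["blob"])
```

The gate in `quick_unlock` protects nothing that `decrypt_from_key_inputs` cannot reach from the same stored state, which is why a second factor only adds protection when a server enforces it or when it contributes to the key itself.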

  • Again, your better option would be locking your screen.

    I have to agree with gazu that this would be the better option.

    Ben

  • Marshall Rose
    Community Member

    [ @Ben - i wasn't sure which of the threads regarding yubikey to add this to, but i'll chime in here... ]

    i want to be able to use the physical presence of a yubikey in order to be a 2FA when i go to unlock 1P on my desktop, i.e., i want to have to enter a passphrase (what i know) AND have a yubikey plugged in (what i have). ideally, i'd like to be able to use a fingerprint instead of the yubikey (again, something what i have) if the device (i.e., a mbp or mobile device) has a fingerprint reader.

    does that ask make sense?

    thanks!

    /mtr

  • @Marshall Rose fingerprint unlock (Touch ID, Windows Hello, fingerprint unlock on Android) is great for the convenience of not always having to enter one's Master Password. One is much more likely to have a strong Master Password if they do not have to type it in each and every time they want to unlock 1Password; fingerprint unlock provides that convenience. We currently do support YubiKeys for adding a layer of authentication to your 1Password account (based on the TOTP standard currently, not U2F). Your fingerprint is great for local authentication, for an already-authorized device, but not so much for authorizing with an external server (in other words, for use as a second factor, as you mention).

  • Marshall Rose
    Community Member

    I use the fingerprint sensor on my pixel 3, which is very nice. I've been using it on my iPad too. I have TOTP on my 1P accounts, as you suggest.

    But, I'd rather not have to do the TOTP fingerwork... I'd rather be able to plug in a nano5c ...

  • As it currently stands, once you've authenticated a device with your OTP, you shouldn't need to authorize it again, unless you manually opt to deauthorize a particular device and then are forced to enter an OTP again, so at least you shouldn't have to enter it very often at all.

    U2F is certainly an exciting technology, so we will see what the future of 1Password holds in that regard. :smile:

  • Marshall Rose
    Community Member

    agreed. i am happy with the TOTP support!

    i'm trying to minimize my own work, by being able to plug in a dongle and not having to think about it (not something security folks would like to read, of course...)

    to be clear though: what we have now is really useful and good!

  • Thanks for the feedback @Marshall Rose :)

    Ben

This discussion has been closed.