Feedback and suggestions

Note: this topic applies to both Membership and iOS, so I wasn't sure which forum to post it in.

I noticed that there are a couple of important options that 1Password has, which seem to be hidden inconspicuously within the UI. Namely, these are:

1) 2FA. Unless someone is intentionally looking for it, the 2FA setting is not immediately obvious to locate. It's nowhere to be found in the 1Password apps, and I doubt most users would ever find it unless they were purposefully looking for it. IMO, there is no reason not to have this option available front and center, especially for new membership users who have this feature available to them.

2) "Always show lock screen for Password AutoFill" (iOS app). I don't know why this setting is buried in the "Advanced" settings, nor do I see why it should be disabled by default. To me that was very odd.

3) Why is there no Feedback/Feature Request forum?

Thanks! :)



Comments

  • there is no reason not to have this option available front and center

    @jlanis 1Password offers 2SV (not 2FA) - there's a technical distinction between the two but that's not relevant here.

    If a hacker compromises 1Password's servers (or your computer) then 2SV (or even 2FA for that matter) will do absolutely nothing to protect your data.

    For a long time 1Password resisted implementing 2SV because it doesn't protect users like they think it does. It gives users a false sense of security.

    • Does 2SV make sense for your email account? Yes
    • Does 2SV make sense for your bank account? Yes
    • Does 2SV make sense for a password manager? Not really

    It was introduced to keep the people happy who (wrongly) assumed it gives better protection.

    • If a hacker breaches your computer then your master password protects your data.
    • If a hacker breaches 1Password then your secret key and master password protect your data.

    2SV doesn't factor in anywhere.

    The only time 2SV would 'protect' you is if a hacker had your master password and secret key but not one of your devices (and assuming he hadn't hacked into 1Password: in which case 2SV becomes redundant). If somebody has a user's master password and secret key then they've got far bigger problems.

    For most people, it's a hindrance. People lose access to their authentication device and it doesn't provide any meaningful security.

    "Always show lock screen for Password AutoFill" (iOS app). I don't know why this setting is buried in the "Advanced" settings, nor do I see why it should be disabled by default.

    Because the lock screen in and of itself doesn't provide any protection whatsoever.

    • With the option OFF you must be authenticated by FaceID or TouchID before AutoFill works
    • With the option ON it will do nothing unless you've got a PIN enabled for 1Password

    Therefore turning it on when you've got FaceID or TouchID enabled is purely cosmetic and adds zero security hence why it's in Advanced Settings. Maybe this should have an explanation underneath it stating that it's only of use if a PIN is enabled.

    Why is there no Feedback/Feature Request forum?

    That's a good point

    Probably because the preference is that users post on here so that clarification/explanation can be sought/given in respect of any feedback or queries.

    It's a nice idea though and something I'd like to see considered.

  • jlanis
    edited April 6

    1Password offers 2SV (not 2FA) - there's a technical distinction between the two but that's not relevant here.

    Regardless of the technical term, 1Password itself literally calls it "Two-factor authentication". See: https://support.1password.com/explore/membership/

    If a hacker compromises 1Password's servers (or your computer) then 2SV (or even 2FA for that matter) will do absolutely nothing to protect your data.

    This is not entirely accurate. The 1Password documentation clearly states it provides extra protection, even if it's a small amount and/or you think it might be redundant. Every bit helps! :)

    It's also interesting you think it's pointless, when it's clearly advertised otherwise.

    With the option OFF you must be authenticated by FaceID or TouchID before AutoFill works

    This is not entirely accurate either. If this setting is turned Off, and Face ID for Password Autofill is turned off, then Autofill will work without Face ID. I tested this myself. :)

  • Regardless of the technical term, 1Password itself literally calls it "Two-factor authentication".

    I agree, it's the wrong term.

    1Password do admit this in forum posts but the target audience of the help pages aren't technical gurus. ;)

    This is not entirely accurate. The 1Password documentation clearly states it provides extra protection, even if it's a small amount and/or you think it might be redundant.

    It is entirely accurate. Look through staff posts on this forum a couple of years back and you'll see that they all concur with what I'm saying.

    I've stated what protection 2SV gives and how it has clear benefits for other services.

    The "1Password documentation" is simplified for lay people. One such example is that it states your master password is never stored in memory, which another person pointed out is incorrect.

    Multistep authentication has clear and obvious security benefits. So it is more than natural for people to ask why 1Password doesn’t employ it. We're planning to write a more detailed explanation of our developing thoughts on it, but let's discuss the difference between authentication and decryption.

    When you connect to some service, like Dropbox, you or your system has to prove that it really has the rights to log in as you. That process is called “authentication”. It is the process of proving to the Dropbox servers in this case that you are really you. You can do this through a username and password; you can do this through a username, password, and code sent to your phone; you can do this by having a particular “token” stored on your computer. Authentication always involves (at least) two parties talking to each other. One party (the client) is under your control; the other (the server) is under someone else’s control.

    1Password, however, involves the 1Password application (under your control) talking to your 1Password data (under your control) on your local disk (again, under your control). This is not an authentication process. So 1Password doesn’t even do one-step authentication. It does no authentication at all. 1Password doesn’t gain its security through an authentication process. Instead the security is through encryption. Your data on your disk is encrypted. To decrypt it you need your 1Password master password.

    There are great advantages to this design: Your data and your decryption of it doesn’t require our participation in any way once you have 1Password. Your data is yours. Even if AgileBits were to get abducted by aliens tomorrow, you would still have access to your data since we never store it on our servers.

    However, one disadvantage of this design is that the kinds of techniques used for multi-step authentication are entirely inapplicable to 1Password. Those techniques are designed to add requirements to an authentication process, but unlocking your 1Password data is not an authentication process at all. Because there is no 1Password "server", there are no (additional) steps we can insist on as part of a (non-existent) login process.

    1Password is decrypting data stored locally on your system, it is not authenticating against some service. So in truth, we don't even have 1 factor authentication, as there is no authentication in the first place. So typical approaches to MFA won’t work.

    However, that doesn't mean that it is impossible for us to do something that looks like MFA. There are roughly two approaches (each simpler than PKI). One of them is key splitting. That is, the result of processing your Master Password doesn't actually get you a working key to decrypt further; instead that result would need to be XORed with another 128-bit key. So it is simply a case of storing that other "half" of the key on some other device. 1Password would need to be able to read that device, which may be tricky on iOS, but it isn't insoluble.

    The other approach would be to move the keyfile. 1Password (on the desktop) has a file called encryptionKey.js. That file contains an encrypted key, which is what gets decrypted by the key derived from your master password. That file (and some backups of it) are part of your 1Password.agilekeychain (which is actually a folder bundle, which looks like a single file on the Mac). It would be possible for us to allow that file (and its backups) to reside on some device or location. Both that file and the Master Password are required to get any further.

    We are more inclined to do key splitting rather than having a movable keyfile.

    The real technical difficulty is getting this to work on every platform. Again, because this is all about data decryption and not authentication, we can't just implement this on one platform (if it were to be anything other than just for show). So while this isn't insurmountable it means that even the "simple" approaches that I described would be tricky.

    But the real reason that we haven't put in substantial effort in that direction is because for every case where someone reports that their computer or device has been stolen, we get probably a hundred more of "I forgot my Master Password" or "I damaged my data and didn't have usable backups". My fear is that key splitting or keyfile moving wouldn't just double the rate of people getting locked out, but would increase it much more. The threat of data loss becomes very substantial.

    Again, because we aren't running a system that people authenticate against, there is nothing we can do to help people recover their data if they damage a key or forget their Master Passwords.

    Now of course we could make it an advanced option with lots of warnings, but we know that people will always dial up security settings to 11 whether it is in their interest or not. Remember that 1Password is a mass market product. It's great that security geeks use and respect it, but we don't want to give our users rope to hang themselves with.

    I'm just spelling out why, to date, we have resisted calls for MFA. It's harder to get right for a decryption system than for an authentication system, and we think that it might do more harm than good.

    None of this is written in stone. The threat landscape, patterns of usage, and device capabilities change. So while there are no immediate plans to add this, we are leaving the door open in the design of our new data format.

    This is not entirely accurate either. If this setting is turned Off, and Face ID for Password Autofill is turned off, then Autofill will work without Face ID. I tested this myself.

    Again, it is entirely accurate.

    Here's a fuller explanation by staff.

    I think you're misunderstanding this setting though: "Always Show Lock Screen for Password Autofill" is mostly cosmetic. By default, it's off so that you don't have to wait for the 1Password animation when using the Autofill feature. You will, however, always see 1Password come up briefly, even with this disabled, when using a Login that has a TOTP code which needs to be copied to the clipboard. It's a bit difficult to understand at first since this is all very new and we don't all have a good frame of reference yet, but hopefully that helps clarify.

    I don't mean to argue with you @jlanis so I'm going to bow out gracefully. :)

    I've given you the technical explanations but I appreciate they're complicated and not everybody has an understanding of how they work. This is something that 1Password do well in hiding from users (rightly so) because, when explained, they cause undue alarm.
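
The key-splitting idea in the staff explanation quoted above, as an added example that is not part of the thread and is not 1Password's code. PBKDF2, the iteration count, the key-check tag and all function names are assumptions chosen for illustration; the point is that the second "factor" is an input to key recovery rather than a login check, and that losing it locks the data permanently.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

KEY_LEN = 16          # 128-bit halves, as in the quoted description
ITERATIONS = 100_000  # assumed PBKDF2 work factor, illustration only


def derive_half(master_password: str, salt: bytes) -> bytes:
    """Process the Master Password into a 128-bit value (PBKDF2 is an assumed stand-in)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("key halves must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def key_check(key: bytes) -> bytes:
    """Tag stored beside the data so a candidate key can be verified (hypothetical helper)."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def enroll(master_password: str) -> Tuple[dict, bytes]:
    """Return (header kept with the encrypted data, device_share kept on another device)."""
    salt = secrets.token_bytes(16)
    device_share = secrets.token_bytes(KEY_LEN)
    working_key = xor(derive_half(master_password, salt), device_share)
    return {"salt": salt, "check": key_check(working_key)}, device_share


def unlock(header: dict, master_password: str, device_share: bytes) -> Optional[bytes]:
    """Recombine both halves; return the working key, or None if either half is wrong."""
    candidate = xor(derive_half(master_password, header["salt"]), device_share)
    if hmac.compare_digest(key_check(candidate), header["check"]):
        return candidate
    return None


if __name__ == "__main__":
    header, share = enroll("constructed example passphrase")
    print("both halves:", unlock(header, "constructed example passphrase", share) is not None)
    print("wrong password:", unlock(header, "guess", share) is not None)
    # A lost or damaged share is unrecoverable: no server exists to reset it.
    print("lost share:", unlock(header, "constructed example passphrase", bytes(KEY_LEN)) is not None)
```
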

  • ag_ana

    Team Member
    edited April 7

    Hi @jlanis! And welcome to the forum :)

    @gazu provided some excellent answers (thank you for that!), but here are some more details.

    Regardless of the technical term, 1Password itself literally calls it "Two-factor authentication". See: https://support.1password.com/explore/membership/

    We do indeed call it Two-factor authentication because that's the term that most users would look for in our knowledge base if they are interested in the feature. The difference between Two-step verification and 2-factor authentication is subtle (Google even says in their documentation they are the same thing), so Two-factor authentication is certainly the safest choice for us when it comes to naming this.

    The support website is also not the right place for in-depth security explanations (we have the white paper for that), or for extended discussion. In there, we include information that is relevant to fix a specific issue, or instructions on how to enable a certain feature. The clearer and more concise the documentation is, the better. For anything else, we have the forum and emails :)

    If a hacker compromises 1Password's servers (or your computer) then 2SV (or even 2FA for that matter) will do absolutely nothing to protect your data.

    This is not entirely accurate. The 1Password documentation clearly states it provides extra protection, even if it's a small amount and/or you think it might be redundant. Every bit helps!

    Both of you are right. As gazu said, 2FA makes a lot more sense for logins such as email accounts and banking websites. Because your data is only encrypted with your Secret Key and Master Password, however, 2FA doesn't protect you if those credentials are stolen from you, and an attacker also got a copy of your data.

    So yes, every bit helps, but 2FA plays absolutely no role in the encryption of your data (which is what ultimately protects your 1Password data).

    I hope this helps!

  • jlanis
    edited April 7

    I believe @gazu was correct when he said:

    2SV would 'protect' you is if a hacker had your master password and secret key but not one of your devices (and assuming he hadn't hacked into 1Password)

    This makes sense. At the end of the day, 2SV only helps under very specific circumstances which is probably redundant given the way 1Password works. Perhaps it is better to provide more transparency on this subject for everyday users, so you are not giving them a false sense of security. Most users will not bother to read your white papers, you simply can't expect them to. But you can at least be more upfront and transparent about your security features. Don't you agree?

    Perhaps someone else could chime in on the "Always show lock screen for Password AutoFill" option. I do not agree with @gazu that it is purely cosmetic because I tested it myself and I stand by what I said earlier. And even if it is purely cosmetic, then why not leave it out all together? This goes back to being transparent and upfront about your security features and what they're actually doing.

  • Lars Junior Member

    Team Member

    @jlanis

    Perhaps it is better to provide more transparency on this subject for everyday users, so you are not giving them a false sense of security. [...] Most users will not bother to read your white papers, you simply can't expect them to. But you can at least be more upfront and transparent about your security features.

    We'll take it under advisement. And indeed a great deal of behind-the-scenes discussion and continual readjustment of exactly what and how much to make very explicit for users goes into every bit of the in-app documentation as well as our support pages. That's precisely because we're quite aware most users won't ever bother to read even our basic security documentation let alone the 1password.com security white paper. We believe they shouldn't have to read all that in order to enjoy good security. There's a difference between transparency and injudicious dumping of technical details on average users who just want good security without feeling like they'll need to acquire a CS degree to achieve or even understand it.

    Of course it's good to be truly informed about the details of important matters (health, security, etc), but good security should not be available only to those who are willing and able to put in the kind of time and energy required to understand the intricacies of what we do. And the reality of what goes on behind the scenes when you use 1Password has always been far more complicated than what the UI - or even our basic help documentation - gives the appearance of, on the surface. This is very much intentional, for the reason I just gave. It's not an attempt to hide things we don't want the public to know, but rather a set of judicious choices about what will be not just irrelevant but actively confusing for the vast majority of users. Those who want to know more can find what they're looking for relatively easily, and we'll happily help them find it - as well as being available to answer questions in public or private. As ag_ana mentioned earlier, that's why we maintain this discussion forum as well as our security white paper which both do delve much deeper into the intricacies of how things are actually done: to provide transparency and detail for those who really want to dig into the nitty-gritty.

    Perhaps someone else could chime in on the "Always show lock screen for Password AutoFill" option. I do not agree with @gazu that it is purely cosmetic because I tested it myself and I stand by what I said earlier.

    You're correct that it's not purely cosmetic. But the difference is subtle and dependent on a few factors. What it means is: if it is on, then failing biometric authentication three times will result in requiring your Master Password to autofill, and if it is off, failing biometric authentication will result in requiring the device passcode. Most people use a default six-digit passcode for their iOS devices. It's what Apple suggests straight out of the box, and most folks don't want to have to be bothered to use anything longer -- but you certainly CAN create a much longer, alphanumeric passcode if you wish. I did. By contrast, our own advice for 1Password users is to create a strong Master Password, so chances are good but not certain that any given user's Master Password will be stronger (higher entropy) than their device passcode. So it's certainly arguable that the average Master Password will be stronger and harder to crack than the average device passcode, but that's not necessarily true. And what IS true is that having that lock screen pop up interrupts a user's Safari experience with a 1Password screen. Some users will prefer the 1Password lock screen and others might prefer not to have their experience interrupted/lengthened/complicated. Enabling this option will result in a different level of security, it's not necessarily a higher level. And remember, we're talking about something that happens only after biometry has failed three times. We do have a feature request internally to change that setting to default to the "on" position, but there are arguments on both sides of that question.

    Here again, though, while I wouldn't describe the decision as trivial or inconsequential, neither setting (requiring Master Password or requiring device passcode) is likely to ever be tested/needed in reality, and individual preferences as well as situations will vary. That's why this option is inside the Advanced > Security preferences instead of part of the sign-up or first-run flow of using 1Password, the way things like choosing a good Master Password are.
