Security Feature Request: Polling by browser extension

Love 1Password, far better than Lastpass (I moved over about a year ago). For my browsing, I rely primarily on 1Password X extension in Chrome.

I'd love for 1Password X to adopt a security feature that I really liked in Lastpass: polling by the browser extension (I think that's what they called it). When I logged into the Lastpass extension in one browser, it would log out of all other browsers and I would have to reenter my master password when using a different computer or browser. For those of us that use a variety of computers, it's a great security option - you know that you're only logged into the instance that you're using at that moment, and any other web browser extension will log out.


1Password Version: 7.2.5
Extension Version: 1.14.3
OS Version: 10.14.1
Sync Type: 1Password

Comments

  • @joshua01 you can achieve what you want with 1Password in one of three ways:

    • Log out of the extension after you've finished using it
    • Log into your 1Password online account and deauthorize the extension (you can do this remotely)
    • Change the option under Preferences > Security > "Lock after computer is idle for X minutes" (best practice)

    Automatically logging users out would cause significant inconvenience for people who use their extension on multiple computers and may not want to be immediately logged out.

    You should really be using the third option because that achieves the best balance of security versus convenience.

    If you leave your screen unlocked on another computer (i.e. so somebody's in a position to access 1Password) then it's game over - that person could install a keylogger, read your memory etc.

    If you lock your screen, you've got nothing to be concerned about.

    Taking the above into account, can you think of any use cases in which such an option would increase security?

  • The auto-logout from other sessions should be an option (not required), but it's a valuable security option. Lastpass offers it and it works well.

    Your other suggestions are not a replacement for the polling (auto-logout) option:

    Of course one should log out after finishing, but we often forget, or we walk away and think we'll only be away for a minute.

    De-authorizing only works when you realize that you didn't log out and you have immediate access to another computer to do it.

    Locking after X minutes is good, and I do it. But the problem is striking a balance between convenience and security.

    Offering auto-logout as an optional setting inconveniences no one and is valuable to a lot of folks.

  • Hey, @joshua01.

    I'm not a 1Pass team member, but I recognize that'd be a great feature. I know it's not what you're actually looking for, but another thing you could do is to check the This is a public or shared computer option. What that does is that your Account Key isn't stored in that particular browser's local database. For security, it's a great option, that combined with Lock after X minutes strengthens your account without losing too much of the convenience.

    Hopefully, 1Password can implement this feature in some way!

  • ceceliacecelia

    Team Member

    Hey @gazu and @arturoaubry! Thanks for the helpful tips. :) — And welcome to the forum, @joshua01! 👋🏻Thank you for the kind words - I'm delighted to hear you're enjoying using 1Password. I appreciate you bringing this up to us. Though this isn't currently a setting in 1Password, we can see ourselves implementing something like this in the future, especially with Desktop App Integration in play. Desktop App Integration syncs the locked state (among other things) of the native app and 1Password X so it really paves the way for features like this. I've gone ahead and filed an issue with your auto-log-out suggestions for the devs to mull over.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file