U2F and 1Password Fat Clients

If and when you ever get to that stage, it would be nice to pick and choose which installs need the second factor if possible.

Like I don't use it on the web site, not so worried because I know the secret key (good luck to them), but on a work PC or two that may or may not be keylogged, a little extra would be nice (though at that point, yes, they probably could get the secret key and get into the web account, but still... even if it were enabled everywhere, I would prefer not to need it on the home desktop/laptop).

And also, such NOT a fan of FIDO2 passwordless experience. Just lift my keys? OMG. And a pin doesn't count.

  brenty

    Team Member

    @AlwaysSortaCurious: We don't currently have plans to go "passwordless". That would be problematic for a number of reasons, like you mentioned, and also cause some fundamental confusion about what the heck "1*Password*" means. :lol:

    In all seriousness, it's an interesting idea about requiring additional authentication only on certain devices...but that's sort of here nor there, as 1Password's security does not rely on authentication. That only happens when signing into the account on a device, which only happens either the first time, or every time if you don't save it there. So you can already sort of get what you're talking about by simply checking the "This is a public or shared computer" box so that you're required to authenticate every time you use it.

    I know that's not exactly what you have in mind for your use case...but if your use case is accessing sensitive information on an untrusted machine, that's not something we can ever recommend or design around. But perhaps there's something we could do which is similar -- provided we're not encouraging people to behave unsafely thinking that they have protection on a device someone else controls. Thanks for bringing this up!

  • It's edge case, fer sure. It is a trusted machine with untrusted others in play.... Or perhaps not such an edge case if people want an extra layer at work, just in case.

  brenty

    Team Member

    @AlwaysSortaCurious: Likewise, thanks for sharing the idea. The biggest "challenge" we have with 1Password in this regard is that its security is based on encryption, not authentication. That's great on the one hand because it means that your data is available on your device locally, even without an internet connection; and if an attacker gets your device, your data is still protected. But the flip side of that is 1Password doesn't need to authenticate most of the time. For your example, someone failing authentication on a device where you've already set up 1Password just wouldn't be able to sync any changes; they'd still have a copy of the data locally. So perhaps something like the 1Password web interface's checkbox "This is a public or shared computer" would help, since you'd then need to enter all of your credentials and the two-factor code to sign in the next time.

  • LOL.... was thinking this again, and came by to see what was going on and just realized it is still on the first page! You guys have to get out some more betas for us to play with, and a FIDO option just for fat clients might be a nice one to include ;)

  brenty

    Team Member

    No word on FIDO at this time, but yep, we really need a new beta. Shouldn't be too long. :)

