Forum Discussion

ivolanski
New Contributor
2 months ago

Feature Request: modern app unlock

Hi,

I'm a happy 1Password user, but I have a big concern about how to unlock it. I will explain why and give a suggestion about it. It would be great if the 1Password team made it; I think it would be an extra level of security.

The actual problem is that if an attacker gets access to my computer and my 1Password password, he can easily get access to all my vaults. This could be done very easily if someone plugs a physical keylogger into my work computer's keyboard, for example. It's easy, simple and very effective. I know that it is impossible to provide 100% security, but we should try to make it harder, more time-consuming or more expensive to break the security. Malware or a software keylogger could also give an attacker access to my computer.

Solution 1: YubiKey passkey. This would be great, as no malware, remote access or keylogger could unlock my vaults. This is my favorite solution.

Solution 2: Password + TOTP (not the same TOTP as the account). This TOTP would work just for vault unlock. As some users don't have a security key, they could use a mobile phone TOTP app to unlock the vault.

Solution 3: Unlock confirmation using mobile phone. A notification and a simple confirmation could do the trick.

If I could choose what to implement, I would do all 3 options, as they cover different types of user needs. The recovery method could also be as simple as the account password + secret key + TOTP (if TOTP is activated), so the user could disable this extra feature and go back to simple password unlock, or register a new passkey or a new unlock TOTP or whatever...

I know that an attacker who has access to my computer could exploit the possibility of copying unencrypted data while 1Password is unlocked, but this involves another level of knowledge, more time and maybe more money. Because, the way it is now, an attacker can buy a cheap USB keylogger and hide it in our computers, causing a big disaster by learning my 1Password password, and this is a real concern. Check more about it at https://en.wikipedia.org/wiki/Hardware_keylogger

Thanks in advance!

1 Reply

  • Hello ivolanski! 👋

    Welcome to the community! While 1Password does protect your data as much as possible on your device, it can't protect you against malware that has completely compromised your system. It's important to take other measures to prevent being infected by malware and to only use 1Password on devices that are safe and that you trust. You can read more here: How 1Password protects information on your devices (and when it can't)

    That being said, we have a feature called passkey unlock that is currently being tested in a public beta. Passkey unlock allows you to unlock 1Password using a passkey stored in another authenticator app or on a security key like a YubiKey. It sounds like the feature that you're looking for. You can read more here:

    I don't have an ETA on when passkey unlock will make it to normal accounts; currently you need to create a new test account to try the feature. Let me know if you have any questions.

    -Dave