This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Feature Request: Multi-Factor Authentication


Comments

  • khad
    khad Social Choreographer
    MFA certainly adds a level of complexity.



    Consider what Jeff mentioned about security tokens requiring a remote server. A man-in-the-middle attack could intercept the OTP and use it immediately. (The bad guys don't sit around waiting to use a password. That's the main reason regularly changing your passwords is pointless. If you have a strong, unique one that no one else knows, there is no reason to ever change it. I digress.)



    Biometrics, being "something you are" rather than "something you have," make me a bit nervous. Once my iris scan gets intercepted, well, what recourse do I have besides transplants? :lol: I am mostly joking, of course, but I have never felt very comfortable with biometric security. That's just me, though.
  • evin
    edited May 2011
    Hello, I'm new to this forum, although I have used 1Password for years.

    I have a suggestion for maybe (I'm not an expert!) more security.

    How about using a display keyboard for the password input in the UI, so I can additionally use my mouse to write? No keylogger would be able to read...



    Some home banking software uses this additional possibility?

    Bad idea? Useless?



    Please reply



    Regards, evin
  • [quote name='evin' timestamp='1305475373' post='27043']

    How about using a display keyboard for the password input in the UI, so I can additionally use my mouse to write? No keylogger would be able to read...[/quote]



    Welcome to the Forums evin!



    I am not an expert on the pros and cons of the [i]virtual keyboard[/i] option, but there was some very enlightening discussion in another thread: [url="http://forum.agile.ws/index.php?/topic/3333-passwords-stay-in-clipboard-1passwordanywhere/page__view__findpost__p__25998"]Passwords Stay in 1PasswordAnywhere[/url]



    Please take a look at the topic and reply with any questions. I am sure one of AgileBits' resident [i]security experts[/i] will follow up with more information and insights.



    Cheers!



    Brandt
  • brenty
    edited October 2012
    [quote name='evin' timestamp='1305475373' post='27043']

    Hello, I'm new to this forum, although I have used 1Password for years.

    I have a suggestion for maybe (I'm not an expert!) more security.

    How about using a display keyboard for the password input in the UI, so I can additionally use my mouse to write? No keylogger would be able to read...



    Some home banking software uses this additional possibility?

    Bad idea? Useless?

    [/quote]



    We have this feature in 1Password for Windows, frankly because keyloggers on the Windows side are very much a fact of life. The trouble with this is that if you've gotten malicious software installed on your computer, it is just as possible for it to take screenshots along with the keylog...



    On the Mac, however, we have [url="http://developer.apple.com/library/mac/#technotes/tn2150/_index.html"]Secure Input[/url], so I am not sure if this is necessary.



    [quote name='Mezzanine' timestamp='1305291658' post='26867']

    I can see the benefit of the MFA concept of "something you know" with "something you have" in this case. The latter would be physical; a fingerprint (not so good), an iris or a security dongle cycling passcodes on an LCD display. These physical things would need to be physically stolen whereas passwords and data could potentially be stolen by anyone in any location with a network connection...

    [/quote]



    The problem is, what if -- god forbid -- you lose the eye or finger in an accident? Additionally, some folks don't have them to begin with, so there needs to be a degree of flexibility for these systems to work for everyone, and there needs to be a failsafe. Now, the really tricky part is not making it [i]too[/i] flexible, or you've obviated any possible security benefits by filling it with holes.
  • Hello Agile



    First of all, a BIG thank you for your continuous effort to make 1Password even greater than it already is. I have one feature request:

    - Would it be possible to integrate strong authentication to unlock the 1Password keychain?



    For example, via certificate. I have a USB card reader with my authentication certificate on it; it would be great if 1Password (at least on my Macs) would support certificate authentication.

    Or how about a YubiKey from http://www.yubico.com/? That would be a cheap solution for everyone.



    That would also ensure that a keychain stored in the cloud would be harder to unlock (since a keylogger could just log my pw).



    Just my 5 cents!



    Keep on with the fantastic work!

    phil
  • imajes
    imajes Junior Member
    Two factor auth to access 1pw is something I'm very very very very interested in.



    Dave et al: I'd pay an upgrade fee bounty (whatever the price is) for this.



    It's my number 1 feature, especially given the amount of data loss happening in the cloud etc right now.
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Hi Philipp and imajes. And welcome to the forums Philipp!



    We are very much looking at these sorts of security measures, but I can't make any promises at this time.



    We need to find ways of doing that that are simple and straightforward for most users. The idea of 1Password is to make doing the convenient thing also be doing the secure thing. So we need to make this a very natural thing for people to do if they choose this sort of option.



    Another thing we have to contend with is losing access to data. We do have people write to us saying that they have forgotten their master passwords. We need to make things robust enough so that we don't have too many additional people losing access to their data. (Big warnings about using such an option aren't really enough.)



    Finally, we need to get this to work across platforms. If you are syncing your database across Mac, Windows, iOS, Android, and Windows 7 Phone, we need a way for each of those systems to read the "second factor".



    We are exploring various schemes, but I also need to ask for patience on this. I suppose that if I had to describe our relationship with multi-factor authentication, I would have to say "it's complicated".



    Cheers!



    -j
  • imajes
    imajes Junior Member
    thanks for the reply. I think this is a case of starting with at least _something_ and getting some user feedback. Even if it's in a beta only and then removed, it's some experience for you to build on. Sitting around and trying to build the perfect product the first time is what you learn not to do in engineering 101. :)
  • jpgoldberg
    jpgoldberg Agile Customer Care
    [quote name='imajes' timestamp='1308617962' post='29702']

    thanks for the reply. I think this is a case of starting with at least _something_ and getting some user feedback. Even if it's in a beta only and then removed, it's some experience for you to build on. Sitting around and trying to build the perfect product the first time is what you learn not to do in engineering 101. :)

    [/quote]



    Fair point. I can't say at this point what approach we will take. You may be interested to know that we've actually tried integration with a fingerprint scanner in the distant past and had to abandon that effort after putting an enormous amount of effort into the project.



    But we do like to remain agile, so you never know. But as part of that agility we typically don't announce features until they are actually available.



    Cheers,



    -j
  • Please add me to the list of people who want Secure ID supported.

    I need it for logging into etrade.



    Thanks
  • Hey there, jcmjapan! Welcome to the forums!



    We have your vote. Thanks for your feedback! We will see if we can add this in a future version. Only time will tell. :)

    [quote name='jcmjapan' timestamp='1310526449' post='31876']

    Please add me to the list of people who want Secure ID supported.

    I need it for logging into etrade.

    [/quote]
This discussion has been closed.