This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Enable Universal Unlock

bhenry
bhenry Junior Member
I cannot find any explanation for what Enable Universal Unlock means in the new 3.9 prefs? The help file presented when you click the question mark icon on that pref pane directs to a web site for the older 3.8 prefs.

Comments

  • roustem
    roustem AgileBits Founder
    I am sorry about the docs, we'll make sure they are up to date soon. I tried to explain it under the checkbox.



    The 1Password Helper is a separate process that can be unlocked from either the 1Password application or from the browser extension (or from the helper itself). If you enable Universal Unlock then the 1Password application will be unlocked with the helper.



    For example, you might unlock Safari and this will automatically unlock the 1Password application. Or you might quit 1Password and launch it again. It will be unlocked as long as the helper is unlocked.



    I hope this helps, let me know if you have any questions.
  • What is the 1Password Helper - is this part of 3.8.5? Unlocking and locking combinations of the extension and application are becoming extremely confusing.
  • I believe the helper is new to 3.9. Previously there was an "agent" that did some but not all of what the helper does. Like the iTunes helper is what hangs out waiting for your iPhone to connect so it knows to then launch iTunes for you, the 1P helper provides similar assistance.



    Unless you changed the default, one of its manifestations can be seen in your menubar as the little Key. So, it's always running waiting for you to trigger it to perform some 1P function, and also seems to manage the lock and unlock states.



    I think of it as the creamy center between the browser extension and 1P.app Oreo cookies. Just don't eat it.
  • roustem
    roustem AgileBits Founder
    Yes, what rwross said.
  • So, any process can get decrypted passwords using the helper while it is unlocked? Is this any safer than keeping my passwords in an unencrypted text file?
  • brenty
    edited September 2011
    Not at all, beznogim! Your 1Password data is encrypted when you create it, stored encrypted, and it stays encrypted until the moment it is accessed -- and again thereafter. And because each item is a separate file, the granularity allows us to decrypt only the item you need when you need it (http://help.agilebits.com/1Password3/cloud_storage_security.html#unlocked_vaults_or_unlocked_boxes).



    And just to elaborate on what Roustem and The Doctor said, the 1PasswordHelper is roughly analogous to 1PasswordAgent in that it communicates between the main 1Password application and the browser extensions, and handles background tasks like locking and unlocking and automatic backups of your data.



    Finally, getting back to the main topic, Universal Unlock, in practice, maintains the lock state between 1Password and the extensions. And again, your data is not decrypted wholesale when you unlock 1Password. It is decrypted on demand, when you access it.



    I hope this helps. If you have any other questions, just ask! :)
  • I've noticed that when the universal unlock is enabled and the app is unlocked, I can close both Firefox and the 1Password.app, launch Firefox again and see my passwords without unlocking the 1P Firefox extension. Looks like the decryption key is stored on disk or in memory somewhere, readily accessible to other (potentially malicious) processes or nosy colleagues.

    Maybe this is the desired behavior, but, IMHO, the application should give me a warning about potential security implications.
  • I agree completely! This is why 1Password and the extensions obey the Security Preferences you have set, so you can decide how you want to secure your data. If you unlock it, it will remain unlocked until whatever criteria for Auto-Lock rules you have set are met. In my case, this means that after I unlock my 1Password data, it remains unlocked unless one or more of the following happens:

    1. I lock it manually ( ⌘^L )
    2. The screen saver turns on or the computer goes to sleep (Lock when ...)
    3. So many minutes of inactivity elapse (Lock after ...)
    4. I restart my Mac

    You can get granular and tell 1Password to "Disable automatic unlock ..." depending on your needs. It is up to you how secure you make it.



    I hope this helps. Let me know if you have any other questions. :)
  • If I understand correctly, 1P sets up a local HTTP server that can be "unlocked" to provide logins and passwords to any app that asks politely, and there is no per-application authentication there. It either serves no one (when locked), or serves anyone (when unlocked). Is this what Universal Unlock does?
  • khad
    khad Social Choreographer
    Apologies that this post has gone overlooked for a few days. I just want to clarify that this is not at all what Universal Unlock does. That would be horribly insecure. :-)



    Universal Unlock simply binds the locked state of the main application to the locked state of the browser extension(s). With Universal Unlock enabled, you can unlock either one and the other will also be unlocked. Likewise for locking.



    We plan to write a document describing the security of the syncing procedure between the main application and the sandboxed browser extensions, but it is analogous (though not identical) to what happens with the old Wi-Fi sync mechanism that we had for syncing between 1Password on the Mac and 1Password on iOS. (Note that Dropbox syncing is far more robust, I just bring up this old method because it is the best analogue to what is going on between the browser extension and the 1Password application.)



    You can read the details of that here: http://help.agilebits.com/1Password_touch/how_secure_is_syncing.html



    Note that even though this syncing process is all happening just on your computer, we make sure that your data and master password are always well encrypted when being transmitted from one component to another.



    If we can be of further assistance, please let us know.



    We are always here to help!
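
The lock-state behaviour described in this thread (a helper process that owns the lock state, Universal Unlock binding the application to it, and the inactivity Auto-Lock rule), as a small model. This is an added example, not AgileBits code; the class names, the 300-second default and the behaviour with Universal Unlock disabled (the application keeping its own lock state) are assumptions.

```python
import time

class Helper:
    """Model of the long-lived helper that owns the shared lock state (assumed design)."""
    def __init__(self, idle_timeout=300.0, clock=time.monotonic):
        self._clock = clock
        self.idle_timeout = idle_timeout  # "Lock after ..." rule, seconds (assumed default)
        self._unlocked = False
        self._last_activity = clock()

    def unlock(self):
        self._unlocked = True
        self._last_activity = self._clock()

    def lock(self):  # manual lock, screen saver and sleep all end up here
        self._unlocked = False

    def is_unlocked(self):
        if self._unlocked and self._clock() - self._last_activity >= self.idle_timeout:
            self.lock()
        return self._unlocked

class Component:
    """The main application or a browser extension (hypothetical class)."""
    def __init__(self, helper, bound):
        self.helper, self.bound = helper, bound
        self._local_unlocked = False  # only used when not bound to the helper

    def unlock(self):
        if self.bound:
            self.helper.unlock()
        else:
            self._local_unlocked = True

    def lock(self):
        if self.bound:
            self.helper.lock()
        else:
            self._local_unlocked = False

    def is_unlocked(self):
        return self.helper.is_unlocked() if self.bound else self._local_unlocked

def relaunch_app_after_extension_unlock(universal_unlock):
    """Unlock through the extension, then start a fresh application process."""
    helper = Helper()
    Component(helper, bound=True).unlock()           # browser extension
    app = Component(helper, bound=universal_unlock)  # newly launched 1Password.app
    return app.is_unlocked()
```

Because the state lives in the helper rather than in the application or the browser, quitting and relaunching either one does not lock anything; only the Auto-Lock rules, a manual lock, or a new helper process (a restart) do.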