bitbucket.org issue #17
Comments
|
Can you please paste the entire OTP line from that particular password file (obviously with the actual seed redacted)? |
|
Never mind about posting the line - this appears to be the anti-phishing logic working as intended. The 2FA is on a completely different origin (bitbucket.org) than the actual login (id.atlassian.com). Do you have any suggestions for how to proceed in this case? Dropping the token when the origin changes is a deliberate security measure. I note also that the OTP extension does not clear the clipboard - so you can still paste the OTP code just fine. /cc @maximbaz |
|
I loigin gitlab.gnome.org via github, but with OTP. And it also says |
|
@532910 Can you clarify the workflow? I'm not sure where you're saying you are being prompted for OTP - as long as the password and TOTP entry are on the same origin, it should work. If they are on different origins (e.g. login on GitHub, but OTP on gitlab.gnome.org), then the phishing protection will discard the OTP seed, as that seed would belong to GitHub, not to gnome.org. If you have a different OTP token available for the gnome.org origin, you can load it by performing any action with the gnome.org pass entry (e.g. copy username or password), after which the OTP token will be available until you navigate away from that origin. |
|
I can't reproduce gnome's gitlab issue more (: |
|
OK. I will close this issue for now then, but if you can reproduce it, please let me know. |
|
Nope! This issue is about bitbucket and anti-phishing. |
|
@532910 Are you requesting this issue be reopened, or saying it's OK that it be closed? I think the bitbucket thing is working as intended, and nobody posted anything indicating there was any action needed as regards that feature. |
|
I'm requesting this issue be reopened.
I believe the anti-phishing protection is not necessary, and it'd be nice to have a control to disable it.
|
|
Anti-phishing protection is definitely necessary. Phishing of OTP codes on alternate domains is one of the main ways by which OTP-protected accounts are compromised (the other being SMS hijacking). It happens often, and is a vector of concern. Completely disabling all anti-phishing protection won't be happening; that is not negotiable.
Can you describe what changes you would like to see happen, and how those changes would still mitigate the phishing risk? |
I meant you always can do it manually just typing into the search field, and browserpass will not stop you
show OTPs for those websites that has an otpauth record it the passwordstore |
It does stop you. You can't find a non-matching entry using the search field without first disabling the anti-phishing protection, unless you have already used the entry on the current origin before. If you have discovered any scenario where this is not the case, please log a new issue for it so that we can fix it (except for Re OTP - how do you propose that logic should work? Can you describe the flow of how you see that working? Please correct me if I'm wrong, but it sounds like you are suggesting that Browserpass should proactively select and decrypt credentials without being prompted by the user. That is something we currently never do; decryption currently occurs only after the user requests it. |
I can find any password staying on any webpage, just backspace for the first.
Yep, my fault. I understand the current logic.
a. This will save the toolbar space.
|
Pressing backspace when there is no text in the search field disables the anti-phishing protection. That's how it's meant to work; I think we may have been talking about the same thing this whole time 🙂.
Do you have any other suggestions for a workflow that would solve your issue? |
(:
Nothing wrong to show it for all records, the same as password and login button are always shown even the record has no login or password. Think about it as a pass otp command, you can always say
It's a pity ): Is it possible to make an OPT button a part of browserpass, but keep all logic in browserpass-otp?
It seems like no. |
|
@532910 We have discussed the OTP issue again, and the usability concerns. We have agreed to move that functionality into the main extension, which should hopefully resolve your issue. |
@erayd sorry I may have missed the conversation, but I thought that after this previous discussion, the decision was final. cc: @maximbaz |
|
Decisions reconsidering is a sign of mind flexibility. |
|
@erayd and I discussed it in a private chat, so you didn't miss any conversation. My personal attitude to storing both OTP tokens and passwords in a single basket (and assisting with this workflow) hasn't changed at all, however considering the following factors merging codebases simply becomes the most rational choice:
I have a great respect for everyone contributing to this project, and I don't want to irrationally stand in a way. That's why I decided to change my mind and agree to merging the codebases with the following conditions:
Maybe @erayd will want to add something. But what do you guys think? |
I think you covered it pretty well @maximbaz 🙂. One of the notable points IMO is the lack of complaints and feature requests regarding the OTP extension since its inception. If people have been happy with the limited way that functionality works for over a year now, then that's a fairly strong indicator that the feature doesn't need to grow. The integration brings the same behavior and capability that browserpass-otp extension currently does, and nothing more. However, being integrated means that it can be searched for and triggered without needing to invoke another activity (such as autofilling login credentials) first, which IMO is a viable solution to the primary issue raised in this thread. Another point in favour of including OTP in the main extension is that, due to some other (unrelated) work that was already planned, we now have a logical home for it in the UI. To be very clear, I agree strongly with @maximbaz that using a password manager for managing both passwords and 2FA weakens user security, and neither of us wish to encourage that behavior. The inclusion of OTP within the main extension is not an indication that either of us have relaxed our opinion regarding that issue, and the feature will not be growing in scope. We've simply agreed to change the manner in which we are addressing significant user demand for the feature. |
|
thanks both @maximbaz and @erayd for the clarifications, I completely understand the technical reasons. As I am clearly using browerpass-otp in some contexts I can't complain :-) although some may argue that not having it might not be the same as having it disabled (maybe plausible scenarios where the Anyway, not the right place to further discuss this (sorry @532910 for hijacking your issue) but I kind of feel that some users will be surprised. |
Ideally it's better that people do not store OTP secrets in their password manager at all - if the secret doesn't exist, then no amount of compromising the password manager could possibly obtain it. The option to enable / disable OTP in Browserpass is just a switch for the UI and a bit of internal processing; turning it off doesn't magically make storing your OTP secrets there a good idea (because Browserpass still has access to the decrypted contents of your pass entries, plus it's a single point of failure for both authentication factors). The storing of OTP secrets in the same place as passwords is the security-compromising behavior we are trying to discourage. The risk is the same, regardless of which tool they use. Some may consider that the security tradeoff is acceptable to them, and that's their choice. But we want to make sure, as much as we can, that their decision is a properly informed one. Too many people just see the convenience side, and don't actually consider the security implications of that convenience. |
Are you able to expand on this point a bit? Surprising users is generally not a good thing; it often indicates that one has designed a workflow, process or UX poorly. I would prefer not to surprise our users in such a way. |
Oh sorry, I mean not being surprised about the UX/UI (which I'm sure will be fine, some prototypes around here were looking great), but about the decision to merge the OTP feature in the main extension. |
There is an on-upgrade popup that will display advising of the change. And I will push a notice in the OTP plugin as well.
Not quite; there have been plenty of releases in the interim - that discussion was well over a year ago now. V3.6.0 will ship it. This isn't a breaking change, and therefore doesn't warrant a major version bump.
True. Are you suggesting that users might dislike this change? |
Everything's fine for me but yes, some users might complain about (or find surprising) a feature it was first discussed then externalized to a side-extension and finally decided to be merged into the main extension. Most will probably just think "nice, now browserpass also manages OTP". And possibly: "what's an OTP token by the way?" But hey that's just my two cents on the matter, I hope my being transparent with you is not taken as a negative knee-jerk reaction :-) I've always appreciated you guys spending unpaid time on browserpass and will keep using it anyway. Hope my point is clear. |
|
@apiraino You make some good points there. @maximbaz What do you think - better to put the announcement only on the OTP extension? That way existing users will still know about it, but we won't be collecting any new recruits for the OTP cause by displaying an update popup to users who don't already use that stuff. |
|
Good points indeed! Yes let's make notification only in the otp extension! |
The text was updated successfully, but these errors were encountered: