[Webkit-unassigned] [Bug 209563] New: Negative effects of LocalStorage expiry for 1Password

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 25 14:02:11 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=209563

            Bug ID: 209563
           Summary: Negative effects of LocalStorage expiry for 1Password
           Product: WebKit
           Version: Safari 13
          Hardware: All
                OS: All
            Status: NEW
          Severity: Major
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jasper at agilebits.com

At 1Password we are concerned about the sudden announcement (https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/) that LocalStorage will expire after 7 days, and want to provide our use case of browser storage and how this will cause harm to our users (including irreversible data loss to some).

We have a full featured web app at 1Password.com that allows users to signup for an account, access their vaults, and perform admin functions for their business.

For context, 1Password is end-to-end encrypted with keys we do not hold. For users to decrypt their 1Password vaults, they need their Master Password and Secret Key: https://support.1password.com/secret-key-security/

The Secret Key is a randomly generated string generated locally during signup and stored on devices users have previously used. This key is required for users to decrypt their vaults. Given that most signups occur in a web browser, that is the first place we store this critical piece of data. While we do try to encourage users to install our native applications, for some (unknown) number of users out there LocalStorage in their browser will be the only place they have this key saved, and in 7 days may now become irreversibly locked out of their 1Password vaults.

Again because 1Password is end-to-end encrypted, unlike most sites, we cannot use authentication cookies to remember a user. We must use LocalStorage since our servers can never know the user's Secret Key. Additionally, a device UUID and 2FA token, are kept in LocalStorage. This means that returning users will often be met with an empty login screen, requiring them to again enter their email, locate and enter their 34 character Secret Key, and complete 2FA again. I think it's unreasonable to expect every user to visit our app at least once every 7 days, especially for business account administrators who may visit sporadically depending on which administrative actions happen to need performing.

We also store an additional 20+ user settings and other state information that will often get erased. It will be unexpected behaviour for users who may have to constantly reconfigure their preferred settings, or see notices they've previously dismissed.

Until now the only way for us to lose all this data stored in the browser is if the user explicitly chose to erase it, which is a pretty intentional action. To unexpectedly hear all this user data will be suddenly erased in less than 7 days from user's devices is very concerning, and will cause confusion and harm to our 1Password customers.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200325/2325c084/attachment.htm>

More information about the webkit-unassigned mailing list