Mitchell Cohen

Product Lead, 1Password

Mitchell is Product Lead at 1Password, where he specializes in delivering usable security in the browser and on the desktop. Before he joined the dark side and became a software developer, Mitchell followed a circuitous path through technical writing, journalism, and liberal arts. His interests span operating systems, UX, linguistics, and the history of science and technology. Mitchell lives in a tiny Toronto apartment with his partner and cat. He will make you a great cup of coffee if you ask.


Discussion: Application security

This is a Q&A session.


Q&A and discussion for the malware block, hosted and moderated by Laurent Desaulniers. Questions will be gathered from the audience during the four prior talks.

Talk: How to harden your Electron app


Let’s be honest — when you decided to build an Electron app, it wasn’t because of the framework’s stellar reputation for security. Like so many developers before you, you weighed your options and made a practical choice. But now you have to make the best of it and protect your users and their data. Hardening your Electron app is not straightforward, but it is also not impossible. Through a combination of threat modelling, careful separation of concerns, and simply reading the docs, you can achieve the security goals for your app. This talk is about how we built a secure password manager in a framework that’s infamous for being insecure. We’ll look at the security model of our Electron-based frontend for 1Password, the pitfalls we encountered along the way, and how you can apply what we’ve learned to your own projects. We’ll also reveal our hardened Electron starter kit and invite you to see how it works — and try to break it.

Electron and web apps may never be the first choice for security-conscious developers, but they are an industry reality. We recently faced this dilemma at 1Password when we set out to build the new Linux desktop client for our flagship password manager.

Compromising on security was not an option. At the same time, building a web app was the only practical option. Undeterred, we set out to harden Electron to meet our unique client-side requirements.

I am not going to pretend we made it all the way — no software framework ever will. But we did end up with an app we are proud to call 1Password, and to entrust with our users’ most sensitive data.

I hope to share what we learned so that others in a similar situation will have an easier time. At the same time, I invite the community to see what we’ve built and look at what we’ve gotten right — or wrong.