1Password Secret Keys

We are working with some new clients and we would like to position 1Password, but we have found that the security model quickly becomes unmanageable for businesses with non-technical people. Keeping track of two-factor tokens and rotating passwords is, by itself, a bit of a challenge for most. Compounding it with a secret key that employees have to store safely somewhere implies that those employees have a safe area to store and secure sensitive papers. This model really limits the usefulness of this product to individuals and technically-apt teams.

How do you recommend working with clients in situations like this?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Teams

Comments

  • Ben AWS Team

    Team Member

    Hi @wavesound

    1Password greatly decreases the overall cognitive load of remembering and securely storing credentials because you only have one set of credentials you have to keep track of: the ones for 1Password. This is vastly better than having to remember passwords for each system that requires one. The Secret Key is only needed infrequently: when signing in from a new device. It is stored in the 1Password application after entering it once, and can be retrieved from there. So while it is ideal to have it printed and stored in a physically safe location this is not absolutely mandatory. It is even less critical particularly in large organizations that should have multiple people that can assist with recovery (if the Secret Key is needed and unavailable for some reason).

    Really all that you have to remember is your email address and Master Password. As such I'm not sure I understand the question? Could you elaborate? Where/when are people running into trouble? Is it when adding 1Password to new devices?

    Please let me know.

    Ben

  • Hi @Ben

    You don't have to sell me on the use-case of a password manager. My concern is more about the administrative overhead with managing random Secret Keys for users.

    "Really all that you have to remember is your email address and Master Password."

    We're not really running into issues with technically-savvy users, but rather with SMBs that tend to outsource IT. These users do not keep track of their secret keys, meaning that if their work laptop crashes, etc., we have to reset the key. For SMBs this is a headache that users themselves cannot address without help from IT. With competing products, a trip to the store for a new device and an app install is all that is required. However, with 1Password for business, you actually need to keep track of...two passwords, and managing those secret keys as an administrator would be an unacceptable hassle for my clients. I was wondering if you had any suggestions there.

  • brenty

    Team Member

    @wavesound: That helps a bit, but I think we may still not be on the same page here. I'm not sure how you're proposing 1Password could help with people losing their account credentials. We simply can't have them. As you mentioned, in a team/business setting, an admin can help the user go through account recovery. I guess, from experience using account recovery, I'm not sure how it's a hassle. I mean, I guess it is compared to not having to do recovery...but the only solution to that problem is users not locking themselves out of their accounts in the first place. And we're not in a position to prevent that. :blush:

  • @brenty,

    Understood, however, when the account recovery process is completed, you need to go and re-enter the new account key on all of their devices. Some of those devices are not immediately accessible.

  • ag_ana

    Team Member

    @wavesound: that's correct, but it's not mandatory to reauthenticate immediately on every device. If some of those devices are not immediately accessible, the user can update the login credentials on the devices they have already, and update them on the other devices at a later time. Hopefully recovery will also not be required that often :)

  • brenty

    Team Member

    @wavesound: You're correct that you'd need to reauthenticate in order to sync any new changes, but any app where you've already signed in will already have the data locally and is quite usable, even without a connection. Again, you'd just need to sign in to be able to connect going forward.

  • Right, but I think you're missing the point that we'd have to have them drag all of their devices in to get reset. It sounds like what we find to be an excessive burden for our customers is an acceptable tradeoff.

    We will have to recommend another product for this affected client since they will not accept this approach, since it's too "geeky" as far as they are concerned.

  • brenty

    Team Member
    edited July 2019

    we'd have to have them drag all of their devices in to get reset

    @wavesound: Why? If they're not using them anyway (at home?), it doesn't matter. To be clear, the account recovery process isn't done per-device; it's done for the account.

    We will have to recommend another product for this affected client since they will not accept this approach, since it's too "geeky" as far as they are concerned.

    That's entirely up to you of course, but I do think you're missing the point with the Secret Key. I'd encourage you to see my comments here, and let's keep the conversation going in one place as opposed to all over, as that can cause confusion and slows down response time for everyone -- including you. Thanks!

  • @brenty,

    I'm keeping the conversation separate since I'm exploring two challenges we are facing with the Secret Key model.

    I'm familiar with the account recovery model because I just tested it on my own 1Password.com account, and all of my devices were immediately disconnected and I had to go to each one and re-enter the "Secret Key." That's the burden to which I am referring and I think you may not quite understand. Once they get home, they have to re-configure their devices as if they were signing into 1Password for the first time, and we have to walk them through that process for each device.

    As I said, I'm aware of the Secret Key and its benefits; however, we are finding that it works well for small technical teams, but otherwise it does not scale well beyond those environments into the hands of typical business consumers.

  • brenty

    Team Member

    Again, the 1Password apps can still be used without entering the Secret Key immediately everywhere. Believe me, I use recovery a lot, both in testing and with my family. :lol:

    I'm not really following you when you keep saying things like "it does not scale". If it's something you'd be willing to actually discuss in detail via email, as opposed to here in a public forum, I'd encourage you to reach out to [email protected] so we can get a better sense of what in particular you have in mind. :)

  • Ben AWS Team

    Team Member

    I think a reasonable solution to this problem for such clients would be to encourage their users to print their Emergency Kit and keep it in their filing cabinet at their desk or in their personnel file. I'd certainly be open to hearing ideas of how we could potentially improve this process, but getting rid of the Secret Key or somehow making it optional isn't going to be something we can entertain.

    Ben

  • kurtd Junior Member

    Long time 1password user here.... I have not liked the secret key requirement from day 1, and now that we use 1password in the office, it's even more annoying. If you search the community for secret key, you'll find 100s of posts from users who've lost their secret key. I should be able to turn off the secret key requirement in my account and use a regular 2 factor auth app instead. It's totally impractical to keep track of a secret key that can never be remembered.

  • Ben AWS Team

    Team Member
    edited November 2019

    Hi @kurtd,

    Thanks for taking the time to share your perspective on the Secret Key. To some extent the Secret Key serves a different purpose than 2FA. 2FA is there to help prevent someone from authenticating with the server through a replay attack. The Secret Key is designed to protect you in the event someone is able to gain access to your encrypted data. One of its functions is protecting you from us, which 2FA doesn't really do.

    What about my proposal above is impractical for your situation? We're interested in hearing where things break down, and how we might improve.

    Ben

  • kurtd Junior Member

    If you saw some of the user's desks here, you'd know printing them won't work for some. They have stacks of paper on their desks and in their filing cabinet. Things get misplaced and they often lose documents in their stack that they just printed a week ago. Saving it to the computer won't work because the computer may get lost or broken. Printing it won't work because it could get fire damaged or lost.

    I'd recommend putting it in a safe if you have one and saving it to a cloud storage account where you know the password because if you can't get in 1password and don't know your cloud storage password you'll be out of luck. I wish there were a better way because I don't like having to worry about where my secret key is so I won't get locked out of my own account. Plus every time I need to sign in to a new device, I have to find it which is annoying. My secret key changed at one point and I had to search around for the new key on the computer. After dealing with this for a while, I'm getting the hang of it. For business accounts, this seems unnecessary.

  • brenty

    Team Member

    I don't think anyone is suggesting "print it and throw it in a pile on your desk". That may be "security by obscurity" at its best (no sarcasm intended) if the pile is big enough. But what we're talking about is putting it somewhere safe where you can actually find it if you need it. A fire-proof safe is recommended. :tongue:

    But you make a fair point about business accounts: if you're only keeping work stuff there, and the company has a recovery plan in place, you shouldn't have to worry about it at all. It's our personal stuff that most of us are most concerned about losing.

  • wavesound
    edited November 2019

    @brenty,

    As you know, I'm not a fan of how the Secret Key works for most of our business and individual clients, and this is exactly why. People won't store or keep it, so adding a new device makes resetting the secret key a routine standard operating procedure where we have to update it on every device for the customer. In most office and enterprise environments we just tell clients to use LastPass. It's just much more straightforward from a recovery perspective in a way that customers can self-service. The LastPass UI stinks by comparison so I'd much rather recommend 1Password, but I also prefer fielding fewer support phone calls and limiting how much time my customers have to spend with us, because fixing IT issues is lost productivity.

    I like the added security of the Secret Key for myself and I think it is a distinctive and effective feature for protecting sensitive data. However, we have to, as best we can, adapt these tools to the way that our customers use technology. Otherwise, they won't use it and we're wasting money on an unused tool.

  • brenty

    Team Member

    @wavesound: Supporting 1Password users isn't your job; it's ours. If you're trying to handle "1Password support" inquiries yourself, you're doing you and whichever users you're attempting to assist a disservice by insulating us from actual problems our customers are having, and not getting them help from the people who actually work on 1Password day in and day out. That can definitely skew the feedback we see and therefore how we prioritize things we work on.

    That said, we're not going to change 1Password's security model. Sure, you can totally find other tools that don't use 2SKD, and are easier to deal with in some contexts as a result. But we'd all have a much bigger problem without the Secret Key if 1Password servers were breached, as then the attacker(s) could perform a brute force attack against users' Master Passwords, many of which will not be very strong, or could almost certainly be found in publicly available password databases. Is that what you want for your "clients"? Maybe you'd be okay with that because then you could just blame us. And maybe you'd be right to, if we listened to you in the first place. But we're not willing to put ourselves in a position where attackers can get to our customers' data through us, and most of our customers would not be okay with that either. I don't think it's reasonable for you to dictate others be in that position just because it suits you in some way (though I think you're being a bit short-sighted, in that it could come back to haunt you later on too).

    In the vast majority of cases, 1Password users have 1Password set up with their account in the app/browser on at least one device, and therefore will have access to the Secret Key there. That's kind of a silly thing to say, but certainly some people will have all their devices lost, stolen, or destroyed, forget their Master Password (though biometrics could allow them to access their data in most of the apps), etc.; but we're a security company and it would be foolish for us to lower the security for all users because some lock themselves out of their data. Would that help those who did get locked out? Sure. But it would also make it much easier for someone else to get access to 1Password users' data, whether the user could access it themselves or not. That's a hell of a compromise. This "Secret Key" discussion is essentially the same one we used to have all the time about the Master Password even before 1Password memberships existed: users would request that we offer an option for 1Password to never require the Master Password, because it is harder to remember and type it. But the whole reason 1Password exists is to protect data, so we're not going to throw out the things that make that possible.

    However, I do think there are things we can do to streamline users getting back "up and running" after having gone through recovery, and we'll continue to work on that. Recovery is as simple as it can be while still being secure though. And, frankly, given the security model which millions of 1Password users rely on, this is also the only way it can work.
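As an added illustration of the server-breach argument above (this is not 1Password's code or its exact algorithm): a simplified two-secret derivation in which a weak Master Password falls to an offline wordlist on its own, but not once a random 128-bit Secret Key that the server never holds is mixed into the unlock key. The salt, iteration count, verifier construction and wordlist are all constructed for the demo.

```python
"""
Simplified model of a two-secret key derivation (2SKD-style) scheme.
Assumptions (not 1Password's actual parameters): PBKDF2-HMAC-SHA256 over the
Master Password, an HMAC stretch of the Secret Key, and an XOR of the two halves.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo parameters: a real deployment uses a far higher iteration count.
PBKDF2_ITERATIONS = 10_000
SALT = b"constructed-demo-salt"                      # per-account salt the server stores
WORDLIST = ["123456", "qwerty", "letmein2019", "Summer2019!", "P@ssw0rd"]  # constructed


def password_only_key(master_password: str, salt: bytes) -> bytes:
    """Unlock key derived from the Master Password alone (the model brenty warns against)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=32
    )


def two_secret_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Unlock key that mixes a random Secret Key into the password-derived key.

    The Secret Key lives only on enrolled devices and the printed Emergency Kit,
    so a copy of the server-side data never contains it.
    """
    pw_part = password_only_key(master_password, salt)
    sk_part = hmac.new(salt, secret_key, hashlib.sha256).digest()  # stretch to 32 bytes
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(key: bytes) -> bytes:
    """Stand-in for a server-side value that lets a correct key be recognised.

    Together with the salt, this is what a breach hands to an attacker.
    """
    return hmac.new(key, b"verifier", hashlib.sha256).digest()


def offline_guess(wordlist, salt: bytes, verifier: bytes,
                  secret_key: Optional[bytes] = None) -> Optional[str]:
    """Offline guessing against stolen (salt, verifier); returns the password or None.

    secret_key=None models an attacker holding only the breached server data.
    """
    for candidate in wordlist:
        if secret_key is None:
            key = password_only_key(candidate, salt)
        else:
            key = two_secret_key(candidate, secret_key, salt)
        if hmac.compare_digest(make_verifier(key), verifier):
            return candidate
    return None


def secret_key_guess_years(bits: int = 128, guesses_per_second: float = 1e12) -> float:
    """Expected years to exhaust half the keyspace of a random `bits`-bit key."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def demo() -> dict:
    """A weak Master Password with and without a Secret Key, as seen after a breach."""
    weak_password = "letmein2019"            # constructed: present in the wordlist
    secret_key = secrets.token_bytes(16)     # 128 random bits, generated on the client

    # Deployment A: password only. The stolen verifier falls to the wordlist.
    verifier_a = make_verifier(password_only_key(weak_password, SALT))
    found_a = offline_guess(WORDLIST, SALT, verifier_a)

    # Deployment B: two secrets. Same weak password, same wordlist, no Secret Key.
    verifier_b = make_verifier(two_secret_key(weak_password, secret_key, SALT))
    found_b_without_key = offline_guess(WORDLIST, SALT, verifier_b)
    # Only someone who also obtained the Secret Key (device or Emergency Kit) gets in.
    found_b_with_key = offline_guess(WORDLIST, SALT, verifier_b, secret_key)

    return {
        "password_only_found": found_a,
        "two_secret_without_key": found_b_without_key,
        "two_secret_with_key": found_b_with_key,
        "years_to_guess_secret_key": secret_key_guess_years(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last line of the result is the flip side of the thread's complaint: the Secret Key is only useful because it is random and long, which is also why nobody can memorise it.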

  • kurtd Junior Member

    "we're a security company and it would be foolish for us to lower the security for all users because some lock themselves out of their data. "

    If it were optional, it wouldn't lower security for all users or come up with a better method. For example, why not let me type my own secret key that I have a chance to remember?

  • wavesound
    edited November 2019

    @brenty ,

    I know that we have discussed this at length before, but I feel like we may be talking past each other. I have mentioned previously that I am very familiar with the benefits of the Secret Key in your service architecture and the consequences of removing it. I think it is very valuable, important and somewhat unique to 1Password.

    However, if you ask just about any of us in this thread, I imagine that at the end of the day, we are not opposed to using the Secret Key. We are just asking for something better. A better way to manage Secret Keys, an integrated way to escrow them, whatever...I don't know, I'm not an expert in the area, I'm just a customer that wants something better for myself and my own customers.

    Please dismiss this idea that I have something against the use of Secret Keys or that I’m trying to suggest that AgileBits weakens the protections built into the service. I just want to improve the workflow and provide other options for customers so that we are not doing Secret Key gymnastics (keeping them in the soles of our feet, relying on phone calls to loved ones, etc.) if we lose our only device while traveling, etc.

    Your consistent, thorough and well-worded defense of the 1Password strategy misses the entire point of what I'm trying to convey... I get it, it's secure, but it causes some of us a lot of headaches. Can you please consider ways to make it both secure and better for us?

    Maybe you cannot, that's fine. I understand.

    @kurtd I have to disagree with you here. 1Password's reputation is dependent on the security and integrity of its service. If one customer's data is compromised because 1Password weakened their security model it would be a bad bad day for AgileBits.

    In our experience, security and convenience are inversely related, meaning that the more security we implement, the less convenient something is to use/access. So most vendors strive to strike a balance with effective security that keeps Oscar out of Alice and Bob's secret treasure chest. But Alice and Bob won't use that treasure chest if it's difficult to use. That's why we always try to find a sweet spot for Alice and Bob that leaves Oscar miserable.

  • brenty

    Team Member

    "we're a security company and it would be foolish for us to lower the security for all users because some lock themselves out of their data. "
    If it were optional, it wouldn't lower security for all users or come up with a better method. For example, why not let me type my own secret key that I have a chance to remember?

    @kurtd: That's the thing. The same could be said of nearly any other security measure: "Make it optional; if someone decides to make themselves less secure, that's on them". At a certain point though 1Password is no longer security software, but software that can optionally be used for security; and it's not only unreasonable for us to expect users to understand the implications of decisions like that which is being proposed we dump on them, it's professional negligence. There are plenty of other apps out there, and no one needs 1Password for "optional security". Some people keep their passwords in an encrypted Excel spreadsheet after all.

    wavesound makes a really good point about reputation too: if a 1Password users' data is compromised because they eschewed hypothetical optional security, that's on them in a sense, but the headlines will just say something along the lines of "1Password compromised". But the larger concern is that by enabling insecure behaviour in the first place we actually would be complicit. If people want to be insecure, there's an app for that, and it is not 1Password.

  • brenty

    Team Member

    I know that we have discussed this at length before, but I feel like we may be talking past each other. I have mentioned previously that I am very familiar with the benefits of the Secret Key in your service architecture and the consequences of removing it. I think it is very valuable, important and somewhat unique to 1Password. However, if you ask just about any of us in this thread, I imagine that at the end of the day, we are not opposed to using the Secret Key. We are just asking for something better. A better way to manage Secret Keys, an integrated way to escrow them, whatever...I don't know, I'm not an expert in the area, I'm just a customer that wants something better for myself and my own customers.

    @wavesound: I think that's a much better way to frame it: looking for a better way to manage the Secret Key. I don't think "escrow" is the answer, as it would be bad for us and for our customers to be in that position. But if we can find a way to keep the Secret Key and its security benefits and make it more user-friendly somehow, I think we can all get behind that. I'm just not sure what that could be.

    Please dismiss this idea that I have something against the use of Secret Keys or that I'm trying to suggest that AgileBits weakens the protections built into the service. I just want to improve the workflow and provide other options for customers so that we are not doing Secret Key gymnastics (keeping them in the soles of our feet, relying on phone calls to loved ones, etc.) if we lose our only device while traveling, etc. Your consistent, thorough and well-worded defense of the 1Password strategy misses the entire point of what I'm trying to convey... I get it, it's secure, but it causes some of us a lot of headaches. Can you please consider ways to make it both secure and better for us? Maybe you cannot, that's fine. I understand.

    I can. And I'm listening. What do you suggest? :) Did you have any thoughts on this?

    However, I do think there are things we can do to streamline users getting back "up and running" after having gone through recovery, and we'll continue to work on that.

    It sounds like recovery may be the biggest pain point you are encountering. I'd be interested to hear actual details of the difficulties you're seeing to discuss with the team, so feel free to shoot me an email at [email protected] with the info. It sounds like you may have many, and I think it would be better for us to evaluate in the context of real world examples rather than vague generalities, especially since our frame of reference will be real world examples from thousands of direct customer interactions, to put it all in context, if that makes sense.

  • kurtd Junior Member

    That's the thing. The same could be said of nearly any other security measure: "Make it optional; if someone decides to make themselves less secure, that's on them". At a certain point though 1Password is no longer security software, but software that can optionally be used for security; and it's not only unreasonable for us to expect users to understand the implications of decisions like that which is being proposed we dump on them, it's professional negligence. There are plenty of other apps out there, and no one needs 1Password for "optional security". Some people keep their passwords in an encrypted Excel spreadsheet after all.

    Your logic doesn't make sense. So why don't you make other security features required like 2FA etc.... and don't make anything optional.

    What about the suggestion to type in my own secret key? At least it would be a bit more helpful than a totally random key nobody can remember.

    So you're saying the other password managers out there that don't have this secret key requirement are negligent? I would say this issue is more negligent:

    1Password7: The current release of the software, in the security researcher's opinion, is "less secure" than the legacy version. Rather than only keeping one entry at a time in memory, this version of 1Password decrypted all individual passwords in a database upon testing, and also did not scrub individual passwords, the master password, or the secret key used to derive the encryption key when moving from the unlocked state to locked. "This renders the "lock" button ineffective; from the security standpoint, after unlocking and using 1Password7, the user must exit the software entirely in order to clear sensitive information from memory as locking should," the researchers added.

    https://www.zdnet.com/article/critical-vulnerabilities-uncovered-in-popular-password-managers/

    Anyway, I don't want to change the subject but I'm pretty much done talking about this issue. I hope there will be a better solution to the secret key in the future but it doesn't sound like it.

    Thanks

  • brenty

    Team Member

    @kurtd: The point of the Secret Key is that it's random. A Secret Key you make up yourself will not have that property or offer any substantial security benefit as a result. And it doesn't need to be remembered; it's available in the app/browser where you've already signed into your account. You'd necessarily need to have done that in order to use 1Password at all.

    Regarding the ISE paper, I'd encourage you to read this for more information:

    Managing 1Password secrets in memory

    If you have any questions not addressed there, don't hesitate to reach out via email at [email protected] so our security team can answer them. Cheers! :)

  • @brenty I did want to follow-up on your last reply related to customer support.

    @wavesound: Supporting 1Password users isn't your job; it's ours. If you're trying to handle "1Password support" inquiries yourself, you're doing you and whichever users you're attempting to assist a disservice by insulating us from actual problems our customers are having, and not getting them help from the people who actually work on 1Password day in and day out. That can definitely skew the feedback we see and therefore how we prioritize things we work on.

    I can see that you do not understand some of what are perhaps your most valuable customers and the consultants that they trust...

    In our business it is our responsibility to advocate and work on behalf of our clients. We support individuals, businesses and enterprises that require end-to-end system architecture and security work on a boutique and concierge basis. These are not technical people; they don't have time to get mired in technical issues and they expect us to open tickets, make support calls and take care of technical problems on their behalf. Will that affect your support analytics? You bet it will. I know it may sound cold, but they couldn't be bothered to talk to you or any other tech/software company for that matter. They regard these tools as the necessary burden of being secure 21st century online participants. They don't use your product because they want to use it or like it. They use it because we told them they needed it to secure their passwords and sensitive data from attackers. Think of these people as career professionals like doctors, lawyers, executives, public figures, creative professionals, private individuals, retirees. Even seeing their favorite tech consultants (us) on a routine basis has been characterized to us as like "going to the dentist." They just want us to help them develop good habits and procedures for using their technology so that they can focus on being productive in their daily lives. They have far more important things to do than worry about computers, phones and security. They have people for that, and we are those people that tell them what to do and help them with it. We put technology into terms and procedures that they can follow and understand. As nice and well-written as your website is, it might as well be written in Chamicuro.

    They don't wax philosophical about how things should be laid out, what improvements could be made, Secret Keys, etc. I have been passing along a lot of their feedback here on these forums. They frequently have pretty salty things to say about 1Password and, quite frankly, software in general.

    If my non-technical Mom or Dad has a problem with 1Password, what are they going to do...

    Create an account on this forum or open a support case on your website?

    No... They're going to call their techie son. I'm going to pick up the phone and hand-hold them through the process of figuring out why something isn't auto-filling in their browser. No support ticket, no forum thread, problem solved.

    I don't say this to put down or belittle you or your company. But most of our clients don't see or use these tools the way that you or others might and will interact with you in the ways that you might want. They are required to use technology as we all are in their daily lives and are entitled to do so using the best tools available. When these tools get in the way of their productivity, we hear those complaints first. We summarize what is relevant and we try to pass along what we think is significant to you via these discussion forums. We're happy to help you beyond this forum participation if you think you're missing out on some useful metadata in your Support system.

    We like 1Password since it provides the best GUI and management tools at the moment for most of our individual and family clients.

    However, if you don't think that a significant and valuable portion of your user population use trusted technology consultants as their first point of contact because they have more important things to do than open support cases, you don't really know many of your customers as well as you think that you might.

  • brenty

    Team Member
    edited November 2019

    Thanks for sharing your perspective. My point is simply that it would be unwise for us to backtrack on a solid security model on the word of one anonymous person on the internet. It seems that you think this is about analytics or something, but what I really care about is making 1Password better for everyone who uses it. I get what you're saying, but you filtering what you deem "relevant" isn't going to get 1Password where all of us need it to go. The actual feedback of all of our customers, positive and negative, is invaluable. So again, if you would be willing to discuss specifics, please reach out to [email protected] with the details so we can have that conversation -- and of course any of our customers can contact us directly via email as well with any comments, questions, or requests. We care about all of our customers and want to make 1Password better for them, not just the "most valuable" ones. :)

This discussion has been closed.