Android backup security?

ArbitraryConstant
Community Member

Hello,

I was confused to see my previously set up account appear without any need to enter the secret key, so I did some searching and found the following thread.

https://discussions.agilebits.com/discussion/80286/can-someone-explain-how-saved-accounts-work-on-android

This seems to suggest that the secret key is backed up to Google with, in effect, the security of the Google account rather than the secret key. While I understand the benefit to inexperienced users not experiencing data loss and I understand these are the very users that can't be asked to opt in, this seems like it substantially weakens the security of more advanced users with a different threat model. The latter do not (AFAICT) have any way to opt out of the backup behavior other than disabling backups altogether, and since the behavior is poorly documented these users aren't in a position to take mitigation steps. If there were, for example, a toggle in the settings, it would at least be discoverable, but AFAICT the only way to discover this behavior is to infer something is going on from the behavior of not having to enter the key.

If true, that would be very disappointing. Is it possible to at least make the behavior opt-out? This seems like a pretty serious weakness, especially for people that may face targeted attacks. It seems fine for 1Password to optimize for the common use case, but if security has been degraded from what's being advertised (and it's still being advertised) then that reduces the value being added over simply using built-in Chrome password management or one of the other password management options.

In other cases, for example, Mac/Windows hard drive encryption, it's possible to select different recovery key options depending on the threat model. It seems like something similar should be explored here.



Comments

  • AGKyle
    1Password Alumni

    Hi @ArbitraryConstant,

    Can you explain where you believe this weakens your security?

    The point of the secret key is often confused by users, so for the sake of trying to be complete I'll explain where our thinking is on this. You're correct that this is for people who are likely to forget, lose, or otherwise misplace their Secret Key, though.

    When we set out designing our 1Password service we knew from years of prior experience with 1Password that users, despite our insistence and caution against using weak Master Passwords, would inevitably use weak Master Passwords. Our worry was that we'd have user data on hand and if our users used weak Master Passwords they'd be at great risk if our servers were ever compromised.

    We needed a way to strengthen the data stored on our server such that if our servers were compromised the attacker couldn't easily brute force those accounts with weak Master Passwords. This is where the Secret Key comes in: its entire purpose is to prevent cracking attempts against data stored on our servers, to make it incredibly costly.

    There's very little other reason than that.

    With this in mind, it doesn't really matter as much where you store your Secret Key so long as it isn't in the same place as our server data or publicly accessible (like on an open web server or file sharing service that other people could easily stumble across).

    You should absolutely be using a strong Master Password as well. In the event that someone does acquire your Secret Key, your Master Password is what protects your data. If you do this then someone who gains access to your Secret Key is really not going to have much luck in gaining access to your account. And your Master Password is not stored with your Secret Key so they would have to acquire both of these separately.

    I hope that gives some insight, but we say it's a Secret Key to try to prevent people from giving it away without any thought in the world, but the real point of it is to be secret from us primarily, and from others secondarily.

This discussion has been closed.
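
Added example (not part of the original thread, and not 1Password's actual key derivation): a simplified Python model of the trade-off discussed above, comparing a server-side record derived from the Master Password alone with one that also mixes in a device-held Secret Key. The HMAC combining step, the function names, the low iteration count and the wordlist are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

ITERATIONS = 1_000  # assumption: kept low so the demo runs quickly

def derive_key(password: str, salt: bytes, secret_key: Optional[bytes] = None) -> bytes:
    """Stretch the password; if a Secret Key is supplied, mix it in."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if secret_key is None:
        return stretched
    # Simplified combination (assumption): HMAC the stretched password under the key.
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()

def guess_password(record: bytes, salt: bytes, wordlist: List[str],
                   secret_key: Optional[bytes] = None) -> Optional[str]:
    """Offline check of candidate passwords against a copied server-side record."""
    for candidate in wordlist:
        if hmac.compare_digest(derive_key(candidate, salt, secret_key), record):
            return candidate
    return None

def scenarios() -> dict:
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(16)  # 128-bit value held on the device only
    wordlist = ["123456", "password", "letmein", "qwerty"]  # constructed sample
    weak, strong = "letmein", secrets.token_urlsafe(24)

    password_only = derive_key(weak, salt)           # no Secret Key in the design
    weak_record = derive_key(weak, salt, secret_key)
    strong_record = derive_key(strong, salt, secret_key)
    return {
        # Server data copied, design without a Secret Key: weak password falls.
        "password_only_record": guess_password(password_only, salt, wordlist),
        # Server data copied, Secret Key stayed on the device: guessing fails.
        "server_breach_only": guess_password(weak_record, salt, wordlist),
        # Server data plus Secret Key (e.g. from a device backup): only the
        # Master Password is left, so its strength decides the outcome.
        "key_leaked_weak_password": guess_password(weak_record, salt, wordlist, secret_key),
        "key_leaked_strong_password": guess_password(strong_record, salt, wordlist, secret_key),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {'recovered ' + result if result else 'not recovered'}")
```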