Puzzled by (location of) Secret Key
I am trying to understand where the Secret Key is kept. According to the support pages (https://support.1password.com/secret-key-security/) "our Secret Key was created on your own device. We have no record of your Secret Key and can’t recover it."
On the other hand, it seems possible to generate an Emergency Kit containing the Secret Key by logging in on the 1password server.
How is it possible to generate the Emergency Kit with the Secret Key if no record of the Secret Key is kept?
Or have I misunderstood something?
Regards
Frank
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
Hi @fdebruin
While 1Password.com may look like a traditional website it doesn't work like a traditional website. We've tried to bring some level of clarity about this by referring to it as a 'web application' instead of a website. The servers that serve your web browser the 1Password.com web app do not have and never receive your Secret Key. The real simplified version of what happens is that your browser downloads the web app and runs it locally on your computer. The Secret Key is stored in your browser's local storage (sort of like a 'cookie', except cookies usually are transmitted to a server). Likewise the Emergency Kit is generated by the web app (running on your computer, not on the server) using data on your computer (not on the server).
So there is a record of the Secret Key... it is kept in every web browser and 1Password app that you sign in using. It may also be kept in iCloud Keychain if so configured. But it isn't kept on our servers.
Does that help make sense of it?
Ben
Hello Ben,
Ok, I understand the concept of an application-within-a-browser and the use of local browser storage. But in this case, there must be some mechanism to prevent other web applications from accessing that part of the local storage. How is that arranged for?
Regards,
Frank
The intention of the Secret Key is not for it to be secret within your device. If it were encrypted then your browser wouldn't be able to read it. The "Locally exposed Secret Keys" section (pg. 57) of our security design white paper talks about this:
1Password Security Design White Paper
Recall that the Secret Key is designed so that an attacker will not be in a position to launch an offline password guessing attack if she captures data from the server alone. It does succeed at that goal, but in the current version, our ability to protect the Secret Key on your computer is limited by the tools available to that particular client.
Ben
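As an added illustration of the point Ben quotes above (that capturing data from the server alone should not put an attacker in a position to run an offline password-guessing attack), here is a small simulation. This is not code from 1Password or from this thread: the key derivation is a deliberately simplified stand-in (PBKDF2 plus an HMAC step), not 1Password's real 2SKD scheme, and the wordlist, salt and Secret Key are constructed for the demo. The third case also shows Ben's later point that the Secret Key is not secret on the device itself, so a device compromise changes the picture.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data for the illustration (not real user data).
WORDLIST = ["password", "letmein", "correcthorse", "hunter2", "qwerty"]
ITERATIONS = 10_000  # kept low so the demo runs quickly; real clients use far more


def derive_key(password: str, secret_key: Optional[bytes], salt: bytes) -> bytes:
    """Derive the account key from the password, optionally mixing in the Secret Key.

    Simplified stand-in (an assumption of this example, not 1Password's 2SKD):
    the password is stretched with PBKDF2, then, if present, the high-entropy
    Secret Key is mixed in with HMAC. The Secret Key exists only on the client.
    """
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32
    )
    if secret_key is None:
        return stretched
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def make_server_record(password: str, secret_key: Optional[bytes], salt: bytes) -> dict:
    """What the server ends up holding: the salt and a verifier derived from the key.

    Neither the password nor the Secret Key is ever sent to the server.
    """
    key = derive_key(password, secret_key, salt)
    verifier = hashlib.sha256(b"verifier|" + key).digest()
    return {"salt": salt, "verifier": verifier}


def offline_guess(record: dict, wordlist, stolen_secret_key: Optional[bytes] = None) -> Optional[str]:
    """Attacker holding a copy of the server record tries candidate passwords.

    Returns the recovered password, or None if no candidate reproduces the verifier.
    Without the Secret Key every guess misses, because the attacker must also
    guess 128 bits of client-side secret that the server never stored.
    """
    for candidate in wordlist:
        key = derive_key(candidate, stolen_secret_key, record["salt"])
        guess_verifier = hashlib.sha256(b"verifier|" + key).digest()
        if hmac.compare_digest(guess_verifier, record["verifier"]):
            return candidate
    return None


def new_secret_key() -> bytes:
    """Generated on the user's own device; 128 bits of entropy, never recorded by the server."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    salt = b"constructed-demo-salt"
    password = "hunter2"  # constructed weak password that appears in the wordlist

    weak = make_server_record(password, None, salt)
    print("server dump, no Secret Key:", offline_guess(weak, WORDLIST))

    sk = new_secret_key()
    strong = make_server_record(password, sk, salt)
    print("server dump, with Secret Key:", offline_guess(strong, WORDLIST))
    print("server dump + Secret Key taken from device:", offline_guess(strong, WORDLIST, sk))
```

The first run recovers the weak password from the server record alone; the second fails even though the password is in the wordlist, because the Secret Key adds entropy the server-side data does not contain; the third succeeds because the attacker also obtained the Secret Key from the device, which is why the white paper treats protection of the locally stored Secret Key as a separate, client-dependent problem.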
I will have a close read of that White Paper.
Thanks,
Frank
Great. :) Please let us know if you have further questions.
Ben