Can deleting an account be that easy?
Please confirm I am not missing anything. I created a new 1Password account and started a trial, I also enabled 2FA. When I had to log in on the web to my 1Password account, I was able to choose recovery ---> got an email --> was able to delete the account without ANY authentication, i.e. I was not asked to provide a password, secret key or use 2FA.
Can it really be that easy? All it takes is access to my email inbox in order to delete my 1Password online account and everything in it?
Comments
-
Right, any other reputable cloud service requires some sort of authentication prior to accessing account settings or deleting the account. This is typically 2FA or a recovery key. Imagine Google or Apple allowing someone with access to your inbox to delete your account. Sorry, but this is a major issue for me and I'm not sure I can switch to 1Password.com. I recommend your security team reviews it and considers placing account deletion behind 2FA.
0 -
Hi @yaronfn. As you might imagine given how many customers we have, we pretty frequently hear from folks who have forgotten their Secret Key and/or Master Password and would like to delete their 1Password account, freeing up its associated email address to start anew. Therefore, we have to offer a method of safely deleting a 1Password account that does not require knowing the Master Password/Secret Key. We chose email authentication for a few reasons:
- Email accounts already have strong defenses, because they're the keys to almost all your online services (with that handy "forgot your password" button).
- 1Password users are easily able to keep their email accounts secure with a strong password and 2FA.
- Most users understand the flow of managing accounts by email, so the process is simple for those who need it to be.
Remember, there's no way to actually see the 1Password account data by email, only delete the account, and someone trying to delete your account maliciously (for what reason?) would have to manage to get your strong email account password and 2FA code to access your email account, as long as you set it up that way as recommended. Finally, in case your 1Password account is deleted by email, you can let us know and we'd be able to help from our end.
0 -
Thank you Henry, you are correct and I definitely see the logic behind these decisions.
0 -
On behalf of Henry, you are welcome! If you have any other questions, please feel free to reach out anytime.
Have a wonderful day :)
0 -
As a matter of fact, I do :)
So I signed up for new membership and after a few attempts, was able to migrate the content from my 6.8 to 7 and iCloud to 1Password.ca account. Both my iMac and iPhone seem to be working fine. However:
1. How do I delete the old vault from iCloud?
2. I have 1Password 6.8 on my work MacBook Pro, however, it's only synching to a separate vault synched to Dropbox. I would like to keep it that way if possible, is that possible? Can I upgrade it to V.7? How do I add that Dropbox synched vault to my iMac running V.7 and using 1Password account?
0 -
@yaronfn - at this point, rather than get further into the nitty-gritty of your specific setup and details here in this public forum, please shoot us an email at support+forum@1password.com and we'll go through it with you in private. You'll receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here so we can track down your email and ensure that this issue is dealt with quickly. :)
0 -
1Password users are easily able to keep their email accounts secure with a strong password and 2FA.
Doesn’t that result in a Catch-22 for people that forget their password and secret key?
0 -
Of course, if you forget your Master Password and Secret Key (all of your login credentials), you won't be able to access your 1Password account at all, unless you have recovery mechanisms in place in your account. It is of fundamental importance that you keep your 1Password account credentials safe and you never forget them (the Emergency Kit can help you with this).
But in your specific example, email accounts typically offer recovery mechanisms through their forgot password procedure.
0 -
But in your specific example, email accounts typically offer recovery mechanisms through their forgot password procedure.
Thanks for mentioning this. I never thought about this weakest link in the 1Password security.
Luckily my email provider has a relatively safe procedure for that.
0 -
I don't think it's a weakest link in the 1Password security, because access to an email address does not mean access to 1Password data. All you could do is delete the account, and for what reason? But even in that case, as Henry wrote:
Finally, in case your 1Password account is deleted by email, you can let us know and we'd be able to help from our end.
Also, often, in order to recover your email account, you receive an email at another email account you control. Someone would need access to both of them in order to do something.
0