Account recovery worries

Community Member

I read the whitepaper and am surprised how simple the account recovery is implemented. I see two problems:
1.) If the person whose data is lost also has no access to her email account anymore the recovery does not work,
2.) a "family organizer" just needs access to a member's email account to recover all data.

I am sure 1password is aware of Shamir's Secret Sharing which would make account recovery much better IMHO. My question is: are there any efforts in that direction? Are there downsides I don't see?

In my ideal scenario, every user could individually decide how many of the members chosen by her would have to collude to restore her account. This could also be changed at any time. The client would just have to get the public keys of the chosen family members and store each member's share encrypted with it's public key on the server and delete the old set.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • Hi @tschaboo

    Thanks for taking the time to read the whitepaper! Yes, you're correct, both of those items are limitations of the current implementation. Our security team has looked at Shamir's work to see if / where it might fit in. One possibility we've discussed is the case where the last / only member of the recovery group is incapacitated. As far as I'm aware there aren't any definite plans at this point, but the discussion is ongoing.

    As for if there may be any downsides to Shamir's Secret Sharing... I don't have any official comment here, but I did find this article that may be of interest:

    Shamir's Secret Sharing Shortcomings

    As with most any system, there are likely to be trade-offs. As I say though, we haven't ruled it out.


  • BBBB
    Community Member

    I agree with @tschaboo, something feels missing in account recovery security.
    I feel like it should be up to the end user to decide (in advance) if they want to have more personal data security or easier recovery options.
    Adding a recovery email option, or other backup communication channel.
    Allowing each user to create a emergency recovery code. In a recovery they would need their new emailed secret key AND their emergency recovery code. Maybe that is something static and stored offline, maybe that is a authenticatior app or hardware token.
    Allowing users to decide (in advance) what will happen if the family organizer decides to delete their account.

  • Thanks, @BBBB. :)


This discussion has been closed.