Recovering account - Phone Option
Hi,
I'm evaluating 1Password vs LastPass and can't figure out the account recovery option.
LastPass has a feature where you can recover your account via SMS passcode they send to your phone.
However I don't see how you can recover with 1Password the same way.
It seems you need a recovery kit saved somewhere (probably put in your safe at home), but this prevents remote recovery such as recovering while travelling abroad.
Am I missing something?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
No you are not. 1Password/AgileBits has zero ability to access your vault. LastPass offering this is gating an encrypted vault key behind authentication, not encryption.
When you create a LastPass account, your device generates a random key, which is then used to encrypt a copy of your vault encryption key. That copy of your key is then stored on LastPass's server. Upon initiating the reset, LastPass sends the encrypted copy of your vault key to your device, which then uses the device key to decrypt the vault key.
It is unlikely that something like this would ever be implemented by AgileBits, however, as it turns access to the vault from a cryptographic promise into an identity verification promise. A suitably motivated and supported attacker could either compromise LastPass and steal the encrypted vault encryption keys and then use those on a target's device to gain access to the vault, or attack it from the other end by using the target's device to recover, potentially using SS7 attacks to redirect the SMS recovery.
In short, an advanced threat actor could break LastPass security because the gate that separates the key to the vault key and the vault key is now no longer encryption, but authentication. There is no possible way to do this kind of attack with 1Password, since everything is backed by encryption, not authentication.
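To make the distinction in the comment above concrete, here is an added simplified model of the SMS-gated key-wrapping flow it describes; it is illustrative code written for this thread, not LastPass's or 1Password's implementation. The device key wraps the vault key, the server stores only the wrapped copy, and release of that copy is gated by nothing but an OTP check. A one-time XOR stands in for the real wrapping cipher, and all names (`RecoveryServer`, `enroll`, `recover_on_device`) are invented.

```python
import hmac
import secrets
from dataclasses import dataclass, field


def wrap_key(vault_key: bytes, device_key: bytes) -> bytes:
    """Wrap (or unwrap) a vault key with an equally long random device key."""
    # A one-time XOR stands in for the real key-wrapping cipher: with a fresh
    # random device key, the wrapped blob alone reveals nothing about the key.
    if len(vault_key) != len(device_key):
        raise ValueError("keys must be the same length")
    return bytes(a ^ b for a, b in zip(vault_key, device_key))


@dataclass
class RecoveryServer:
    """Server side of an SMS-gated recovery scheme (hypothetical model)."""
    wrapped: dict = field(default_factory=dict)  # user -> wrapped vault key
    otps: dict = field(default_factory=dict)     # user -> pending SMS code

    def store_wrapped_key(self, user: str, blob: bytes) -> None:
        self.wrapped[user] = blob

    def send_sms_otp(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # would be delivered by SMS
        self.otps[user] = code
        return code

    def recover(self, user: str, code: str) -> bytes:
        # This check is the whole gate: a matching code releases the blob.
        if not hmac.compare_digest(self.otps.pop(user, ""), code):
            raise PermissionError("OTP mismatch")
        return self.wrapped[user]


def enroll(server: RecoveryServer, user: str) -> tuple:
    """Device side of enrolment: generate keys, upload only the wrapped copy."""
    vault_key = secrets.token_bytes(32)
    device_key = secrets.token_bytes(32)  # never leaves the device
    server.store_wrapped_key(user, wrap_key(vault_key, device_key))
    return vault_key, device_key


def recover_on_device(server: RecoveryServer, user: str,
                      device_key: bytes, code: str) -> bytes:
    """Device side of recovery: pass the OTP gate, then unwrap locally."""
    return wrap_key(server.recover(user, code), device_key)
```

Note that nothing in `RecoveryServer` can turn its stored blob into the vault key by itself; what it can do is hand the blob to whoever passes the OTP check, which is exactly the authentication gate the comment contrasts with 1Password's encryption-only model.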