Are QR codes for new client setup one time use or can they get reused by an attacker if found?

I set up 1P on a workstation without a webcam using a QR Code that I screenshotted on my phone and emailed to the workstation (and deleted it afterwards, but can you really trust it's not stuck in some cache somewhere?). Is this a security risk? Can an attacker find this QR code and reuse it? Or does 1P do the right thing and make them one use? Took a quick look in the white paper but didn't find anything.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Are QR codes for new client setup one time use?


  • edited January 8

    The QR code contains your secret key. The idea of using a QR code is that it keeps this local and out of the hands of a remote attacker. If the new device doesn't have a camera then I would always type the secret key.
    1Password don't know your secret key, so they can't generate one time use QR codes which are exchanged for the secret key. The secret key has to be embedded in the QR code by the local client.
    You can regenerate your secret key under My Profile. Remember to re-save your Emergency Kit and update your 1Password Account login entry in your Private vault with the new secret key.

  • Lars Junior Member

    Team Member

    Welcome to the forum, @grigore! missingbits is correct - the Setup Codes are not single-use because they contain the same data:

    1. The sign-in address (usually, but may vary if it is a Business account or older Families account)
    2. The email address you used to register for the account
    3. Your Secret Key

    This is intentional, as it's what's required to sign into any 1Password account for the first time (except for the Master Password, which is not stored anywhere except (hopefully) your head). That's why every sign-up process asks you if you'd like to manually enter details, or use the Setup Code: because we realize some people will prefer the convenience of the code, while others will opt for manual entry. Most of the time, there's little-to-no additional risk to using the Setup Code because the new device has a camera that can scan the code.

    But in the case of emailing the Setup Code to yourself, it's somewhat different. In terms of the security risk, I would still consider it a judgment call, one that depends on your own perceived threat model as well as your risk tolerance. As you say, it is certainly possible that there is "some cache somewhere" that contains this code, and which -- if discovered and its use discovered by an attacker -- could then be used to put that attacker in a better position to attempt to decrypt your data, as they would need only your Master Password. But remember, this is no different than the situation that already exists on your own devices. If you lose a phone, say, or have one stolen, it is your Master Password which protects your 1Password data on that device, since the Secret Key is stored locally.

    The major difference between the lost/stolen scenario I just described and having a bad actor get hold of that Setup Code is that it would apply to the data on our server as well, not just your local device(s). The Secret Key was created to strengthen users' Master Passwords using a secret that never left users' own local device(s). Emailing it to yourself does violate that. If you would prefer to be sure, you can regenerate your Secret Key, which would solve that problem. But then you'd have to re-sign in from every device on which you use 1Password, because the Secret Key would be different. If you take the time/trouble to go that route, I'd obviously suggest manually typing the Secret Key by reading it off your phone (or a printout, etc), rather than emailing anything, else you'll just be back in the same situation again. Hope that helps! :)
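The two answers above turn on one design point: the Secret Key is a second secret that is combined with the Master Password, so whoever holds a Setup Code still needs the Master Password, and regenerating the Secret Key invalidates any copy of the old one. The Python below is an added illustration of that two-secret derivation written for this thread; it is not 1Password's own code and not their actual key-derivation algorithm (the HKDF/PBKDF2 parameters, the XOR combination and the Secret Key format are all assumptions chosen for demonstration).

```python
import hashlib
import hmac
import secrets

# Constructed illustration of a "two-secret" key derivation, in the spirit of
# combining a Master Password with a locally generated Secret Key. This is NOT
# 1Password's algorithm; all parameters below are assumptions for demonstration.

PBKDF2_ITERATIONS = 10_000  # assumed; real products use far higher counts
KEY_LEN = 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_secret_key() -> str:
    """Create a random, human-typeable secret on the local device.
    The grouped base32-style format is an assumption, not the real one."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    raw = "".join(secrets.choice(alphabet) for _ in range(26))
    return "-".join(raw[i:i + 6] for i in range(0, len(raw), 6))


def derive_account_key(master_password: str, secret_key: str, email: str) -> bytes:
    """Combine a password-derived key with a Secret-Key-derived key.

    Each half is derived independently and then XORed, so the result is wrong
    unless BOTH secrets are correct: a stolen Setup Code (Secret Key + email)
    still leaves the Master Password to be guessed, and a guessed password
    without the Secret Key yields nothing usable.
    """
    normalised_email = email.strip().lower().encode()
    pw_salt = hkdf_sha256(normalised_email, b"constructed-salt", b"password-salt")
    pw_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), pw_salt, PBKDF2_ITERATIONS, KEY_LEN
    )
    sk_key = hkdf_sha256(secret_key.replace("-", "").encode(), normalised_email, b"secret-key")
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def rotate_secret_key(master_password: str, email: str):
    """Model 'regenerate your Secret Key': returns (new_secret_key, new_account_key).
    Any Setup Code carrying the old Secret Key no longer produces this key."""
    new_sk = generate_secret_key()
    return new_sk, derive_account_key(master_password, new_sk, email)


def key_matches(candidate: bytes, expected: bytes) -> bool:
    """Constant-time comparison for derived keys."""
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    email = "user@example.test"  # constructed
    sk = generate_secret_key()
    account_key = derive_account_key("correct horse battery staple", sk, email)
    # Same inputs always give the same key (which is why a Setup Code is reusable).
    print(key_matches(derive_account_key("correct horse battery staple", sk, email), account_key))
    # After rotation the old Secret Key (and any emailed copy of it) is useless.
    new_sk, new_key = rotate_secret_key("correct horse battery staple", email)
    print(key_matches(account_key, new_key))
```

The derivation is deterministic, which is exactly why a Setup Code cannot be single-use: it carries static inputs, not a one-time token. Rotation changes one of those inputs, which is the remedy both answers describe.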
