PGP Email Support

MONKi1P
edited February 10 in Memberships

Can emails received from 1Password be PGP encrypted?


Comments

  • ag_ana

    Team Member

    Hi @MONKi1P!

    Can you please elaborate? What emails are you referring to? Emails when you write to our support, 1Password automatic emails, or something else?

  • I was mostly thinking of the automated stuff especially with a separate account to keep it all anonymous.

  • ag_ana

    Team Member

    Thank you for the clarification @MONKi1P :+1: At the moment this is not possible I am afraid. We don't include sensitive information in automatic email messages already, but I see how it could be useful to you to encrypt this information too.

  • I'm thinking of changing the email address associated with my 1Password to keep it somewhat separate from my primary email address. Not the same as getting encrypted emails but it does separate things a bit, plus with 2 family organizers it makes it a bit harder to get access to the other email in case someone gets a hold of the other organizer's account. Any best practices around this or forum discussions where others have discussed this that you know of @ag_ana ?

  • ag_ana

    Team Member

    @MONKi1P:

    I am not aware of any best practices or discussions, but I know that many people use email aliases too, in case you don't want to use a completely separate email address.

    Not the same as getting encrypted emails but it does separate things a bit, plus with 2 family organizers it makes it a bit harder to get access to the other email in case someone gets a hold of the other organizer's account.

    Regardless of what method you use, or what email you choose to use, in case someone manages to access the other organizer's account they will have power to do everything on that account. A separate email would not help that much in this specific scenario you mentioned.

  • It can certainly help your privacy and security to have a unique email address for your password manager. However, for you to receive alerts in a timely manner, the messages should come to an inbox you check regularly. So either use an alias for an existing inbox or forward messages to an existing inbox which you check regularly. And make sure none of the email accounts involved can have their password reset by SMS text.

  • @missingbits Right, right, SMS reset is the scourge of the Earth! It’s off everywhere I can turn it off. Some silly accounts do allow it though.

    Right now I am thinking of using Google's Advanced Protection with Yubikey login as the 2FA as a requirement, not be logged in actively anywhere with it, and have those emails forwarded to my otherwise primary email. This way even if the other organizer's account is compromised, I don't have to worry because the person does not have access to the Yubikeys as the real co-organizer would have.

    I guess I could use ProtonMail or Tutanota but I am wondering if those smaller teams can provide better security than Google and the other issue is longevity of course. I'd love some thoughts on that from you guys to weigh the benefits and drawbacks as best as possible.

  • Security is only as strong as the weakest link. Does the other family organiser have access to your primary email account? If so and their account were compromised, wouldn't the attacker be able to recover your account using the emails forwarded to that inbox? I would focus on securing the inbox you're checking regularly.
    I have had bad experiences of forwarded emails failing SPF/DKIM checks and ending up in spam or even bounced/deleted. This is probably less of risk when forwarding from one Google account to another, but I'm not sure I'd rely on it between mail providers. An alias is a better way to go in terms of email delivery. Does your existing mail provider offer aliases?
    ProtonMail's security comes from the encryption. They can deliver mail to your inbox using your public key, but only you have the private key required to open the emails in your inbox. Like 1Password they use Secure Remote Password to avoid sending your credentials over the internet. So they are more private than Google and, even though they don't support YubiKeys, they are probably more secure. They may not be around forever, but you can always change your email address later.

  • Lars Junior Member

    Team Member

    Hey @MONKi1P - Lars from the Security team here. Just wanted to let you know that we do accept encrypted emails for support issues. You can find instructions for using GPG and importing our public key for support right here. There's really no easy way to do that for automated email sent via the 1password.com server back-end, however. We would need every user's public keys, and most people don't even know what PGP/GPG is, let alone use it. The potential for missed messages (expired or incorrect keys, etc) - potentially very important messages that might be time-sensitive, such as new sign-in messages - would far outweigh the number of times we managed to get an encrypted message using the proper key for the recipient through to the right person. But if you find yourself in a position to send an email to [email protected], you can indeed utilize GPG. :)

  • MONKi1P
    edited February 12

    Thanks for sharing about the GPG support email option @Lars

    How does an alias help @missingbits ? If I use my primary email on my iPhone, iPad Pro, Macs ... it is easier to get a hold of a device where I am logged into my email than if I had a separate account that is not logged in actively anywhere unless needed and the Yubikeys are put away safely and only known by someone who should know of them. I trust this person and they can know everything in my 1Password account, but I am more uncertain how well they maintain the security of all their devices. So I won’t want someone who gets a hold of their device to be able to initiate a reset of my 1Password vaults through them. I know they still need access to my email account, and if it is my primary account which is active on all my devices, it seems much more vulnerable, even if they are all secured fairly well, than using another account that’s not active.

    Of course if 1Password would have a delay mechanism for resetting my account then that would put my mind more at ease because then a trusted person could still get instant access with my email, master password and secret key but otherwise without that the trusted person or the imposter would need to wait and I get notified of that attempt which I should be able to cancel and take mitigating measures.

    The issue is with email forwarding: resets are forwarded just like all other emails from 1Password. There is no way to have that one email for resetting not forwarded to my primary email as far as I know. I will see if I can make some exception to forward all but that, but I am not aware of one. Is it correct that the link in the email is all that is needed to confirm the reset?

    Am I making sense or am I missing something?

  • MONKi1P
    edited February 12

    This also gets me full circle with encrypted emails, especially for account recovery. If that would be possible, I could just use my primary email address and know that only with my decryption key used with a separate email client can those be decrypted and allowing the recovery to be confirmed.

    Plus my Yubikeys/2FA code generator won’t help because that is also being reset during account recovery.

  • The alias doesn't prevent someone with access to your email account from doing anything. It just makes it harder for someone to figure out your 1Password credentials or, for example, to initiate a phishing attack against your 1Password account.
    The problem with an unused account is that genuine email alerts from 1Password could be sat in there for hours or days before you see them. So you would need to automatically forward emails to an account which you monitor regularly. Then the recovery emails would be forwarded to all your devices and could be read by anyone who has access, whether or not the other account is secured by a YubiKey.
    Sounds like you're trying to fix a device security problem by adding an extra layer of email complexity. Have you set strong passwords/passcodes for your devices? Are they set to autolock? Does your email app offer any additional security options?

  • edited February 12

    @MONKi1P Another idea: how about removing the Family Organiser privileges from the trusted person and giving them a separate account that they should use if they need to trigger a recovery. That account could be secured with a YubiKey.

  • MONKi1P
    edited February 13

    After I figure out my setup, I hope the 1Password team releases some new features that make all this added complexity obsolete and all this was just an exercise in curiosity ;)

    @missingbits I like your suggestion of using a non-actively used co-organizer account with a separate email address that is locked up and safe. Still debating on which provider to use. Leaning towards Google here at the moment with Advanced Protection.

    Going with a big email provider might provide greater longevity as compared to the two options I had mentioned earlier since they do/may delete inactive accounts.

    Tutanota — "Your deleted email address (also if it is an alias) will not be recycled for security reasons....Free of charge accounts are deleted after an inactive period of six months. A regular login is necessary to prevent automatic deletion." https://tutanota.com/faq/#inactive-accounts

    ProtonMail — "Although it is not the current practice, we reserve the right to suspend or delete accounts that are inactive for over three months. Paid accounts with active paid status are not subject to this measure." https://protonmail.com/terms-and-conditions

    @missingbits you have mentioned before that you use Authy and I have used it in the past, but they require a phone number that can be used for recovery purposes. I just initiated it and I got an email to confirm it, then the first of four SMS messages until in 24h my account will be accessible without another previously logged in device. In the end I will still need my passphrase to unlock it. I don't get why a phone number is used/needed at all if my email and the passphrase is what actually secures my Authy account. Carriers recycle phone numbers, SMS messages are not safe and just leak data. (Signal has planned to implement phone numberless accounts starting sometime this year.) I'm no expert but it seems safer to use LastPass Authenticator with the cloud backup (requires a free LastPass account) where I can sign up with an email address and a Master Password, neither of which can be traced back to me in any identifiable way.

    As a side note to all of this, I'm primarily looking to create peace of mind for myself as opposed to some active real concern that I am in danger of any of this happening to me.

  • ag_ana

    Team Member

    @MONKi1P:

    you have mentioned before that you use Authy and I have used it in the past but they require a phone number that can be used for recovery purposes.

    Have you given Microsoft Authenticator a try? This does not require entering a phone number, you can start scanning QR codes right away.

  • @ag_ana what about backups? I had the impression it wanted a Microsoft account to be linked to make that work.

  • ag_ana

    Team Member
    edited February 13

    @MONKi1P:

    If I am not mistaken, Microsoft Authenticator on iOS requires just an iCloud account. I am not an authenticator expert though, as I personally store my 2FA information inside 1Password :)

    But if you are concerned about backup capabilities in your authenticator apps, you should not use the feature altogether, and instead rely on your backup codes manually (for example by printing them, or storing them in a safe place outside of your authenticator app).

  • @ag_ana I have Microsoft Authenticator on the iPhone I use for work. iCloud backup didn't fit my personal needs because I wanted to sync 2FA tokens across all my devices, Apple and non-Apple. However, my employer had already disabled iCloud backups, so the only option was to sign in to a Microsoft account. I wasn't comfortable with this from a privacy point of view and I ruled it out because there was no information available on the security model.

  • @MONKi1P I know exactly where you're coming from. I have spent the last 3 years analysing and improving my internet security. It became an obsession for a while, now it's more of a hobby!

    I don't use Gmail for privacy reasons and just have a Google account (with no Gmail) to log into my Android phone. Tutanota have a very cheap premium account at 12 EUR per year. ProtonMail is more expensive, but OK if you pay for 2 years in advance. These allow you to set up aliases which you can use to hide the main address of the account.

    Most people are not like you and I and do not test authenticator app recovery processes to check they are secure! For the average person it probably suits them better to have an associated phone number to help with recovery. In Authy's case I'm OK with this because they do not know my "backups password" and cannot help if I lose it. In addition, I'm confident that I would be able to intervene if someone tried to recover my account without my authorisation.

    I moved away from LastPass for privacy and security reasons, so it's probably a year since I tried LastPass Authenticator. However, it can receive codes via SMS and one of the first steps when setting it up was verifying a phone number. If you have a LastPass account this means someone can bypass your 2FA and reset your Master Password via SMS, but they would need access to one of your devices where a Recovery One Time Password has been saved. I don't know how well the latter is secured; it obviously can't be encrypted with the Master Password.

  • ag_ana

    Team Member

    Thank you for the confirmation @missingbits, I was quite sure that iCloud was indeed an option there :)

  • I enjoy this discussion and find it helpful, thank you @missingbits for being willing to engage my current endeavors of re-thinking my setup now that I have migrated back to 1Password. It's been a long time since I have looked this closely at every aspect. I hope I won't go down a 3 year path like you have, but I'm happy spending a few weeks to plan it all out to a point where I feel at ease with it.

    @missingbits when you say you don't use Gmail, are you referring to the personal free gmail.com or also to Google Workspace/GSuite, which I have seen some 1Password Team member(s) mention as using & having their 1Password associated with? Tutanota's cheapest yearly plan is exceptionally affordable and their security setup seems even more private than ProtonMail's. Not that I have the ability to review all their open source code, but that does seem like a great option.

    @ag_ana I've tested Microsoft Authenticator a little and the iCloud backup, but when I enabled it, they required me to add a personal Microsoft account. It seems to work. Then I deleted it and reinstalled it, and when I clicked on recover from backup it offered me the Microsoft email address I logged in with to enable it and it restored everything without requiring any additional security steps. So the only way to prevent anyone from restoring all the TOTPs is by preventing someone from having access to my Apple account. Once they do, they can access all the generated codes. It's unlikely, but it doesn't make me feel comfortable using Microsoft's Authenticator.

    @missingbits with LastPass, which I have used heavily in the past, the default at least now when you sign up for a new account is to enter an email address and a Master Password. That is it. They don't ask for or require a phone number. In fact, the user would need to manually enable SMS Account Recovery to link a phone number and weaken their security to gain convenience. What they do prompt for is to enable account recovery when you log in on a mobile device. If enabled, then you can reset your Master Password via biometric authentication. I've never had that enabled due to the additional security risk this poses, but for people who just store random forum site passwords, I guess this is useful.

    To me Authy seems better than Microsoft's current Authenticator implementation but using a LastPass account (even on the free tier) that can only be unlocked with a MasterPassword without any other recovery options still seems safer to me for a TOTP cloud backup option. This is not an endorsement of LogmeIn, which I am personally not a fan of and I know too little about TWILIO to make a comparison but they might be a more trustworthy company & that could tip the scale here.

    A nice feature LastPass does have is something called Security Email: "This is a secondary email address that you associate with your LastPass account. It's used as your inbox for LastPass multifactor authentication emails and other security emails from LastPass." It is not exactly a PGP/encrypted email option but an alternative solution that is helpful to keep accounts safer. That way I was able to use one email address to login while getting all alerts to my general primary email account. Adding this feature to 1Password's account security options with @missingbits's idea of having an alias email address looks like a good combo to me. Maybe you can pass this kind of idea along to the dev team @ag_ana ?

  • ag_ana

    Team Member

    So the only way to prevent anyone from restoring all the TOTPs is by preventing someone from having access to my Apple account.

    That sounds correct if you decide to enable recovery features @MONKi1P, no matter what recovery method :+1: The only way to avoid the scenario you are concerned with is to disable recovery and not use backup codes altogether.

    Adding this feature to 1Password's account security options with @missingbits's idea of having an alias email address looks like a good combo to me. Maybe you can pass this kind of idea along to the dev team @ag_ana ?

    I can certainly pass the feedback to the team :+1:

  • @ag_ana Right, but both Authy & LastPass right now seem to offer backups that can be secured with a password that does not hinge on another account.

    @missingbits I've tested your alias idea and also noticed that anything above ~37 characters prior to the "@" symbol cannot fully be displayed in any of the preview/login screens and show fully only when going in to the Settings. This would protect from any onlooker as well except those with whom passwords are shared of course.

  • ag_ana

    Team Member
    edited February 14

    @MONKi1P:

    Right, but both Authy & LastPass right now seem to offer backups that can be secured with a password that does not hinge on another account.

    One requires a phone number, and the other requires an additional email though, from what you wrote. In both of these cases, the feature would be compromised if someone had access to your phone number, or this second email account, the same way it would be compromised if someone were to get a hold of your Apple or Microsoft account, in your previous example.

  • @ag_ana correct, iCloud & SMS seem less secure & have similar problems. In my case I actively use my Apple devices, so I cannot be as careful with them as I could with an email account like Tutanota that is not logged in or actively used anywhere and is completely encrypted and unrecoverable, just like 1Password, if the password were to be lost.

  • @MONKi1P Glad to help and happy that some of the information I've collected over the last 3 years has a use!

    I know that GSuite has more guarantees of privacy than free Gmail, but Google is an advertising business at heart. You can get the same functionality elsewhere from companies whose business model does not depend upon selling personal information.

    I didn't like the way Microsoft Authenticator was essentially an extension of validating yourself to Microsoft. It feels like "Sign in with Google" or "Sign in with Facebook" and I'd be concerned about ending up in some catch 22 situation where I couldn't validate myself to Microsoft because I couldn't validate myself to "company x" because I couldn't validate myself to Microsoft. In addition, the security model wasn't clear and Microsoft 365 is one of the world's most phished services. I want a clearly described security model with clearly defined authentication and recovery paths. This is the main reason I use 1Password.

    You're right about LastPass: if you don't enable SMS Recovery then they don't need a phone number at account set-up. The system then defaults to account recovery via email and a Recovery One Time Password saved on your device. My point was that, last time I checked, TOTP 2FA for free accounts requires that you use the separate LastPass Authenticator app and the set-up procedure for this app involves validating a phone number. I can't remember whether it's a necessary step when associating the authenticator app with your LastPass account, but it is certainly recommended and it would be interesting to know whether this then enables SMS Recovery.

    With Authy you're protected by your Backups Password and with Lastpass by your Master Password. With Authy the risk is that someone will fraudulently take over your phone number and use this to initiate the 24 hour recovery of your Authy account. With LastPass authenticator I was concerned that there was a risk of 2FA being bypassed in real time. So, as long as Authy's "multi-device" is disabled after adding all devices, it seemed better on balance.

    By the way, Authy has an optional additional Master Password for desktop installations. I'm not sure whether this is enforced with encryption or is just part of the user interface.

  • ag_ana

    Team Member

    Understood @MONKi1P :+1:

  • MONKi1P
    edited February 15

    @missingbits The benefits that I see with Google Workspace are the selfish interest of Google to protect their own system's security, they are big and will probably be around for a long time to come, they have a lot of money to spend on security, and if you do lose all access to an account you can recover through laborious ways to identify yourself as the person who has signed up & paid for the service. At the same time that can be a downside in case of court orders or elaborate identity theft schemes; for those scenarios this same "feature" would be the downside, which makes Tutanota ideal as their security setup is similar to a good password manager where if you lose all your login information, you lose your data. Their downside is they are small (hopefully they'll be around for a long time) and working with a minuscule budget when compared to Google. So if some new digital threat/technology comes along they might struggle to adapt quickly. I guess this is where it is all a process that needs to be reevaluated regularly & adapted as needed.

    So I've checked LastPass + Authenticator app. I wasn't sure how the setup process went anymore, so I created a new account, turned all recovery methods off, downloaded the Authenticator app, and enabled 2FA in LastPass. Now there you have a few 2FA options, and if you use the top LastPass Authenticator option, then you are right @missingbits that they require you to add a recovery/backup SMS phone number that doesn't show anywhere later on in the settings (good for security, especially if one has a secret secondary number), but as you said this leaves a phone vulnerability issue which they force onto the user. BUT if you go with the Google Authenticator option (maybe the others as well) then there is no phone number for SMS recovery/backup required or even possible during the setup. This is how I've had it on my end to avoid any SMS/phone vulnerabilities. It also allows you to back up the TOTP code for offline backup. I guess my question to you is, does that change the equation between Authy & LastPass+Authenticator?

  • @ag_ana
    Just to clarify why encrypted email communication with 1Password would still be the best option:
    (1) Any web email provider could be used to increase usability.
    (2) Email clients like Canary could be used.
    (3) It protects the user from security breaches including infected software, developers going rogue, or court orders forcing email providers to monitor the user's inbox, which has happened to Tutanota as well but would only expose unencrypted emails (reference article).

  • ag_ana

    Team Member

    Thank you for the clarification :+1:
