Please critique my plan for securing crypto keys with 1Password
Hi Team, hope you are all well.
Please check this plan for any serious points of failure... Bear in mind:
- That a physical copy of our private keys is not ideal because I and my family travel a lot.
- That all of us in the family trust each other 100% with each other's finances.
- The biggest risk IMO is user error, e.g. mistyping seeds, and loss of a physical paper/steal copy.
Theoretical plan...
- We set up a Family Account, with our computers all running VPNs.
- We enable 2FA across the board
- We create a shared folder for each member that contains our:
  - emergency keys and master password
  - a screenshot of our crypto seed phrases (we delete the image, empty trash, and wipe our clipboard as soon as it's uploaded)
  - a secure note backup of seed phrases i.e. typed out (in case the image file becomes corrupted).
I understand that if a hacker manages to compromise one of our accounts we are all screwed, however, this seems almost impossible with 2FA and VPNs implemented.
Looking forward to your feedback.
Comments
-
Hi @Danas!
I just wanted to share a couple of documentation pages with you, which you might find interesting since you are thinking about the security of your accounts:
About the 1Password security model
Your 1Password credentials are the most important things to protect:
How to keep your 1Password account secure
And this is a page on 2FA and 1Password. 2FA is important, but since 1Password relies on encryption, it's important to understand exactly what 2FA protects you from:
Authentication and encryption in the 1Password security model
0 -
@Danas I'm not sure what you mean by crypto keys and crypto seed phrases. Does crypto key equal 1Password secret key? And crypto seed phrase mean 2FA TOTP seed or long term secret?
If so, this seems like a good plan for not ever getting locked out! I'm not sure what the VPN adds because your connection to 1Password is already triply encrypted. The benefit is that it will hide from your ISP that you are connecting to 1Password. The downside is that you share that same information with your VPN provider.
An alternative approach is to make everyone a Family Organiser. So anyone can recover the account for anyone else without knowing their master password or secret key. The security benefit is that you wouldn't be able to see into each other's private vaults and an attacker gaining access to one of the accounts would only be able to access the private vault of that account.
0 -
> I'm not sure what you mean by crypto keys and crypto seed phrases. Does crypto key equal 1Password secret key? And crypto seed phrase mean 2FA TOTP seed or long term secret?
Unless I misunderstood, I think they are referring to keys related to cryptocurrencies. And now that you mention it, I remember a blog post that we wrote about this some time ago, which could also be interesting:
How to use 1Password to manage cryptocurrency
0 -
Thanks 1Password team!
I'll have a good read of those materials and write back if I get stuck.
0 -
I've been trying to decide if I want to store my seed phrases in 1Password. The current line of thinking is that you never store them digitally. I have two hand-written cards with my seed phrase and I keep them in my house. But if it ever burns down, I'm screwed. I guess I'm trying to decide if it's safe to store it in 1Password. I save everything else in it, so I'm probably being overly paranoid not doing it.
0 -
This is an interesting discussion that I just came across. @Danas did you have any more thoughts? I'm wondering if the risk of having images of crypto seed phrases compromised could be reduced by somehow splitting them into two parts e.g. 12 words and 12 words and somehow storing them separately e.g. in different vaults? Though I guess if the attacker gains access to 1Password online then different vaults would not help?
0 -
> Though I guess if the attacker gains access to 1Password online then different vaults would not help?
That's right: different vaults would not help you if what you are afraid of is someone accessing your crypto seed phrases via 1Password.
0 -
For me, the biggest risk is a physical seed phrase being lost or even misrecorded, so 1Password is the most secure overall system.
A variant of this strategy could be to divide the seed phrase into 2 parts. Part 1 is in your private vault, and part 2 is in a private vault belonging to a family member. Ideally more than one family member will have part 2 in case one of them is incapacitated. Now even if a thief gets access to one system, they will only have one part.
The downside to this level of protection is if you were to pass away, there is no access for your family members.
Another idea is to put all your seeds into a shared folder, less the last word. The last word could be on a shared document on Google Drive. Now a thief would need to break into 1Password, AND know where to find the missing last words. Sharing the missing words document in a shared Google Drive folder would limit the document from being inaccessible, and your family will have access to the full seeds.
I'm not saying this is the best solution, I'm just putting out ideas for discussion.
0 -
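Added example, not part of the thread or of 1Password's documentation: it compares how much guessing is left to someone who holds one piece of a seed phrase under the two splits proposed above (half the words, or everything except the last word) and goes one step further by showing a 2-of-2 XOR split in which a single share reveals nothing. It assumes the seed phrases are BIP-39 mnemonics (11 bits per word, with a checksum carried in the last word); the function names are hypothetical.

```python
import secrets

WORD_BITS = 11  # BIP-39 (assumed here): each mnemonic word encodes 11 bits


def unknown_bits(total_words: int, missing_words: int) -> int:
    """Average log2 of the checksum-valid phrases consistent with the words
    a holder already has, when `missing_words` words are withheld."""
    if not 0 < missing_words <= total_words:
        raise ValueError("missing_words must be between 1 and total_words")
    checksum_bits = total_words // 3  # 4 bits for 12 words, 8 for 24
    return missing_words * WORD_BITS - checksum_bits


def split_xor(secret: bytes) -> tuple[bytes, bytes]:
    """2-of-2 split: one share is a random pad, the other is secret XOR pad.
    Either share on its own is uniformly random and reveals nothing."""
    pad = secrets.token_bytes(len(secret))
    return pad, bytes(s ^ p for s, p in zip(secret, pad))


def join_xor(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the two shares; both are required."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


if __name__ == "__main__":
    # Constructed sample: 32 random bytes standing in for a 24-word seed's entropy.
    entropy = secrets.token_bytes(32)
    a, b = split_xor(entropy)
    assert join_xor(a, b) == entropy
    print("24 words, 12 withheld:  ", unknown_bits(24, 12), "bits left to guess")
    print("24 words, last withheld:", unknown_bits(24, 1), "bits left to guess")
    print("12 words, last withheld:", unknown_bits(12, 1), "bits left to guess")
    print("XOR share held alone:   ", unknown_bits(24, 24), "bits left to guess")
```

Withholding only the last word leaves very little to guess because most of that word is checksum. A 2-of-2 split of any kind also means that losing either share loses the seed, so each share needs its own backup.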
> The downside to this level of protection is if you were to pass away, there is no access for your family members.
You could rely on the Emergency Kit to help you with this. If you store a copy of your Emergency Kit in a safe place, outside of 1Password, that other family members have access to, you would be able to get to the second part of the password even in an emergency.
0