Security bug: Multiple Samsung phones being used to log into an account without 1Password knowing it

If you use Smart Switch to transfer data from an old Samsung phone to another Samsung phone, it will copy the 1Password app data as well. 1Password will think the new phone and the new phone are the same (the new phone will not show up on your dashboard). That means no need for 2FA, and no need for a secret key either, to use the new phone. Just the master password. Both phones stay signed in and the 1Password dashboard only shows one.

I've used the new phone and old phone for 1 week now and 1Password still has not realized they are different phones.



Comments

  • @petero43432 Sounds like Smart Switch is functioning as intended. If I cloned my desktop PC's hard disk, I wouldn't expect 1Password to be able to tell the difference between the two. Is the issue that 1Password doesn't spot that it's servicing two devices with the same identity?

  • I will disagree with that for two reasons: 1) 1Password should at least recognize there are now two phones connected in the "my devices" section and 2) other apps like LastPass do not clone the database when used with Smart Switch (I have both).

  • ag_ana (Team Member)

    @petero43432:

    I have also asked the security team to weigh in here and see if they have any thoughts about this :+1:

  • brenty (1Password Alumni)

    @petero43432: How do you propose that work?

    I ask because while there are any number of ways we might try to differentiate between devices -- OS, model, fingerprinting -- that could be cloned/spoofed as well.

    Significantly, two-factor authentication isn't what protects your data, and is only relevant when authenticating, which you'd already done. Two-factor authentication protects against a specific attack, wherein someone already has all of your account credentials and tries to sign in on a device they control. If they have your device already, they don't need to do that.

    What's protecting your 1Password data isn't that the server is saying, "Oh, well, this looks like petero43432's device, so let's give them access", but rather encryption: the encrypted data on the server is protected by your Master Password and Secret Key, as neither of those are ever transmitted to it; and the encrypted data on your device is protected by your Master Password, since you've authorized it and saved your Secret Key there...which you copied over along with everything else when you cloned it.

    Given that the security is the same on both devices, and you don't seem concerned that you're able to access your data on the original by decrypting it using your Master Password, I'm not sure what the security risk would be on the second. But I'm interested to hear your thoughts, especially regarding the question I posed at the beginning. Although it won't be a security issue, there may be other reasons it could be worthwhile to try different approaches for device identification, recognizing that there will be limitations to doing so. Let me know what you think.
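
The point discussed in this thread, that a full app-data copy carries the stored Secret Key and device identity with it, sketched as an added example (not part of the thread and not 1Password's code). The derivation, field names and device identifier are assumptions of a simplified model, not 1Password's actual scheme.

```python
# Simplified model for illustration; not 1Password's actual key derivation.
import copy
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value for this model

def derive_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    # Both secrets feed the key: the password is stretched, then keyed with the secret key.
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()

def enroll(master_password: str):
    """Set up one device. Returns (device_store, server_record)."""
    secret_key, salt = os.urandom(16), os.urandom(16)
    device_id = os.urandom(8).hex()  # hypothetical per-install identifier
    key = derive_key(master_password, secret_key, salt)
    verifier = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    # The device keeps the secret key; the server never receives it or the password.
    device_store = {"device_id": device_id, "secret_key": secret_key,
                    "salt": salt, "verifier": verifier}
    server_record = {"salt": salt, "verifier": verifier, "devices": {device_id}}
    return device_store, server_record

def unlock(salt: bytes, verifier: bytes, master_password: str, secret_key: bytes) -> bool:
    key = derive_key(master_password, secret_key, salt)
    candidate = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, verifier)

def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample
    phone_a, server = enroll(password)
    phone_b = copy.deepcopy(phone_a)  # full app-data copy, secret key included
    server["devices"].add(phone_b["device_id"])  # clone reports the same identifier
    return {
        "clone_unlocks_with_password_only": unlock(
            phone_b["salt"], phone_b["verifier"], password, phone_b["secret_key"]),
        "devices_listed": len(server["devices"]),
        "no_secret_key": unlock(
            server["salt"], server["verifier"], password, os.urandom(16)),
        "wrong_password_on_clone": unlock(
            phone_b["salt"], phone_b["verifier"], "guess", phone_b["secret_key"]),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the clone unlocks with the password alone and the device list still shows one entry, while the password without the stored secret key, or a wrong password on the clone, fails.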
