
Old Authorized Devices?

When I sign into my account at the 1Password web site, and I go to the My Profile page, there are always old Safari entries under the Authorized Devices list (in addition to the one labeled "Your current device"). This is despite signing out every time. I have to manually deauthorize the old ones.

Why don't they automatically get deauthorized when I Sign Out?

Thanks.



Comments

  • [Deleted User]
    Community Member
    edited January 2022

    @SpinalNeon9446 When you Lock an app, it keeps a copy of your 1Password data and it remains an Authorized Device. When you Sign out of an app, it should cease to be an Authorized Device and the local copy of your vault should be deleted. If it's not behaving like that, then it sounds like a bug.

    https://support.1password.com/sign-out/

  • SpinalNeon9446
    Community Member

    Yes, I understand that.

    My concern is when I sign in at https://my.1password.com/ with Safari. Despite choosing Sign Out (in the menu under my account name at the top-right corner), old sign-ins still appear in the list next time I sign in.

  • Hi @SpinalNeon9446:

    Great question! The Authorized Devices view in the profile page of my.1Password.com is a historical view of devices/sign-ins, and not a list of currently authenticated devices/sessions. Given this, signing out does not necessarily remove the entry from the list. Let me know if that helps, or if you'd still like me to dig into it with you a bit further!

    Jack

  • SpinalNeon9446
    Community Member

    How come there's a Deauthorize button (under the gear icon) next to each old browser session? It does work, i.e., you can deauthorize them and they disappear from the list.

    If they truly are different, then maybe they should be presented differently, e.g., in a separate section with no gear icon.

  • Deauthorizing a device makes it such that the Secret Key (and 2FA, if enabled) will need to be re-entered. These are not normally necessary if the app/extension has simply locked. When the app is locked, normally all that is required to unlock is the account password.

    Locking and deauthorizing are indeed separate and are presented separately.

    I hope that helps!

    Ben

  • SpinalNeon9446
    Community Member

    Yes, I understand that. I'm not worried about 1Password app installations in the Devices list. They're correct — if I sign out in an app, it disappears from the list.

    My concern is with old web browser sessions appearing in the list, even though I signed them out (under the menu at the top-right). For example, note the fourth device in the list in the attached screenshot. I signed out of that a couple of days ago.

    Indeed, once I sign out, then sign in again, there will be a second extra Safari session listed, i.e., this current one that I used to take the screenshot.

  • Hey @SpinalNeon9446:

    Just to clarify, signing out on my.1Password.com does not trigger a full deauthorize event.

    • Signing out of my.1Password.com saves your Secret Key to the browser, allowing you to just use your account password again to access your 1Password account.
    • Deauthorizing a my.1Password.com session will require the Secret Key (and 2FA if necessary) next time you try to access your 1Password account on that browser.

    I hope that helps clear up the difference here!

    Jack

  • SpinalNeon9446
    Community Member

    So that means there's no way for old web browser sessions to be automatically cleared out of the Authorized Devices list. The only way is to go to each one and do it manually, under the gear icon next to it.

    I frequently reset Safari to clear cookies (I've been tracking-averse since even before the recent Safari history-exposing bug) so I'd end up with lots of them in the list. If I ever did have to deauthorize a particular device's installed app, I'd have to wade through them.

    Maybe 1Password apps and browser sessions should be listed separately. A Deauthorize All for browser sessions would be useful too.

  • Thanks for the suggestion, @SpinalNeon9446. :) I'll share that with the team.

    Ben

This discussion has been closed.