Security of account

[Deleted User]
Community Member

Hi,

I tried to explain to somebody the security that is built into 1Password.
Please correct me if I am wrong🤔

To access your account, an attacker needs four things:


  1. The email address used to sign up for the account.
  2. Your Master Password for the account.
  3. The Secret Key of the account.
  4. Access to my 2FA device.

That means that if, for example, an “attacker” has my 1Password master key OR Secret Key, they still need the other 3 to get in. Right?



Comments

  • Hello @F_9083x! 👋

    All of the data in your 1Password account is end-to-end encrypted using both your account password and Secret Key. Without both your account password and Secret Key it is impossible for anyone to decrypt the data in your 1Password account. They are the tools needed to decrypt your information.

    The email address associated with your 1Password account is needed as part of the authentication process but it's not needed as part of the decryption process. And if you enable two-factor authentication for your 1Password account then authentication will fail unless the one-time passcode generated by your authenticator app is entered when signing into your 1Password account on a new device.

    You can read more about the security of your 1Password account here: About the 1Password security model

    Please let me know if you have any questions. :)

  • [Deleted User]
    Community Member

    Hi Dave,

    I am very interested in the way 1password protects the user.

    I read that 2fa protects me even when somebody has my password AND secret key.
    You cannot use a new device without the 2fa code, right?

    And what about disabling 2fa? Does that require 2fa too?

    “Two-factor authentication is an extra layer of protection for your 1Password account. When turned on, a second factor will be required to sign in to your account on a new device, in addition to your 1Password account password and Secret Key.”

  • @F_9083x

    Thank you for the reply. If you enable two-factor authentication for your 1Password account then you'll need to supply either the six-digit one-time passcode from your authenticator app or use your Security Key in order to sign in to your 1Password account on a new device. You can read more here: Turn on two-factor authentication for your 1Password account

    Without the second factor an attacker who had your account password and Secret Key would be unable to add your 1Password account to a new device.

    And what about disabling 2fa? Does that require 2fa too?

    If you're already using your 1Password account on a device then you don't need to enter the one-time passcode again in order to disable two-factor authentication from that device because the account has already been authenticated on that device.

    Let me know if that helps clear things up. :)

This discussion has been closed.
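
The split described in the replies above, as an added sketch that is not part of the thread and not 1Password's own code: one key is derived from both the account password and the Secret Key, while the one-time passcode only gates sign-in on a new device and never feeds the key. The KDF choices, iteration count, function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """Derive one 32-byte key that depends on BOTH secrets."""
    # Memorised password: low entropy, so stretch it with a slow KDF.
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    # Secret Key: random and device-held, so a fast KDF is sufficient.
    sk_part = hkdf_sha256(secret_key.encode(), salt, b"secret-key-branch")
    # XOR the branches: missing either input leaves the key unknown.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def key_check(key: bytes) -> bytes:
    """Tag kept with the data to recognise the right key (stand-in for an AEAD tag)."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()

def can_decrypt(password: str, secret_key: str, salt: bytes, stored: bytes) -> bool:
    """True only when password and Secret Key together reproduce the key."""
    candidate = key_check(derive_key(password, secret_key, salt))
    return hmac.compare_digest(candidate, stored)

def can_add_new_device(password: str, secret_key: str, salt: bytes,
                       stored: bytes, otp_ok: bool) -> bool:
    """Sign-in gate on a new device: correct secrets AND a valid second factor."""
    return otp_ok and can_decrypt(password, secret_key, salt, stored)

# Constructed sample values, not real credentials.
SALT = bytes(range(16))
PASSWORD = "correct horse battery staple"
SECRET_KEY = "SAMPLE-SECRET-KEY-0000"
STORED = key_check(derive_key(PASSWORD, SECRET_KEY, SALT))

if __name__ == "__main__":
    print("both secrets:", can_decrypt(PASSWORD, SECRET_KEY, SALT, STORED))
    print("wrong Secret Key:", can_decrypt(PASSWORD, "SAMPLE-WRONG-KEY", SALT, STORED))
    print("no OTP:", can_add_new_device(PASSWORD, SECRET_KEY, SALT, STORED, False))
```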