Strange link in 1P renewal email?
Just received an email that my family plan will auto-renew next week. Thanks. I'm just curious about the embedded link to "your Billing page" which goes to https://XXX.1password.com/admin/billing (where XXX is a long and unreadable string). That sends me to a page that asks for both my Secret Key and my Password.
The same sentence in the email also has a link to "1Password.com" and that goes to a page which just asks for my Password. (And from there, I can navigate to my billing page without having to enter my Secret Key.)
Why does one link to 1Password.com require only a password while the other link requires the Secret Key as well? I'm always a little on edge when I have to enter my 1P Password to a browser but I'm even more reluctant to enter my Secret Key to a browser. (And yes, I generally don't click on links in emails but I did verify that these two links were as claimed.)
1Password Version: 8.9.11
Extension Version: 2.5.1
OS Version: macOS 12.6
Browser: Chrome 108.0.5359.124
Comments
-
Hi there @clarino
It's probably best that we help you with this via email so that we're not doing it in a public forum. Send us a message to support+forum@1password.com with a link to this thread and you'll get a reply from BitBot containing a conversation number, which looks like [#ABC-12345-123]. Post that number here, and I'll be able to make sure your email goes to the right team to help you. I look forward to hearing from you. :)
— Grey
0 -
As requested, here is the support ID:
[#EPP-51917-824]
0 -
While I recognize that you can’t discuss the specifics of @clarino's account, I am concerned about the idea that an email from 1Password could contain a link that asks for both our password as well as secret key. This is a very insecure practice. One should NEVER provide this information in a link that came in an email. Can you please clarify if this is something that would show up in a legitimate 1Password email?
0 -
Hi @BillL1
Emails from 1Password may ask you to visit my.1Password.com (or .ca or .eu depending on region). This is the website that is used to access your 1Password account through the browser. If you have not signed into 1Password through your browser then you will be requested for your full credentials as you need these to access your data. If you previously have authenticated your browser, you should only be asked for your account password.
0 -
Okay, I understand now. Thank you for the response.
0
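Added example (not part of the thread and not 1Password's own code): a Python check of where an emailed link really leads before any credentials are typed, using the domains named in the reply above (1password.com, .ca, .eu). The function name, the sample URLs and the `evil.example` host are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains named in the thread: 1password.com plus the .ca and .eu regions.
TRUSTED_DOMAINS = ("1password.com", "1password.ca", "1password.eu")


def check_link(url):
    """Return (ok, reason) for a link that claims to lead to 1Password sign-in."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    if port not in (None, 443):
        return False, "unexpected port"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "non-ASCII or punycode label (possible lookalike)"
    for domain in TRUSTED_DOMAINS:
        # Match the domain itself or a true subdomain, never a bare suffix.
        if host == domain or host.endswith("." + domain):
            return True, f"host {host} is under {domain}"
    return False, f"host {host or '(none)'} is not under a trusted domain"


# Constructed sample links; only the first two should pass.
SAMPLES = [
    "https://XXX.1password.com/admin/billing",
    "https://my.1password.eu/signin",
    "https://my.1password.com@evil.example/admin/billing",
    "https://1password.com.evil.example/admin/billing",
    "https://my1password.com/signin",
    "http://my.1password.com/signin",
    "https://my.1p\u0430ssword.com/signin",  # Cyrillic 'a' in the host
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_link(link)
        print("OK  " if ok else "FAIL", ascii(link), "->", reason)
```
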