After master password change on other device, able to view vault before reauthenticating on app
First time 1Password user after jumping ship from LastPass. Sorry if this has been posted before but I couldn't find anything and didn't have a lot of time to keep digging so here goes:
Setup 1Password doing the trial with a temporary master PW. Installed the desktop and Android app and using it for the past week or so. Decided to commit to 1Password, so changed my master password on the 1password website via my Windows machine--no problems there.
Go to my Android phone and open the app get prompted to re-enter my secret key and new PW which is good but, if I "arrow back" I'm able to still see my vault. Shouldn't 1Password prevent me from seeing/accessing my vault if it senses (which it did) that my master PW changed and ask me for updating things before letting me see my vault? That would seem far more secure. If, God forbid, I lost my phone and changed my 1Password master PW on another device I would hope that the app would be invalidating any access until new creds are entered. Yes, I do have a pin and bio data set on my phone to make it harder but it just seems like a bad idea to let me see my vault before entering the updated password. Even LastPass in all of their irresponsibility doesn't allow for that to happen. I really like 1Password but am I missing something?
1Password Version: 8.9.13
Extension Version: Not Provided
OS Version: Win 10 and Android 10.0.15
Browser:_ Chrome
Comments
-
Hi @TurnerBurn, thanks for writing in with this question.
If a device is lost or stolen we recommend regenerating your Secret Key and deauthorizing the device. Deauthorizing a device will automatically sign the account out of the 1Password app. If 1Password is unlocked on your device when you change your password, the app won't lock automatically or sign the account out like deauthorizing.
You can deauthorize devices from your account on 1Password.com by clicking your name > My Profile then clicking the gear icon next to a device and selecting "Deauthorize Device".
You can also set 1Password for Android to lock automatically anytime you switch focus away from the app to reduce the likelihood that anyone who picks up your phone might find an active session, with or without the password change:
1. Open and unlock 1Password for Android.
2. Tap the account or collection icon.
3. Tap Settings > Security.
4. Tap Auto-Lock on Exit
5. Select Immediately.Let me know if there's anything I can help with!
0 -
Thanks, Timothy, but the concern here is that the 1password phone app still allowed me to view my vault even though it sensed a master password change done on my PC but not yet done on the phone app. I would expect it to force me to re-authenticate on my phone by providing my new credentials before allowing me to see the contents of my vault. Seems like a security hole to me.
0 -
@TurnerBurn, thanks for getting back to us.
While it might seem odd, we actually do allow for the prompt to be dismissed in our applications. In 1Password for Windows, for example, there is an "x" button to dismiss the prompt. The data is available, but only what is already stored on the device. Not new items will be synced until the authentication with the new account password occurs.
Every device connected to your 1Password account will have a local cache of all vault data that is encrypted with the account password + Secret Key (along with a couple of other things). Here is a similar question from another customer that has several responses from our team that better explain the syncing and the security tradeoffs: https://1password.community/discussion/101453/changed-secret-key-still-able-to-access-vault
For most positive path cases, dismissing the prompt shouldn't be much of a concern, as you're not likely to want to if you're connected to the internet and know your updated password. Since you mentioned what would happen if you lost your device, here are some additional threads and documentation that would assist you with understanding those scenarios:
0