I have an old iPad (iPad Pro 10.5 inch, MPDY2LL/A) that I wanted to create a new Family Member (fake one) in my iCloud account for. Since it used to have 1Password and other secret stuff on there, I decided to do a total reset and wipe the iPad and start factory fresh. I teach a class in Cyber Security and was trying to explain how 1P handles the secret key that is generated the first time on a device. I couldn't explain how it was ported over to other devices so you don't have to reenter the 34-character key. I guessed Apple's keychain and appeared to be right when I looked in my keychain for 1P and saw the explanation.
HOWEVER, when I downloaded a fresh copy of 1P on my "new" iPad for my new iCloud family member to try out my theory, the instant I opened it, it had the family email filled out and asked for the master password. Once I entered it, I was in the family vault, NO key request required. While we have the 1P family subscription, I haven't created any other vaults and don't have any Family Members other than myself, (my wife and I share the same master password), so there is no way that 1P knew about this new family member. I know this was a fresh install of the program because in the App Store I had to "Get..." it and not simply reinstall it from the family cloud. I thought maybe my keychain might be shared across the family (something I would think would NOT be secure), but when I went onto the same new member account that I created on my MacBook and looked at the keychain, the 1P entry was not there. Oh, and the same thing happened when I fired up 1P under the new account on my MacBook.
How did 1P know about the family vault when I first opened the program, and more importantly, how did it have access to my secure key? The only thing protecting me was my password which defeats why I've been telling folks 1P is more secure with this magic key. I read through the security white paper, and nothing really jumped out at me.
Help me understand! Thanks in advance.
1Password Version: iOS 8.10.0
Extension Version: Not Provided
OS Version: iPadOS 16.3
Browser:_ Not Provided
Referrer: forum-search:installing on new device
This might help explain:
Thanks, and that's what I figured for a single iCloud account. What still has me scratching my head is when I added a new adult family member from my iCloud account as the family organizer, when I signed in as the new family member, everything was ready for 1Password to setup once I downloaded the program fresh. From what I can tell looking at the keychain for the new member, somehow 1Password put in the information it needed to install the program. I wouldn't have thought that any part of a keychain would be shared across family members! I created a Test User on my MacBook with any iCloud account, and 1P wanted a fresh install; no knowledge of the family account. So what that tells me is that somehow Apple is deciding, I'm sure with 1P's help, what things to put into a family member's keychain. That seems to also manifest itself on my MacBook login screen where the emoji for me and my new family member are the same, even though in iCloud space the new member has a different icon. (I think an Apple bug)
So as long as no one can add a family member AND they don't have my 1P password, things are fine. But having that key floating around unencrypted like that (sending an email to setup on another device freaks me out since the key is being sent in plaintext!) just doesn't seem uber secure, but probably best tradeoff for convenience. I guess it is encrypted in the keychain though. Still much better than any other password manager where they are only securing their vaults with a single key, the master password.
Thanks again for the explanation.
The Secret Key is indeed encrypted in the keychain. I would not recommend sending emails with the Secret Key in plain text. No part of the keychain is shared. It sounds like you signed into the other account while still being signed into your iCloud account. If you happened to look at my iCloud account it has many testing accounts as well as my personal accounts all saved in keychain. If the user has changed the icon you likely have an old copy of the icon stored.
They would not have access to your 1Password unless you share it with them.
There are a few potential explanations for how 1Password was able to access the family vault and bypass the need for the secure key. One possibility is that there is a vulnerability in the software that allowed for the master password to be used as a substitute for the secure key. Another possibility is that there was a flaw in the implementation of the family sharing feature that allowed for unauthorized access to the vault. To determine the root cause of the issue, a penetration testing team could be brought in to thoroughly test the 1Password software and identify any potential vulnerabilities or weaknesses in the system.