Secret Key and iOS
I'm trying to understand how the secret key fits in to iOS. When I add 1Password to a an iOS device, it doesn't seem to need the secret key. I haven't stored the secret key anywhere on the device to my knowledge. How does the secret key fit in and what's to keep someone from using 1Password on their device to hack into my account by hacking just my 1Password password and bypassing the secret key? I know this is probably a basic question and I'm probably missing something fundamental in terms of how the pieces work together. Thank you.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided
Referrer: forum-search:secret key
Comments
-
Hello @wab! 👋
If you've already added your 1Password account to one of your other Apple devices (such as a Mac or iPad) then 1Password would have stored an encrypted version of your Secret Key in the iCloud Keychain which is securely synced to all of your Apple devices. The next time that you need to add your 1Password account to another device you'll only be asked for your account password since the 1Password app will retrieve your Secret Key from the iCloud Keychain.
This process not only safely and securely backs up your Secret Key but saves you from having to type it into all of your devices. You can read more here: About your Secret Key
-Dave
0 -
Hi Dave. Thanks for your response. Based on the recent WSJ articles about iPhone vulnerabilities when stolen if the thief has observed your passcode, I have deleted all my Keychain passwords and now only use 1Password. I'm assuming that the Secret Key is still in the Keychain but not visible. If I turn off Keychain synchronization with iCloud does that go away? It seems to me that in the scenario of a stolen iPhone with stolen iPhone passcode, the fact that the Secret Key is stored in the Keychain would reduce that layer of protection but I guess that is an acceptable and pretty much inevitable risk, given that the thief would still need the 1Password password to access the app. As a separate but related issue, I do think that storing visible passwords in the Apple Keychain creates an unacceptable risk since it would mean that passwords could all be accessed with a 4 digit PIN. Obviously given this situation, it would be a really bad idea to store the 1Password password in the Apple Keychain on an iPhone. Thanks.
0 -
The encrypted version of the Secret Key stored in the Keychain isn't stored in the same way as passwords that you might have saved in the Keychain in the past and it won't appear in the "Passwords" page of the iOS Settings app.
Obviously given this situation, it would be a really bad idea to store the 1Password password in the Apple Keychain on an iPhone.
Correct, you shouldn't save your account password in iCloud Keychain or any other password manager aside from 1Password itself. The account password should be memorized and, optionally, only written down on a printed copy of your Emergency Kit that is stored somewhere safe and secure. 🙂
-Dave
0