To protect your privacy: email us with billing or account questions instead of posting here.

Best way to transfer secret key for new device

themantalope
themantalope
Community Member
edited March 2023 in Memberships

Hi All,

I'm not sure if I'm using the correct keywords but I can't find information on the topic.

Here is the situation. I use 1password for basically everything (migrated from LastPass). This includes at work (corporate hospital system). I cannot install software on workstations, but I am able to add the 1Password extension on browsers.

I have to frequently change workstations as a radiologist. When signing into a new workstation I need to input the 1Password secret key. It's kind of a pain in the butt to manually type out the whole thing. As far as I can tell, the only way to use the generated link from my phone app (starts with onepassword://...) is if the new device I'm logging into has 1Password device app (not browser extension) installed.

Is there something I'm missing? I can create a QR code on the iOS app, which would then allow the new device to scan it and log in, but the workstations here do not have webcams.

Any suggestions appreciated. Any recommendations on which part of the docs to check also helpful.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Comments

  • ag_josephine
    ag_josephine
    1Password Alumni

    Hi @themantalope,

    Due to the restrictions on your work device and the inability to scan the QR code, there aren't any suggestions that could be provided that would allow you to input the Secret Key any way other than manually - you could look into saving the Secret Key on a USB device and then copying the Secret Key from this device for each computer you access, however, carrying around a USB with sensitive information poses it's own security risk and I wouldn't recommend it.

  • themantalope
    themantalope
    Community Member

    Yes this seems like an issue.

    Not saying that I can’t just do so manually but it’s a big pain every day.

    Is there a feature request that I can submit? Would make more sense if I can scan a QR code on the new device with my phone (that is already logged in).

    Thanks

  • Tertius3
    Tertius3
    Community Member

    Steam has the functionality to login to a desktop computer through their mobile app. I don't know, if it's secure enough for 1Password, however from the user's point of view, it works like this:
    You want to login to Steam on a desktop computer. The Steam desktop client displays empty username+password input fields, and a QR code as well. If you have the Steam app installed and logged in on your mobile, you can start that app and scan that QR code. A prompt appears if you want to authorize the login on your PC. You approve it and the Steam client on the desktop logs in like magic the next moment. The only interaction you do is taking your mobile, start the app, scan the QR code, touch some YES button.
    That would be a very nice workflow if feasible with 1Password.

  • Tabaluga
    Tabaluga
    Community Member

    This is not secure enough, what you describe sounds like a simple App Push TOTP 2FA. The secret key forms together with the master password the necessary input for the decryption algorithm that unlocks the decryption key for your encrypted data.

    The only other option that can be secure enough would be FIDO based pass key login. This might be available soon. In this case you could use a Yubikey, plug it into a device and replace the secret key or even secret key and master password.

  • Tertius3
    Tertius3
    Community Member

    It's more than just a push TOTP, because some data is exchanged as well. You don't enter anything at the client you want to sign in with, not even the username. Username and password is taken from the mobile client and is transferred back to that client if you approve it on the mobile phone. So it seems there is some secure channel established to enable this data transfer.

This discussion has been closed.