
The two secret key design

joshyukk
edited March 2023 in Memberships

Hi!

I'm interested in the security design of the secret key, account password and AUK.

As far as I know, my data stored on the 1Password server is protected by the AUK,
which is actually as strong as the secret key, and 1Password never knows it.
But if I forget my account password, my secret data is also gone along with the AUK.

I'm curious why not replace the account password with another secret key.
The simplified idea is like this:

There are two secret keys, say SK1 and SK2, both randomly generated on the client.
SK1 is just like the secret key: it only lives on the client and is never passed to 1Password.
SK1 is used to encrypt/decrypt the user's data, and SK2 is used to encrypt/decrypt SK1.

SK1 lives in the client's storage, such as the browser's local storage, in an encrypted form.
When decrypting the user's data, SK1 is first decrypted with SK2.
SK2 is stored on the 1Password server; only when the user logs in to the service can it be retrieved to the client.

In this way, the user's data on the server is protected by SK1, and 1Password never knows it.
The user's data on the client is protected by SK2; only after passing authorization, and with a client that contains SK1, can the user's data be decrypted.
If I forget my account password, I can reset the password with the normal reset procedure,
and my data is still securely maintained.

This way seems as secure as 2SKD, and the user's data can be maintained even after forgetting the account password.

Any idea about this? Thanks!


