Unexpected behaviour: still able to see local data after deauthorising a device.
Recently I bought a new iPhone and transferred the data from my old iPhone. Next, I deauthorised the old iPhone. However, after restarting 1Password on the old iPhone it only asked me for my 2FA factor! (So I did not need to enter username, password, or secret key). Is that because the secret key is stored in iCloud and I had Face ID still active?
Even worse, I could still see all local data (so everything!) even though I deauthorised the device! Shouldn't it delete all data as soon as it connects to the 1Password infrastructure and sees that it is deauthorised?
Comments
-
Good question. Would expect similar. But it might be a feature to prevent accidental (or malicious) loss of access.
According to the Support Site only regenerating the Secret Key has the effect of needing to provide account password and secret key on every(!) device currently logged in.
0 -
Hi @XIII,
As a convenience feature, to make signing into the 1Password apps across multiple Apple devices easier, if you've set up your device with an Apple ID and have iCloud Keychain enabled (https://support.apple.com/en-us/HT204085), then when you sign into a 1Password membership inside one of our apps for Mac or iOS, the app will write some of your sign-in details to your encrypted iCloud storage. Then, if you go to sign into an account on a different Apple device that's set up with the same Apple ID and iCloud Keychain, the 1Password app there will find the account details stored in iCloud, and will present them as a list of found accounts to make signing into them easier.
0 -
Which sign-in details are stored in iCloud?
I knew that the secret key was stored in there, but the password is a surprise to me (I only had to type the 2FA code to get back in).
Even if you stored everything in iCloud, I would still expect the App to delete all data once it learns the device is deauthorized.
0 -
Thanks for the reply. Since I don't have access to your account information here on the forums could you open a ticket with our support team so that we can look into this further? I'd also like to ask you to create a diagnostics report from your iOS device:
Sending Diagnostics Reports (iOS)
Attach the diagnostics to an email message addressed to support+forum@1password.com.
With your email please include:
- A link to this thread: https://1password.community/discussion/142670/unexpected-behaviour-still-able-to-see-local-data-after-deauthorising-a-device
- Your forum username: XIII
- Please do not post your diagnostic report to the forum. This is for your privacy and security.
Please send the entire file.
You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here. Thanks very much!
-Dave
0 -
Not sure whether that still makes sense now (already wiped the old iPhone).
Can you please tell me how 1Password should behave?
Is this a bug, or do I have wrong expectations?
0 -
Thanks for the reply, I wasn't aware that you had already wiped the old iPhone.
If you deauthorized the old iPhone then you would have seen an account suggestion for your account when you opened the 1Password app on that iPhone. While your Secret Key and email address would have been provided by iCloud Keychain, you would then have been required to enter your account password and two-factor authentication to authorize your account again.
The behaviour that you describe sounds like you chose the "Require 2FA on Next Sign-In" option instead. If you didn't then I would recommend sending an email to the team using the instructions in my previous post (aside from the diagnostics report) so that we can investigate further.
-Dave
0 -
Yes, I understand all that.
Please focus on the second part: what should happen if I do not log in?
1Password said it would not sync (until I logged in), but I would rather it had deleted all local data (since the device was already deauthorized).
0 -
Thanks for the reply. Deauthorizing a device removes the local copy of the data on that device. Without access to a diagnostics report from your device, and knowing more, I wouldn't be able to comment on what might have happened on your device.
Are you able to reproduce the issue if you deauthorize 1Password on your new iPhone? Do you remember what specific version of 1Password for iOS you were running on that old iPhone?
-Dave
ref: dev/core/core#19697
0 -
Sorry, only know the major number (8).
Since I already wiped the device (and gave it to a family member) I can't provide diagnostics.
0