Suggestion: add warning that re-entering password is necessary after changing email
Hi,
I would like to suggest adding a warning or caution label that re-entering the Account Password will be necessary in the apps after changing email addresses on the Change your profile information and language on 1Password.com (https://support.1password.com/change-profile-1password-com/#change-your-email-address) page. It caught me by surprise and it would have been nice to know that beforehand.
I also noticed that the 1Password Account was not suggested for the password field of the prompt notifying of the recent email address change on iOS. I expected this somehow and it irritated me. Just as an observation.
The prompt is also the first time the Account Password was entered outside of the usual UI that unlocks the vaults. It might be worth considering making it a rule that the Account Password is only entered in that one field.
Comments
-
You would need to enter the password because the email is essentially part of the identifier for accessing your account. That's why it (email) is included in the Emergency Kit. You'll need to update the apps so that they use this new part of the identifier. Without doing so, there would be no way to sync your data. I can see how this might be confusing, but how else might the account be recognized? During the linking process, you're asked for four things: email, address (server), Secret Key, and password.
Serious questions here, no joke; I'm looking to understand your thought process.
The Secret Key is 1/2 of the encryption, and the password is the other 1/2. To me, it would stand to reason that changing the email would necessitate updating the apps and so on. I'd be happy to share your thoughts with the team. They are appreciated. Conveying things is sometimes a hard business, and if we can tap into your thoughts, it just may help others who may not be as seasoned as some of us long-time users are. New users' input, as well as that of old-timers, is greatly welcomed. I've been a user for 17 years, and I cannot tell you all the interesting things I learn daily from users like yourself, and they cause the 💡 moment. I often end up incorporating them into my daily usage.
Your password should not be filled in by the apps or saved. Ideally, the only place that your password would generally exist is with you. Sure, you can configure the (browsers) to fill on your behalf, but as a general guideline, we suggest against it to prevent accidentally filling on a site where it should not be filled.
Please tell us more about what you thought the flow should go like. 🙂 You've done a great job already and there may not be much more to add, and that's ok. I can use what I have to present this to the team.
0 -
Hi @ag_tommy!
I’ve been using 1Password for about 9 ½ years now, so I’m not that new myself :D
To be honest, I thought that the new email just replaces the old in the authenticated apps and I’m good to go, since it can only be done in a browser.
From my experience it is also not that seldom that apps (either mobile or desktop) just get the new email pushed and run with it.
> Your password should not be filled in by the apps or saved. Ideally, the only place that your password would generally exist is with you
If I understand you correctly, you advise against saving the 1Password Account data (email, password, secret key) as a login item within the private vault? If yes, this would surprise me, since the item was automatically created and tagged with Starter Kit when I registered for the membership back in 2017. Has this since changed? This blog post from early 2023 suggests no: https://blog.1password.com/starter-kit-items-explained/
> Please tell us more about what you thought the flow should go like. 🙂
In case of the email update, I would make the flow almost the same as you already have. Notify the user about the email change when the vault is next opened. But then say that the password has to be re-entered at the usual vault unlock screen instead of the very rarely occurring extra prompt. Or put the notification on the vault unlock screen and require the password right then and there. Maybe that is not possible due to design and/or would reduce security, I don't know.
Because I hadn't seen the "the email of this account changed recently, please enter your password to continue" prompt, I actually was a bit hesitant to enter my password. And since the saved URL also is a part to avoid accidentally choosing the wrong item and also phishing, there was a split-second doubt that the in-app prompt is legit, when the 1Password Account didn't show up. I know that is silly, but I hope it helps understanding where I came from. :)
0 -
No, not quite. I have mine saved in my vault, too. As long as your data is secured no one can access it. It's akin to saving the safe combination in the safe. It would do no one any use inside 1Password, other than myself. I only input my password from memory.
I do not have my personal password set to fill in a browser. I do have my testing accounts set to fill because, honestly, I have no clue what those passwords are. I'm not going to remember those because 1Password does.
I talk with so many folks each day who can log in via biometrics on a mobile device, but they cannot recall their password. I recommend the starter kit. I rarely access 1Password.com. I can't think of a need in years. I live almost entirely in the application.
Also, I'm glad you've been with us for a bit. No, not silly thoughts at all.
Edit: Hmm, a login item and then set the filling only to 1Password.com should work nicely for this.
0