How does the Recovery Code feature work?

fernando91
Community Member

This is about the new Recovery Code feature:
https://support.1password.com/recovery-codes/

As per the documentation, using the Recovery Code means "You’ll receive a new Secret Key and create a new 1Password account password."

I am confused.

The whole basis of zero-knowledge encryption is that 1password is supposed to have no knowledge of our credentials.

If this Recovery Code feature can actually change the Secret Key, it seems like a 'backdoor feature', meaning our credentials are not really private anymore.

How does this work?
How can 1password offer a 'Recovery Code' feature and still maintain a Zero Knowledge architecture?


1Password Version: 8.10.32
Extension Version: Not Provided
OS Version: Win10
Browser: Not Provided

Comments

  • Dave_1P
    edited May 17

    Hello @fernando91! 👋

    Thanks for the question. Recovery codes allow you to recover access to your 1Password account in the event of a lockout where you've lost either your account password or Secret Key. Generating and managing recovery codes on 1Password.com is currently limited to individual accounts.

    Your account password and Secret Key are never sent to 1Password's servers. Instead 1Password uses Secure Remote Password (SRP) to authenticate your account: How Secure Remote Password protects your 1Password account

    When you first signed up for a 1Password account, the local client on your device generated a Secret Key and asked you to set an account password. When you complete recovery using a recovery code a similar process occurs: the local 1Password client on your device generates a new Secret Key and asks you to set a new account password. These are generated locally on your device and are not sent to the server.

    Regarding the recovery code process itself, a colleague of mine from our security development team shared a great overview on Reddit: https://old.reddit.com/r/1Password/comments/1cty1bl/recovery_code_how_is_the_encryption_key_derived/l4hx0q2/

    Let me know if you have any other questions after giving that a look. 🙂

    -Dave
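To make the "never sent to the server" claim concrete, here is a toy SRP-6a exchange, added as an illustration and not 1Password's own code: the server stores only a salt and a verifier from enrolment, the login transcript carries just the public values A and B, and both sides still arrive at the same session key. The combined client-side secret string and the small constructed group (N = 2**127 - 1, g = 3) are assumptions for the example; how 1Password really folds the account password and Secret Key into its SRP secret is not reproduced here.

```python
"""Toy SRP-6a exchange (illustration only, not 1Password's implementation)."""
import hashlib
import secrets

# Constructed toy group: N = 2**127 - 1 is prime, g = 3. Real deployments use a
# standard large safe-prime group (e.g. RFC 5054); these values are for illustration.
N = 2**127 - 1
g = 3


def H(*parts):
    """Hash integers/strings to an integer below N (toy transcript hash)."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


k = H(N, g)  # SRP-6a multiplier


def enrol(client_secret, salt=None):
    """Client-side signup: returns (salt, verifier) for the server to store.
    client_secret stands in for the locally held password and Secret Key;
    only the verifier v = g^x leaves the client, never x or the secret."""
    salt = secrets.randbelow(N) if salt is None else salt
    x = H(salt, client_secret)
    return salt, pow(g, x, N)


def login(client_secret, salt, verifier, a, b):
    """One SRP-6a login with client ephemeral a and server ephemeral b.
    Returns (client_key, server_key, transcript); the transcript is all that
    crosses the network. Keys match only if the client secret matches."""
    A = pow(g, a, N)                            # client -> server
    B = (k * verifier + pow(g, b, N)) % N       # server -> client
    u = H(A, B)                                 # computed by both sides
    x = H(salt, client_secret)                  # client only
    client_key = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    server_key = pow((A * pow(verifier, u, N)) % N, b, N)
    return client_key, server_key, {"A": A, "B": B, "salt": salt}


if __name__ == "__main__":
    secret = "example-secret-key|correct horse"   # constructed sample secret
    salt, v = enrol(secret)
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    ck, sk, wire = login(secret, salt, v, a, b)
    print("keys match:", ck == sk, "| on the wire:", sorted(wire))
    wrong_ck, sk2, _ = login("example-secret-key|wrong", salt, v, a, b)
    print("wrong secret matches:", wrong_ck == sk2)
```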

  • XIII
Community Member

    Excellent question and good explanation on Reddit.

    I suggest you make this a FAQ item on your site instead of referring to a post on a third-party website.

  • MerryBit
Community Member

    … and please put the details in the security white paper.

  • Dave_1P

    @XIII and @MerryBit

    Thanks for the feedback! The team is working to update our security white paper to include recovery codes. Internally, I've shared that you'd like to see a page published on our website with information about the security of recovery codes.

    -Dave

  • fernando91
Community Member

    Thank you Dave for the answer.
    I finally had the time to come back and analyze what's going on.

    The Recovery Code feature seems superfluous to me, and I don't know what type of user would benefit from it. If somebody lost their PW and Secret Key credentials, what says they would be any better at keeping track of a Recovery Code? People should just keep their original credentials safe.

The idea behind the Recovery Code seems to be that it doesn't need to be securely stored, because it's useless without e-mail confirmation. Therefore, the e-mail account becomes the weakest link. And if someone is so careless as to lose their PW and Secret Key, what kind of security would they keep on their e-mail? Furthermore, it is very likely their e-mail credentials, TOTP seed, and/or Passkey may be stored in 1password. Can they even log in to their e-mail account? What percentage of people actually memorized their Google or Apple account logins? Lastly, people are careless. They leave e-mail open, and they use webmail services that are hardly private or secure.

    I can't figure out why this feature was invented.
    From my perspective, the Recovery Code feature looks like a solution looking for a problem.
    IMO, the safest choice is to not use a Recovery Code and focus on securely and responsibly storing your credentials in the first place.

  • Dave_1P
    edited June 3

    @fernando91

Thank you for the reply. Storing a recovery code can be more secure than storing your account credentials. While it's important to keep it safe, your recovery code can't be used without a verification step using your email account. Additional protections prevent the use of a stolen recovery code under certain circumstances, such as if you're currently signed into and using 1Password on one of your devices. Contrast this to storing your account credentials: they can be used at any time.

    The team is also working hard on bringing passkey unlock to the stable version of 1Password and recovery codes are vital for this new feature. If you were to lose your passkey, or all of your trusted devices, then the recovery code allows you to regain access to your 1Password account.

    Let me know if you have any questions. 🙂

    -Dave

  • fernando91
Community Member

    Thanks @Dave_1P for the additional information.
    The provision for a Recovery Code alongside Passkey Unlock is reasonable and logical.

The only hole I see is that if the encrypted databases were somehow stolen (as they were with one of 1password's major competitors), a carelessly stored or disclosed Recovery Code could be used to do an offline unlock of the encrypted password database. (This is a possible, but very unlikely theory.) Criminals could use stolen customer data to send out very convincing phishing messages, trying to get customers to give up Recovery Codes. Is it possible? Yes. Is it likely? No.

    Finally, I now understand the main benefit behind the introduction of Recovery Keys.

  • Mark1P3
Community Member

    Thanks for your detailed explanation, Dave. Your colleague’s Reddit post was also helpful in clarifying certain details.

    I’m now looking to generate a recovery code in the unlikely event I lost my safely stored emergency kit AND my two devices where I am signed into 1Password.

    As I see it, I’d only need the recovery code in the above circumstances? And email isn’t a problem because my email credentials aren’t stored in 1Password. Therefore someone getting hold of the recovery code on its own wouldn’t be able to access or take over my 1Password account without email verification?

    Many thanks

  • Dave_1P

    @Mark1P3

You should keep your recovery code somewhere safe and secure, and store it as securely as you would your Emergency Kit. But you are correct that the verification step using your email address is required before the recovery code can be used.

    I hope that helps. 🙂

    -Dave

  • Mark1P3
Community Member

    Thanks @Dave_1P

  • Dave_1P

    I'm happy to help! 🙂

    -Dave