Why use a recovery code instead of an emergency kit?

This discussion was created from comments split from: How does the Recovery Code feature work?.

Comments

  • Pleonasm
    Community Member

    Are there any situations in which it would be preferable to have an account Recovery Code rather than the Emergency Kit?

    It seems to me that the Recovery Code is only protected by the password of the email account associated with 1Password. If the email password is short and memorable, then the overall security of the 1Password account will be reduced, because an adversary could hack the email account.

    If, however, the email password is long, random, and saved in 1Password, then the 1Password account may not be able to be recovered using a Recovery Code, because the email password is inside of 1Password which itself is inaccessible during the recovery process. (I am assuming a user may not necessarily have a device already logged into the email account.)

    Thank you.

  • Dave_1P
    edited May 29

    Hello @Pleonasm! 👋

    Thank you for the question! You can certainly choose to continue to use your Emergency Kit if you wish; that option remains available.

    Recovery codes provide additional safety over Emergency Kits for the following reasons:

    1. If your account password is written down on your Emergency Kit and an attacker finds your Emergency Kit, then they have everything that they need in order to access your 1Password account. In contrast, using a recovery code requires an additional step where you're required to verify your identity by providing a six-digit code that is sent to your email address. This prevents someone from using your recovery code if you happen to misplace it.
    2. Additional protections prevent the use of a stolen recovery code under certain circumstances, such as if you're currently signed into and using 1Password on one of your devices.
    3. If you choose not to write your account password down on your Emergency Kit, and you forget your account password, then the Emergency Kit won't help you regain access to your account. Your recovery code will be able to help you regain access to your 1Password if you lose/forget either your Secret Key or your account password.

    Recovery codes also play a vital role for accounts where the Emergency Kit isn't available, such as accounts that are unlocked using a passkey. If you were to lose your passkey, or all of your trusted devices, then the recovery code allows you to regain access to your 1Password account.

    It's true that you need access to your email account in order to complete the identity verification step to use your recovery code. Most people should be signed into their email account on multiple devices. If you do lose access to all of your devices then you may be able to reach out to your email provider and request that they reset access to your email account.

    You can read more about recovery codes here: Generate and use recovery codes

    -Dave