Feedback for improving 1Password account recovery process
Hello,
About the 1Password recovery process, for several months it has been possible to generate a recovery code.
With this recovery code the chances of being locked out of the account are lower, but it is necessary to have access to the email account; besides, if a user has 2FA enabled, it is also necessary to have access to a 2FA device, virtual or physical.
I strongly suggest implementing a recovery method using official ID or passport documents, with an internal process or by using specialized companies (such as iDenfy, for example), to certify that it is the user who is doing the recovery process.
With a method like this, the 2FA could also be bypassed; just yesterday, I was strangely locked out of an account because my 2FA TOTP codes and recovery codes weren't recognized anymore (strangely).
Fortunately for me, the company in which I had an account was able to reset my 2FA credentials just by uploading my official ID document; if that company didn't have this kind of process, I would surely have been out of luck.
I think that for a service like 1Password it is of even greater importance, as 1Password is the key for accessing literally everything.
For improving security of the process, maybe the process itself could be this:
1) When logged in to the 1Password account, upload the official ID/passport document (before a recovery attempt);
2) In case of a recovery attempt, 1Password could ask to insert the ID number, issue date and expiration date (for example), or only to upload the front/back of the document;
3) 1Password will check whether the document data match the document data already stored in the 1Password account prior to the recovery process;
4) Even better, because passports and many ID documents (like the Italian ID card) have an NFC chip, for improved security a user could also be asked to use an NFC reader to read the card and confirm that the user is physically in possession of the document;
5) Or maybe the recovery process could be done only by scanning the ID/passport with an NFC reader to improve the flow.
I would be willing to pay more for the 1Password subscription just to have this option, or to pay a fee when doing a recovery process, if needed, as I know that this type of service is very expensive.
I hope that you don't find this post too long, but I wanted to be as clear as possible.
Thank you.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
Hello @nicos18! 👋
Thank you for the feedback! Currently, a recovery code allows you to recover access to your 1Password account if you lose either your account password or Secret Key (or, if you're using the passkey unlock beta, then you can recover access if you lose either your passkey or all of your trusted devices). To use a recovery code, you'll still need to have access to your email address to confirm your identity before being able to recover access to your passkey unlock account: Generate and use recovery codes
That being said, I can see how having more options for identity verification beyond access to your email address would be useful and I've filed a feature request on your behalf.
Regarding two-factor authentication (2FA), you can add multiple authentication factors so that you can still sign in even if you lose one factor. For example, you can add both an authentication app and a hardware security key:
- Turn on two-factor authentication for your 1Password account
- Use your security key as a second factor for your 1Password account
I hope that helps. 🙂
-Dave
ref: PB-41992348
edit: posting as new thread