Feedback for improving 1Password account recovery process
Hello,
About the 1Password recovery process, for several months it has been possible to generate a recovery code.
With this recovery code the chances of being locked out of the account are lower, but it is necessary to have access to the email account; besides, if a user has 2FA enabled, it is also necessary to have access to a 2FA device, virtual or physical.
I strongly suggest implementing a recovery method using official ID or passport documents, with an internal process or by using specialized companies (such as iDenfy, for example), to certify that it is the user that is doing the recovery process.
With a method like this, the 2FA could also be bypassed; just yesterday, I was strangely locked out of an account because my 2FA TOTP codes and recovery codes weren't recognized anymore (strangely).
Fortunately for me, the company in which I had an account was able to reset my 2FA credentials just by my uploading my official ID document; if that company didn't have this kind of process, I would surely have been out of luck.
I think that for a service like 1Password it is of even greater importance, as 1Password is the key for accessing literally everything.
For improving security of the process, maybe the process itself could be this:
1) When logged in to the 1Password account, upload the official ID/passport document (before any recovery attempt);
2) In case of a recovery attempt, 1Password could ask the user to enter the ID number, issue date and expiration date (for example), or only to upload the front/back of the document;
3) 1Password will check whether the document data match the document data already stored in the 1Password account prior to the recovery process;
4) Even better, because passports and many ID documents (like the Italian ID card) have an NFC chip, for improved security a user could also be asked to use an NFC reader to read the card and confirm that the user is physically in possession of the document;
5) Or maybe the recovery process could be done only by scanning the ID/passport with an NFC reader to improve the flow.
I would be willing to pay more for the 1Password subscription just to have this option, or to pay a fee when doing a recovery process, if needed, as I know that this type of service is very expensive.
I hope that you don't find this post too long, but I wanted to be as clear as possible.
Thank you.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
Hello @nicos18! 👋
Thank you for the feedback! Currently, a recovery code allows you to recover access to your 1Password account if you lose either your account password or Secret Key (or, if you're using the passkey unlock beta, then you can recover access if you lose either your passkey or all of your trusted devices). To use a recovery code, you'll still need to have access to your email address to confirm your identity before being able to recover access to your passkey unlock account: Generate and use recovery codes
That being said, I can see how having more options for identity verification beyond access to your email address would be useful and I've filed a feature request on your behalf.
Regarding two-factor authentication (2FA), you can add multiple authentication factors so that you can still sign in even if you lose one factor. For example, you can add both an authentication app and a hardware security key:
- Turn on two-factor authentication for your 1Password account
- Use your security key as a second factor for your 1Password account
I hope that helps. 🙂
-Dave
ref: PB-41992348
edit: posting as new thread
@Dave_1P how about using SMS as an additional way to deliver the recovery link? Benefits: SMS is physically bound to your (e)SIM, so kind of 2FA grade, and it doesn't require any knowledge of the credentials for the mailbox to catch the link. So if you lose the phone and access to 1P and have no access to the mailbox, you can deal with your mobile provider to get back your SIM card and thereby access to your SMS.
Thanks for the suggestion. SMS is widely considered to be an insecure method of communication since SMS texts can be intercepted and SIM hijacking can allow an attacker to gain access to your phone number. 1Password has always stayed away from offering features like 2FA over SMS for that reason.
SMS would also require us to collect another data point on you (your phone number) which is always something that we seek to minimize as much as possible: What we (don’t) know about you | 1Password
-Dave
@telephoneman2 As said by @Dave_1P, SMS is an insecure method, and for this reason I suggested having a method like ID identification, for example.
@nicos18 @Dave_1P that's a good point. But is that less secure than an email account where I need to choose a password which is storable and rememberable for human brains? That's an account where I can't use 2FA, can't use strong complex artificial passwords.
I would make this that easy to keep it in mind, note the password on a sheet of paper, or have a dedicated mailbox just for that … I am not sure if this is more secure than hijacking (keep in mind you still need the recovery code, just having the mail isn't enough) - or have a second password manager for this.
@telephoneman2 you're right, too.
And I think it depends on the situation in the customer's country.
In Italy, for example, the new law for MNP and for changing the SIM when it is broken, lost or stolen is more tightened; in case of a broken SIM, you need the old one, and in case of a lost or stolen one you need a police report.
So, in this way, being a victim of SIM swapping is now a remote possibility.
Thank you for the feedback, I've shared it with the team. 🙂
-Dave
ref: PB-42463697