security key stored in keychain
I recently erased the hard drive on my Mac and manually reinstalled everything. Surprisingly, after installing 1Password, it didn’t ask me for my security key. I assume this is because Keychain automatically saved it and restored it from the cloud backup. If this is the case, would it be advisable to turn off Keychain from saving the security key in order to keep it off the cloud and stored locally only? I do have a printed copy of my security key as a backup already.
Comments
-
Hello @chris000! 👋
Thanks for the question! When you add your 1Password account to the 1Password app on one of your Apple devices (such as a Mac, iPhone, or iPad) then 1Password stores an encrypted version of your Secret Key in the iCloud Keychain which is securely synced to all of your Apple devices. The next time that you need to add your 1Password account to another device you'll only be asked for your account password since the 1Password app will retrieve your Secret Key from the iCloud Keychain.
You'll always need to enter your account password, which isn't stored, in order to decrypt your data and access your passwords and other items.
This process safely and securely backs up your Secret Key and saves you from having to type it into all of your devices. The Secret Key is stored encrypted and can only be accessed by you and you can safely keep iCloud Keychain turned on. You can read more here: About your Secret Key
-Dave
0 -
Thank you Dave :)
0 -
I'm happy to help! 🙂
-Dave
1 -
By the way, I’m curious: I know the Apple Keychain is encrypted and quite secure, but is it possible to disable Keychain from saving the 1Password security key if someone wanted to do so?
0 -
The team has looked into the security and encryption of iCloud Keychain and are very confident in the security of iCloud Keychain or else this feature would not have been built. Apple has gone to great lengths to ensure that no one, not even they, can access the encrypted information stored there.
This is also an important data security feature in that it helps to prevent you from losing access to your account in the event that you lose your Emergency Kit or your Secret Key everywhere else.
The only way to stop the encrypted version of your Secret Key from syncing to iCloud Keychain would be to turn off iCloud Keychain on all of your devices. Then the Secret Key would still be saved to the local keychain but it wouldn't be synced to your account.
Let me know if you have any questions.
-Dave
0 -
Thanks, Dave, for the clarification. However, I have one other concern: I wasn’t prompted to use my physical security key (YubiKey) either. Is this to be expected?
0 -
Thanks for the reply. If you've added a security key as a second factor for your 1Password account then you'll only be prompted to use it the first time that you add your 1Password account to a new device or browser.
Just to clarify: were you prompted for your security key when you added your 1Password account on the new Mac? It's normal that you wouldn't be prompted after that.
-Dave
0 -
Thanks again for your reply. It was quite some time ago I added the security key as a second factor, so I don’t remember if my Mac prompted me for it at the time. I don’t specifically remember doing so, but it’s certainly possible. However, I did format and erase the entire hard drive recently so wouldn’t this trigger 1Password to re-prompt for the security key on this device? Thanks.
0 -
Thanks for the reply. If you formatted your Mac and reinstalled macOS then you should be prompted to enter your second factor (either your security key or one-time password from your Authenticator app) when adding your 1Password account back to the Mac.
So that I can better understand the situation, I'd like to ask you to create a diagnostics report from your Mac:
Sending Diagnostics Reports (Mac)
Attach the diagnostics to an email message addressed to support+forum@1password.com. With your email please include:
- A link to this thread: https://1password.community/discussion/148360/security-key-stored-in-keychain
- Your forum username: chris000
- Please do not post your diagnostic report to the forum. This is for your privacy and security.
Please send the entire file.
You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here. Thanks very much!
-Dave
0 -
Will do. Thank you Dave.
Chris
0 -
Thank you, the team and I will keep an eye out for your email.
-Dave
0