I recently erased the hard drive on my Mac and manually reinstalled everything. Surprisingly, after installing 1Password, it didn’t ask me for my security key. I assume this is because Keychain automatically saved it and restored it from the cloud backup. If this is the case, would it be advisable to turn off Keychain from saving the security key in order to keep it off the cloud and stored locally only? I do have a printed copy of my security key as a backup already. 1Password Version: Not Provided Extension Version: Not Provided OS Version: Not Provided Browser: Not Provided

Hello chris000! 👋 Thanks for the question! When you add your 1Password account to the 1Password app on one of your Apple devices (such as a Mac, iPhone, or iPad) then 1Password stores an encrypted version of your Secret Key in the iCloud Keychain which is securely synced to all of your Apple devices. The next time that you need to add your 1Password account to another device you'll only be asked for your account password since the 1Password app will retrieve your Secret Key from the iCloud Keychain. You'll always need to enter your account password, which isn't stored, in order to decrypt your data and access your passwords and other items. This process safely and securely backs up your Secret Key and saves you from having to type it into all of your devices. The Secret Key is stored encrypted and can only be accessed by you and you can safely keep iCloud Keychain turned on. You can read more here: About your Secret Key -Dave

By the way, I’m curious: I know the Apple Keychain is encrypted and quite secure, but is it possible to disable Keychain from saving the 1Password security key if someone wanted to do so?

chris000 The team has looked into the security and encryption of iCloud Keychain and are very confident in the security of iCloud Keychain or else this feature would not have been built. Apple has gone to great lengths to ensure that no one, not even they, can access the encrypted information stored there. This is also an important data security feature in that it helps to prevent you from losing access to your account in the event that you lose your Emergency Kit or your Secret Key everywhere else. The only way to stop the encrypted version of your Secret Key from syncing to iCloud Keychain would be to turn off iCloud Keychain on all of your devices. Then the Secret Key would still be saved to the local keychain but it wouldn't be synced to your account. Let me know if you have any questions. -Dave

security key stored in keychain | 1Password Community

11 Replies

1P_Dave
Moderator
2 years ago
Thank you, the team and I will keep an eye out for your email.

-Dave
chris000
Occasional Contributor
2 years ago
Will do. Thank you Dave.

Chris
1P_Dave
Moderator
2 years ago
chris000

Thanks for the reply. If you formatted your Mac and reinstalled macOS then you should be prompted to enter your second factor (either your security key or one-time password from your Authenticator app) when adding your 1Password account back to the Mac.

So that I can better understand the situation, I'd like to ask you to create a diagnostics report from your Mac:

Sending Diagnostics Reports (Mac)

Attach the diagnostics to an email message addressed to support+forum@1password.com.

With your email please include:

A link to this thread: https://1password.community/discussion/148360/security-key-stored-in-keychain

Your forum username: chris000

Please do not post your diagnostic report to the forum. This is for your privacy and security.

Please send the entire file.

You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here. Thanks very much!

-Dave
chris000
Occasional Contributor
2 years ago
Thanks again for your reply. It was quite some time ago I added the security key as a second factor, so I don’t remember if my Mac prompted me for it at the time. I don’t specifically remember doing so, but it’s certainly possible. However, I did format and erase the entire hard drive recently so wouldn’t this trigger 1Password to re-prompt for the security key on this device? Thanks.
1P_Dave
Moderator
2 years ago
chris000

Thanks for the reply. If you've added a security key as a second factor for your 1Password account then you'll only be prompted to use it the first time that you add your 1Password account to a new device or browser.

Just to clarify: were you prompted for your security key when you added your 1Password account on the new Mac? It's normal that you wouldn't be prompted after that.

-Dave
chris000
Occasional Contributor
2 years ago
Thanks, Dave, for the clarification. However, I have one other concern: I wasn’t prompted to use my physical security key (YubiKey) either. Is this to be expected?
1P_Dave
Moderator
2 years ago
chris000

The team has looked into the security and encryption of iCloud Keychain and are very confident in the security of iCloud Keychain or else this feature would not have been built. Apple has gone to great lengths to ensure that no one, not even they, can access the encrypted information stored there.

This is also an important data security feature in that it helps to prevent you from losing access to your account in the event that you lose your Emergency Kit or your Secret Key everywhere else.

The only way to stop the encrypted version of your Secret Key from syncing to iCloud Keychain would be to turn off iCloud Keychain on all of your devices. Then the Secret Key would still be saved to the local keychain but it wouldn't be synced to your account.

Let me know if you have any questions.

-Dave
chris000
Occasional Contributor
2 years ago
By the way, I’m curious: I know the Apple Keychain is encrypted and quite secure, but is it possible to disable Keychain from saving the 1Password security key if someone wanted to do so?
1P_Dave
Moderator
2 years ago
I'm happy to help! 🙂

-Dave
chris000
Occasional Contributor
2 years ago
Thank you Dave :)