Logging in without Account Key?
I sometimes solve PC problems for family members that will never be part of my 1Password Family. However, in some cases I need temporary access to my own passwords on such a PC to solve a particular problem. With LastPass that is no problem; I can log in on their website using my username and password. Since my LastPass account has 2FA enabled (via a YubiKey), I feel this is safe. Since I always carry this YubiKey in my wallet it's almost always available when I need it.
If I decide to switch to 1Password for Families I would have to enter my Account Key instead of using the YubiKey. I see 2 problems here:
1) I have no problem remembering a really strong password, but I was not planning to remember my Account Key as well (and typing it is much more work than pressing the YubiKey once).
2) The YubiKey generates an OTP, so if a key logger were active on such a PC, I should still be protected. In case of the Account Key I would have presented all the keys to my kingdom...
Do I see this right? Is there another way to use 1Password for Families for this use case?
Comments
-
The need for the Account Key when logging into a Teams account is part of the security design -- it's "baked" into the cryptography and cannot be removed.
This is a key difference between authentication-based systems and cryptography-based systems. With 1Password Families the cryptographic keys which are needed to access the data can only be created when both the Master Password and Account Key are present. With authentication, the software can be modified so that a different authentication method can be used -- fingerprint readers, retinal scanners, biometrics, bad poetry writing -- to grant access to the desired resource. With encryption, the keys must be present and we can't simply decide that the keys aren't needed because everything is dependent upon them. The short answer is that there is simply no way to access your account, from an entirely new machine, without having the Account Key on hand.
This doesn't mean that we won't come up with some solution that allows you to securely carry your keys with you in a highly-secure manner. I'm the AgileBits resident hardware geek and firmware engineer (along with being our Redshirt Super Hero) and constantly looking for challenges to solve and opportunities to enjoy.
0 -
In addition to what Julie has mentioned, she's smarter than me on this stuff, and I'm no security expert by any stretch of the imagination. But you technically can use your YubiKey to help you out here. While it's not going to change the fact your Account Key is static, you can use the YubiKey to store and enter your Account Key. I have the YubiKey Neo I believe, and I can store a static password in it so that tapping on the sensor enters that static password into the currently selected text field. If you put your Account Key in that storage container on the YubiKey you can have it readily available with your YubiKey.
All of what Julie mentioned still applies, but this does mean you have the Account Key readily accessible should you need it.
Of course, my stance is always "Do I trust this computer?"
If yes, I have no problem entering data into it that might be confidential
If no, I avoid it like the plague.
A family member's computer is one I'd avoid like the plague, and I use my iPad or iPhone as a conduit through which I access my data. It's simply easier. Bonus for the iPad and iPhone is that they also have a copy of your Account Key so you can easily access it that way.
Hope that provides some additional insight :)
0 -
Thank you for the suggestion to use the second slot of my YubiKey. I have indeed used that before for similar purposes, but did not think of that in this context.
And yes, I mostly bring my iPhone or iPad when troubleshooting (if only to have a safe browser to look up stuff).
0 -
Great to hear!
If you haven't already noticed this, here's how you can see your Account Key on the iPhone or iPad:
- Open 1Password
- Go to Settings > 1Password for Teams
- Tap on your account in the list
- Then tap "Reveal Account Key"
That's another option for having access to the Account Key if you always carry your iOS devices. It's also why we stress having your Family/Team account on all devices (a subscription includes access to all the apps as they become available) because it means you are less reliant on the Emergency Kit and have access to the Account Key from several other devices if you need it.
My emergency kit stays in the safe deposit box where it belongs and I add accounts by referencing the Account Key from other devices. This is just my workflow, but it has worked well for me :)
0
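The distinction drawn in the first reply, that the decryption key can only be created when both the Master Password and the Account Key are present, shown as an added example (not part of the thread and not 1Password's own code). The derivation, the toy cipher and the sample secrets are simplified assumptions built from the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this sketch

def derive_unlock_key(master_password: str, account_key: str, salt: bytes) -> bytes:
    """Mix a stretched password with a high-entropy secret into one 32-byte key."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    mixed = hmac.new(salt, account_key.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stretched, mixed))

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC in counter mode); real systems use an AEAD."""
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key: there is no check to bypass, only ciphertext
    return _xor_stream(_subkey(key, b"enc"), nonce, body)

def demo() -> dict:
    salt = os.urandom(16)
    # Constructed sample secrets, not a real Account Key format.
    password, account_key = "constructed master password", "CONSTRUCTED-SAMPLE-ACCOUNT-KEY"
    vault = seal(derive_unlock_key(password, account_key, salt), b"vault item")
    return {
        "both_secrets": unseal(derive_unlock_key(password, account_key, salt), vault),
        "wrong_account_key": unseal(derive_unlock_key(password, "guessed-key", salt), vault),
        "wrong_password": unseal(derive_unlock_key("guessed password", account_key, salt), vault),
    }
```

Unlike a login check, `unseal` has no branch that could be swapped for a different factor: without both inputs the correct key never exists.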