I No Longer Control That Device
I've used 1Password for Families from an Android device. In order to help with the debug of a problem I encountered, I have voluntarily given over control of that device to a development team. Wanting to practice good security hygiene, I have been going to sites like amazon.com, pocket.com, evernote.com, etc., and telling them that that device should no longer have access to the cloud data. I can't simply do a remote wipe, because that would destroy the evidence needed to track down the bug.
I'm not finding anything similar for the 1Password for Families data. I see the Android tablet listed among the devices connected, but no way to tell anything not to let it any more.
Maybe this is not a big deal, related to authentication vs. decryption. And, I have a pretty good password. But, if there were a way to get that device to forget my Account Key, that would be cool. Where is the Account Key stored? If it's stored in the Primary Vault, then no worries, because I told DropBox to de-authorize that device.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hey @RonHeiby! No need to worry about 1Password Families, or just 1Password in general, if you lose your device. :) So long as you're using a strong Master Password that only you know, your data is quite safe. The Account Key cannot be obtained from the device because it's not stored on it. You have to use your Master Password to access all your data and account info there.
That being said, revoking a device is something we're working on adding to 1Password Families and 1Password Teams. It's not ready quite yet, but keep an eye out for updates. If in the future you do lose a device or expose your Master Password or Account Key, you can change and regenerate them, respectively.
To do that, sign in to your account from 1Password.com and click the account menu in the top right, then select My Profile. Click "Change Master Password", then fill out those fields with updated info and confirm the changes. Next, click the pencil beside your Account Key, type your Master Password, and click Regenerate Account Key. Lastly, click the Generate Emergency Kit button and store that in a safe place so you can sign in later on if you use a different device or reset your browser.
Hope that helps! :)
0 -
That's really good to hear. I think my Master Password can stand up to a pretty strong attack, so sounds like I'm fine. Still, looking forward to the ability to revoke a device (whatever that might mean in this context).
The statement about the Account Key not being stored on the device intrigues me. I was under the impression that to access my Family vaults (local copy or cloud), both it and my Master Password were required. And, except for the first time with a new device, I type in only my Master Password when I fire up the app. (And, of course, that first time I almost always get to use the QR code -- awesome.)
Actually, on my devices, the Master Password I enter is the one I associated with my Primary Vault (stored on DropBox). The 1Password for Families Account Key and Master Password were only entered when I first associate that device with my account in the cloud.
It's only when I go to my Family web site do I enter the Account Key and 1Password for Families Master Password. And, when I do that from Chrome on my home iMac, it seems that something has remembered the Account Key after the first time, because the initial XX-XXXXXX of it are displayed to me, and I need enter only the 1Password for Families Master Password.
So, I'm now very curious about how this works, if I need the Account Key but don't have to enter it, and it isn't being stored.
I had thought that my 1Password for Families Account Key and Master Password were somehow being stored within my Primary Vault, and that unlocking that Primary Vault provided the information necessary to unlock the cloud vaults. (I had assumed that the same approach was used to handle multiple DropBox-stored vaults.)
And, with the Web access, I don't know where that information gets saved, just been thinking it was pretty cool that there was a safe way to store it. I was thinking of the Account Key as something that demonstrated that this was an authorized device, and the Master Password as something that demonstrated that I'm the one at the keyboard.
0 -
I think that may have been a typo earlier. After a long day of answering questions, sometimes I often write one thing when I mean another. I suspect that may have been what happened.
You are correct. Your Account Key is in fact stored on authorized devices. That's essentially what defines an authorized device:
Understanding the Account Key
However, your Account Key and Master Password are not stored with your data, so they are never synced. Your Account Key never leaves your authorized device, and your Master Password never even leaves your brain. Okay, technically it has to "leave your brain" temporarily to unlock your data, but it is never stored on your computer. :)
When you enter your Master Password, 1Password attempts to decrypt the encryption key (1024 bytes randomly generated). If the Master Password is correct, then the key is provide and the data can be decrypted. If the Master Password entered is incorrect, nothing is returned.
0 -
Thanks. That makes much more sense.
0 -
Happy to help! Don't hesitate to let us know if you have any other questions. It is great that you are thinking about these things.
0
