To protect your privacy: email us with billing or account questions instead of posting here.

Security Key and Authorized Devices.

reddevil08
reddevil08
Community Member
edited May 2017 in Memberships

I have a few questions that I can't seem to get straight answers for.

Please correct me if I am wrong about these following assumptions and tell me why.

1) Authorized devices. Meaning : Any device I signed into ONCE with my password and security key and now every time i want to login, all i need is to enter my password because the device remembers my security key. So in this case, if i lose/sell/give away this device, I pretty much just have ONE FACTOR AUTHENTICATION on this device. How can i delete this device from the authorized list so it forgets my security key? I tested my 1password login on my work PC to test how it works and now my work PC will not forget my security key and i cant delete it off of an authorized devices list.

2) Security Key. I read on this forum and elsewhere that Security Key was the 2nd factor in two factor authentication. But in cases when the party intending to break into my account also has my security key (via screen grab or key logging etc.) or a device that has been authorized before, I again have only ONE FACTOR AUTHENTICATION, whereas if i could configure some prompt on my phone via an app or get a text with a code then it is clearly more secure and moreover I WILL KNOW WHEN someone is trying to use my password to get into my account.

I'm sorry but i just don't see how a security key is superior to a actual real time authentication. Moreover, saving a piece of paper in a safe is just archaic. Security key is more like a second password. Its like having two doors in series that are locked and the key to the inner door is in the hallway between the outer and inner door and the key to the outer door is your master password. AND if you let anybody into your house EVER, they already have the key to your inner door so now you only have one locked door.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGKyle
    AGKyle
    1Password Alumni

    Hi @reddevil08

    The Secret Key (or the Key formerly known as Account Key) is not a traditional second factor but it serves a very important role.

    First, lets tackle your question about authorized devices. In web browsers the secret key is stored in a local storage database. You can make your browser forget this by clearing various browser caches. If you don't want the browser to store it at all, make sure you choose the "public or shared computer" checkbox upon initial login. This setting will make sure it doesn't get stored. Just be mindful of accessing sensitive information on untrusted devices. If you can't trust the device, you shouldn't sign into any site or service using that computer that you aren't okay with being potentially compromised.

    For the apps, simply logging out will remove the secret key from the device.

    If you sign into your account then goto your Profile (under your name, top right) you'll see a list of Authorized Devices. Clicking the "x" button on the right of a device will cause that device to require re-authorization the next time it tries to access the server. If the user has the secret key and master password they can simply provide them and it'll re-authorize the device and service will continue.

    If you do not want that device to have access again, you can change your secret key and master password by once again logging into your account and going to your Profile. Next to your secret key you'll see an edit button that looks like a pencil. This will allow generating a new secret key and you can also change your master password there. Doing this and removing the device from the authorized devices list will effectively cut off a device from future access unless they have the new secret key and master password.

    So, in the event that you lost your device or it was stolen. This is an option you can take. Changing the secret key and master password will require re-authentication on each device as well, and you should make sure you have a copy of your Emergency Kit that is updated to reflect the new data. We don't necessarily require you to print this, though, many of us on the team have. Mine is stored safely in my home and while paper printouts are a bit "outdated" as you say, they're also fairly reliable. I have a digital copy of mine in an encrypted folder on my computer as well and also a digital copy on a USB thumb drive that's stored locked up.

    We provide the PDF because it's useful to have and it encourages people to make copies of it. If you don't plan on ever losing a device each device is effectively an emergency kit as it'll contain the secret key.

    I hope that answers the first question reasonably well for you.

    The second question you had is about the multiple factors side of things. I suggest reading this document which explains the point of the secret key.

    2FA systems don't actually get involved in the encryption of your data. What they do is try to block unwanted access basically. They're like a fence around your house and the encryption is the lock on the door. This metaphor only goes so far so don't read too far into it, but I'm trying to illustrate as best I can.

    There are various types of attacks that could be made, for instance breaking into our servers and gaining access to your data that way. This method of attack is actually not going to be protected by any 2FA solution we provide you. They'd be bypassing that protection, i.e., jumping over the fence. In this type of case whatever 2FA solution we provided you wouldn't help at all and now the only protection on your data is the strength of your Master Password. A weak Master Password would make it potentially trivial to gain access to your data. A very strong Master Password would make things much more difficult.

    However, the Secret Key provides more. What we do is, and this is simplified greatly, is combine your Secret Key and your Master Password to require decryption of your data. So now that same attacker who gained access to our server has effectively no chance of accessing your data because your Secret Key is incredibly strong and even with a weak Master Password has made accessing your data a non-trivial process.

    This is not a reason to use a weak Master Password, but we know some users will and the Secret Key is a way that we have made those weak Master Passwords a lot stronger. It protects us and our users from a situation that 2FA simply cannot. The Secret Key also makes our server a terrible target because nothing useful can be gained from it. If they like gibberish, this is a great way to get a lot of it. Our servers contain no secrets that can be used to attack your data, so they may as well have simply written out random text on their own computers.

    For the sake of discussion, another attack vector is stealing your device. In this scenario they may be able to gain access to your Secret Key, but because you used a nice strong Master Password you're still very protected and while you may wish to change your Master Password, de-authorize the device and create a new Secret Key, your data is still safe. The attacker would still have to brute force your Master Password and assuming it's a strong one it's going to keep you well protected.

    What 2FA would potentially provide is a way to block normal access and while that's certainly something we're looking into, it's not exactly the end all be all protection that everyone makes it out to be and the combination of a Secret Key plus a strong Master Password is still going to provide you with all the protection that you'll need. I can see how a 2FA solution might make you feel safer, but it's just a feeling and it's a feeling we all tend to think is more important than it is.

    1Password is designed in ways that are different from traditional services and as a result most of the typical solutions don't apply here. As users of software our feelings based on past experience with it make us feel we need to have 2FA support, but it's based on information using services that are quite different than 1Password, applying these assumptions and solutions don't always make sense.

    I hope that helps answer your questions. If you're really curious about the lengths we go through to protect your data our security white paper contains a great deal of information about it. And we're happy to answer any questions you might have.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited May 2017

    I have a few questions that I can't seem to get straight answers for. Please correct me if I am wrong about these following assumptions and tell me why.

    @reddevil08: Thanks for reaching out! I'll do my best to help. :)

    1) Authorized devices. Meaning : Any device I signed into ONCE with my password and security key and now every time i want to login, all i need is to enter my password because the device remembers my security key. So in this case, if i lose/sell/give away this device, I pretty much just have ONE FACTOR AUTHENTICATION on this device. How can i delete this device from the authorized list so it forgets my security key? I tested my 1password login on my work PC to test how it works and now my work PC will not forget my security key and i cant delete it off of an authorized devices list.

    I just double checked this to make sure we don't have a bug here since you seemed so sure, but I was able to de-authorize my Windows machine from my Profile page on 1Password.com:

    Are you receiving some sort of error when you try to do this? In my case, the account and its credentials were removed from the app. If that's not happening for you, we need to know.

    While we can split hairs (that I don't have) when it comes to the definition of "two-factor", in my view, the authorized device itself, containing your Secret Key, becomes the second factor that is needed to authorize a new one. After all, you can choose not to save your Emergency Kit anywhere (though a safe deposit box isn't a bad idea), so that you literally need your authorized device to be able to sign in on a new one. How you manage your Secret Key is up to you though, so you have a lot of flexibility to do things the way you want.

    2) Security Key. I read on this forum and elsewhere that Security Key was the 2nd factor in two factor authentication. But in cases when the party intending to break into my account also has my security key (via screen grab or key logging etc.) or a device that has been authorized before, I again have only ONE FACTOR AUTHENTICATION, whereas if i could configure some prompt on my phone via an app or get a text with a code then it is clearly more secure and moreover I WILL KNOW WHEN someone is trying to use my password to get into my account.

    That's sort of like saying that TOTP isn't two-factor authentication because someone gains access to that. It doesn't magically become single factor, as that's still needed. That it's fallen into the attacker's hands is a problem, but just because they have what they need doesn't mean it isn't necessary to authenticate. It's a second thing without which not only can your account not be accessed, the data cannot be decrypted.

    I'm sorry but i just don't see how a security key is superior to a actual real time authentication. Moreover, saving a piece of paper in a safe is just archaic. Security key is more like a second password.

    It's important to remember that the Secret Key is vastly different to a password one needs to remember and enter manually (such as your Master Password). Just as it is impractical for you to memorize it and enter it on demand, that's because it is a randomly generated 128-bit string which is stronger than anything humans can come up with (and memorize). So I think to call it a second password is selling it short.

    That said, I think the crucial thing is that traditional two-factor is meant to keep you out of an account, not protect the data itself. 1Password is built on encryption not authentication, because we're less concerned about someone gaining access to the encrypted database than we are ensuring it cannot be decrypted without the keys to it: your Secret Key and Master Password. @jpgoldberg had a great blog post on the subject just last week:

    1Password is #LayerUp-ed with modern authentication

    Suffice to say, we realize that 1Password.com is a very attractive target, so we've built 1Password's security from the start so that it doesn't depend on the channel it's sent or it never being captured; because of the Secret Key, your data secure even if it falls into the wrong hands. And since your Master Password is also used to encrypt the data (not just let you login), it cannot be decrypted without both.

    Saving the Emergency Kit may feel "archaic", as paper is not a sexy new 21st century technology, and like I said, it's your prerogative how you manage your Secret Key. But if something happens to me and my loved ones need to access my 1Password.com account, they'll be grateful that I've prepared for that.

    Its like having two doors in series that are locked and the key to the inner door is in the hallway between the outer and inner door and the key to the outer door is your master password. AND if you let anybody into your house EVER, they already have the key to your inner door so now you only have one locked door.

    The door analogy is a good one, because it illustrates the difference between traditional two-factor and the Secret Key. Your description actually applies to the more traditional login + one-time password "doors":

    1. Authenticate login credentials
    2. Authenticate one-time password
      = Profit

    With 1Password.com and Two-Secret Key Derivation (2SKD), you don't get anything without both Master Password and Secret Key: you can't "unlock" any doors.

    It gets more complex at this point, so bear with my while I try to break this down (and check out the security white paper for more details). But if someone gets your 1Password.com-authorized iPhone, say, they would probably also need to also have your device passcode to even open 1Password, and also your Master Password in order to unlock it. Then they can get your Secret Key. Otherwise they won't have it in that scenario. So in most scenarios (barring you giving it away), getting the Secret Key is predicated on an attacker having full control of your device and probably your Master Password as well. Without both of those, they don't have your Secret Key, and without your Secret Key and Master Password, they can't decrypt the data.

    I think maybe what you're getting at is that the Secret Key can be obtained in some scenarios, and is therefore not "perfect" security, but the security of 1Password doesn't rest solely on its shoulders; there are multiple protections, any of which on their own are insufficient to protect against all attacks, but together they are incredibly strong. Also, the perfect security would mean destroying the keys so that they no longer exist and cannot be obtained by an attacker through any means whatsoever...but then of course we can't access out data either!

    Similarly, one-time passwords (or other two-factor options) can also be obtained in some scenarios. What the Secret Key has going for it is that there is no escape hatch. In the majority of cases, second factor can be circumvented or reset, as it is simply being used for authentication. Sites offer "recovery codes" or "security questions" that can be used to disable and/or go around it if you lose or cannot access your second factor. These can be exploited by attackers. The Secret Key doesn't work that way, and since it's used together with your Master Password to encrypt your data, having one without the other is not helpful (as anyone who locks themselves out of their own data can attest), and a brute force attack cannot be done against your Master Password. So while the Secret Key can't protect us from all possible attacks, I wouldn't sell it short. :)

  • reddevil08
    reddevil08
    Community Member

    Wow, excellent answers! Thank you. Color me educated. I use 1Password exclusively on mobile and i could not find the devices list. I will log into my desktop at home once i get off work and try it out. Also, i didn't realize I could generate a new security key if needed. That was news to me.

  • AGKyle
    AGKyle
    1Password Alumni

    Hi @reddevil08

    On behalf of myself and Brenty, you're most welcome.

    Make sure you have a copy of that emergency kit in some form or fashion. We can't recover accounts for our users, so if you lose that information the best we can do is facilitate deleting your account for you and allowing you to start over. It's definitely vital that you have a copy of that data somewhere. Even if you don't have it printed. Perhaps put it on a USB thumb drive and put it somewhere safe (it's just a PDF file).

    If you have any other questions please don't hesitate to let us know. Have a wonderful week!

This discussion has been closed.