What happens when I revoke access to a device on 1Password.com?
Let's say I lose a device that I use 1Password on. I know I should go into 1Password.com and revoke access to that device. My question is, what exactly does that do? I know the app needs both the Secret Key and the Master Password to decrypt the vault. Let's say the person who finds my device knows my master password. If they fire up the app and enter my master password, my understanding is that the secret key is still on the device. Do the 1Password servers recognize that this device was once authorized and then revoked and thus disallow connection? How is this scenario different from a first-time connection from a device that is allowed in?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
@btownguy: It's the same. Devices/browsers are either authorized or not. Revoking access simply deauthorizes the device, removing the keys and data. But for that to be successful it would have to be able to receive the command from the server. If someone has your data and you've given them your Master Password you should assume that everything in 1Password is compromised (since they'll have the Secret Key inside the app then as well). The only mitigation going forward in that case is changing your Master Password, Secret Key, and any other information affected. That way they will not be able to sign in to the website or app going forward to get more data.
0 -
Thanks for the quick response @brenty. Can you clarify one point? You said "But for that to be successful it would have to be able to receive the command from the server." How does that happen exactly? Does the server send out some kind of push notification transparently to the device to remove the keys and data? Or does the server wait for the app to attempt a connection when the user manually opens the app?
0 -
@btownguy: Hmm. Good question. I'm sure someone here who works on this stuff behind the scenes will cringe when I say this, but it's reasonable to think of it in terms of a "push notification" — much like any time you make a change to your account or your data on another device, 1Password.com will notify all other devices of the changes. This is only different in that it targets only a specific device, but so long as it is online to receive the message the app will comply by purging the keys and data. Cheers! :)
0 -
Great. That's what I was looking for. If I lost my phone and someone knew my Master Password, they would still have to re-enter the Secret Key if that device had already been revoked.
0 -
You're welcome! I wouldn't want to count on that, since the device needs to get the revocation order from the server. But you can always change your Master Password and Secret Key if you believe they have been compromised. Better safe than sorry. :)
0
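The exchange above, as an added simulation that is not part of the original thread and not 1Password's code: a toy server that keeps a list of authorized devices and pushes a purge command on revocation, a toy device that caches the Secret Key and the encrypted vault after its first sign-in, and a lost-phone scenario run once with the device online and once offline. Everything in it is an assumption chosen to keep the script standard-library only: the two-secret key derivation (PBKDF2 of the Master Password XORed with an HMAC of the Secret Key), the HMAC-counter stream cipher, the Secret Key verifier used for sign-in, the fixed salt, the sample Secret Key strings and the sample vault. The real product's key derivation, sign-in protocol and cipher are not modelled; only the authorization logic the replies describe is.

```python
"""Toy model of device authorization, revocation and Secret Key rotation.
Added example, not 1Password's code: the key derivation, HMAC stream cipher and
Server/Device classes are stand-ins that show what a revocation does and does not stop."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample account; a real one would use random values.
SALT = b"constructed-account-salt"
MASTER_PASSWORD = "correct horse battery staple"
SECRET_KEY = "A3-OLDKEY-OLDKEY-OLDKE-OLDKE-OLDKE-OLDKE"
NEW_SECRET_KEY = "A3-NEWKEY-NEWKEY-NEWKE-NEWKE-NEWKE-NEWKE"
VAULT_PLAINTEXT = b'{"login":"bank","password":"hunter2"}'


def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Mix both secrets so neither alone yields the vault key (toy two-secret derivation)."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    sk_part = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in keystream, not a production cipher."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(d ^ s for d, s in zip(data, stream))

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered vault")
    return _xor_stream(key, nonce, ct)


class Device:
    def __init__(self, device_id: str, online: bool):
        self.device_id, self.online = device_id, online
        self.secret_key: str | None = None           # cached after the first sign-in
        self.encrypted_vault: bytes | None = None
    def purge(self) -> None:                         # what a delivered revocation does
        self.secret_key = self.encrypted_vault = None
    def unlock_offline(self, master_password: str) -> bytes | None:
        """What someone holding the device and the Master Password gets with no network."""
        if self.secret_key is None or self.encrypted_vault is None:
            return None                              # purged: Secret Key must be re-entered
        key = derive_vault_key(master_password, self.secret_key, SALT)
        return toy_decrypt(key, self.encrypted_vault)


class Server:
    def __init__(self, secret_key: str, encrypted_vault: bytes):
        self.verifier = hashlib.sha256(secret_key.encode()).digest()  # never the key itself
        self.encrypted_vault = encrypted_vault
        self.authorized: dict[str, Device] = {}
    def sign_in(self, device: Device, secret_key: str) -> bool:
        """Fresh sign-in: a brand-new device and a revoked one are treated the same."""
        presented = hashlib.sha256(secret_key.encode()).digest()
        if not hmac.compare_digest(self.verifier, presented):
            return False
        self.authorized[device.device_id] = device
        device.secret_key, device.encrypted_vault = secret_key, self.encrypted_vault
        return True
    def revoke(self, device_id: str) -> bool:
        """Deauthorize and push a purge; returns whether the device actually received it."""
        device = self.authorized.pop(device_id)
        if device.online:
            device.purge()
        return device.online
    def rotate_secret_key(self, new_secret_key: str, reencrypted_vault: bytes) -> None:
        self.verifier = hashlib.sha256(new_secret_key.encode()).digest()
        self.encrypted_vault = reencrypted_vault


def lost_device_scenario(device_online: bool) -> dict[str, bool]:
    """Enroll a phone, lose it, revoke it, rotate the Secret Key, then let the finder try."""
    old_key = derive_vault_key(MASTER_PASSWORD, SECRET_KEY, SALT)
    server = Server(SECRET_KEY, toy_encrypt(old_key, VAULT_PLAINTEXT))
    phone = Device("lost-phone", online=device_online)
    server.sign_in(phone, SECRET_KEY)

    purge_delivered = server.revoke("lost-phone")
    recovered = phone.unlock_offline(MASTER_PASSWORD)   # finder knows the Master Password

    # Owner rotates the Secret Key from a trusted device (which re-encrypts the vault);
    # later the phone comes online and the finder tries a fresh sign-in with the old key.
    new_key = derive_vault_key(MASTER_PASSWORD, NEW_SECRET_KEY, SALT)
    server.rotate_secret_key(NEW_SECRET_KEY, toy_encrypt(new_key, VAULT_PLAINTEXT))
    phone.online = True
    return {
        "purge_delivered": purge_delivered,
        "offline_unlock_succeeded": recovered == VAULT_PLAINTEXT,
        "old_secret_key_still_signs_in": server.sign_in(phone, SECRET_KEY),
    }
```

Running `lost_device_scenario(True)` and `lost_device_scenario(False)` gives the two outcomes the thread discusses: with the phone online the purge lands and the offline unlock returns nothing, while with the phone offline the finder who knows the Master Password decrypts the cached vault even though the device shows as revoked on the server. In both runs the old Secret Key no longer signs in after the rotation, which is the mitigation the replies point to; nothing the server does can reach data already sitting on a device it cannot talk to.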