iPhone migration and secret carryover

vkap
vkap
Community Member

Apologies if this has been covered. I just got a new iPhone and ported over all my data from my old iPhone (using iTunes on a computer). When I started up my 1pass app on the new phone, I saw the new account/setup screen, which is what I would've expected. Since I was setting up a new physical device, I expected to need my 1pass secret key to set up my account. When I continued to the existing account setup, the app said it already found my existing account and I only needed to enter my master password to continue. And it worked.

How did it "find" my account and why didn't I need to enter my secret key? Does the secret key carry over on backup of the phone to a computer? To the cloud? Is this expected behavior? Is there a way to turn this off? I do encrypt my phone backups to the computer with a strong password and I don't really back things up to iCloud, so this is probably fine if I can't do anything about it, but it seems preferable to me that the secret key not migrate from device to device (in this case, from my old phone to my computer and then to my new phone).

Thanks in advance!


1Password Version: 7.0.2
Extension Version: Not Provided
OS Version: iOS 11.1.2
Sync Type: Not Provided

Comments

  • thightower
    thightower
    Community Member
    edited November 2017

    @vkap

    The details, except for the master password are synced securely via the Apple iCloud keychain. As far as I know you cannot turn it off.

    Short answer, I would guess you could elect not to use Apple iCloud keychain syncing feature. But that would limit your ability to use Apple services etc.

    For me I find the feature extremely useful, especially when setting up new devices. It sure makes my life easier and it really makes it much easier when the wife gets a new device. ;) ( when, I am out town, traveling etc.)

    I personally have no issue with it, due to the fact all my Apple services would be using the keychain anyway. The Apple iCloud keychain is also protected by a security code on all devices when initially setting it up.

    I am sure one of the staff will be along and can give further information on the subject.

  • vkap
    vkap
    Community Member

    @thightower

    Thanks for the response. I have iCloud Keychain turned off on both my old phone and (as the settings carried over) on my new one. You can individually decide which apps use iCloud, and Keychain can be individually turned on and off. 1password does not show up in this menu, so I believe that means it isn't syncing to iCloud at all outside of Keychain either. So I'm still pretty sure this is carrying over through my iTunes backup, but maybe someone from the staff can confirm.

    It's certainly convenient, but I'd take a increment of more security over convenience for an event that occurs so infrequently. Obviously it's a personal decision!

  • @vkap: Even without iCloud keychain, the app itself does store an encrypted copy of your Secret Key as otherwise there would be no way for you to unlock 1Password without entering your Secret Key each time. Annoying under the best of circumstances and extra annoying on small devices. I do believe this would travel with a backup causing the existing account to be found even if you have iCloud keychain totally disabled. You can learn more about that here.

    The key bit there is that last section about why your Secret Key is stored, but the section above is relevant as well. Your Secret Key is designed to protect your data when it's not on your devices. Think of it this way -- whether your Secret Key is saved to a backup or no, someone with their hands on your device can necessarily unlock your data with only your Master Password. Since not saving your Secret Key would only ever protect you in the likely very rare circumstance where someone had access to your device, but 1Password was not yet set up, we felt the convenience factor easily won out here. :+1:

  • vkap
    vkap
    Community Member
    edited November 2017

    Thanks @bundtkate!

    I certainly understand why the Secret Key should be stored on the device. I doubt anybody wants to type that in every time they access 1Password. I also understand the interplay between the Secret Key and the Master Password, and why it's an effective safeguard against data loss that the Secret Key is backed up in this way. However, I prefer to offline self-secure secrets that require infrequent entry, knowing that this is extra work and introduces more risk of data loss. While the Secret Key automatically populated in my 1pass vault on setup, I removed it (and was a little annoyed that it populated there in the first place) to minimize exposure (however unlikely it may be!).

    So the important bits to me (reversed in order from how you covered them) are this:

    whether your Secret Key is saved to a backup or no, someone with their hands on your device can necessarily unlock your data with only your Master Password.

    Yes, but having this data back up from my device also introduces the vulnerability of my physical device to archived backups of my device, which, through redundant archiving, could proliferate a bit more widely (though, as I mentioned, I try to practice good safeguards with these as well).

    I do believe this would travel with a backup causing the existing account to be found even if you have iCloud keychain totally disabled.

    It does appear so for encrypted iTunes backups. And if I had the option to turn this off, I would. I don't know if there's a way to implement an iOS app such that particular data (or all data) stored locally on the phone can be excluded from iTunes backups. This may have been the case pre-iOS9, when iTunes could be used to manage and sync apps specifically. Today, iTunes backups specifically exclude certain data (Health info, Keychain info) unless the backup is encrypted. If the backup is encrypted, it always includes this data. It doesn't appear that non-native apps can choose specificity for their data this way, and 1pass data will carry over onto an unencrypted backup as well (though, of course, the Secret Key will still be encrypted with the Master Password necessary for decryption under expected circumstances, and perhaps 1pass only stores it in Keychain, in which case it's piggybacking on Apple's native secret protection; wouldn't mind confirmation of this).

    It does appear that iCloud backups allow for more control, though. Under iCloud in iOS Settings, there are toggle buttons for "Apps Using iCloud"; I have many apps that appear here, but 1pass is not one of them. Presumably, this means 1pass has no ability to sync data on iCloud outside of Keychain (which, as I mentioned, I keep turned off) and, were I syncing on iCloud and not on iTunes, the Secret Key would not have carried over. I don't know this for sure; perhaps 1pass data is swept up because it hasn't opted into this toggle feature, but I doubt it. Again, even this would also be moot if the Secret Key isn't stored in 1pass app data and only in the Keychain.

    In any case, I'm still quite happy with 1pass and appreciate the thought you've put into things. I'm certainly fine with knowing that my Secret Key exists on backups of my phone which I always encrypt (and probably not on iCloud since I don't sync Keychain). I mostly just typed out the above points because I don't think the control I was seeking is worthless, even if obsessive and paranoid.

  • Hi @vkap

    Thanks for taking the time to share your thoughts. We don’t have any changes planned in this regard, but certainly as we move forward and re-evaluate these are points we can consider. One of the difficulties with Secret Keys is that they aren’t intended to be memorized, and many folks no longer have easy access to a printer (to print an Emergency Kit). We still recommend doing so if possible (printing the Emergency Kit), but reality for many folks makes that impractical.

    For an individual account losing your Secret Key is equivalent to losing your data. And many 1Password Families accounts only have one organizer, so if that person loses their Secret Key the whole family is in serious trouble. As such we felt it very important that this information be made as accessible as possible without unduely compromising security, and so we’ve done that. A toggle to turn this option off has been deemed counter productive, at this stage.

    Thanks again.

    Ben

  • vkap
    vkap
    Community Member
    edited November 2017

    Thanks @Ben.

    I don't own a printer either, but bounce such things to PDF and store them on encrypted, redundant, and geographically separated flash drives. High risk of loss is actually a feature to me and some of my clients much of the time. Especially with data like 1Password data, which is very convenient to have consolidated in one place, would be devastating to have compromised all at once, and would be only tedious to rebuild if completely lost (assuming authorized devices and offline-stored 2fa backup codes weren't all lost at the same time). But I digress; I'm not upset if it's not on the roadmap.

    In any case, can anyone confirm that the Secret Key rests in regular 1Password app data? Or does it exclusively live in the iOS Keychain? If the latter, it would only carry over in iTunes backups when encryption is enabled on those backups and would only carry over through iCloud if Keychain is toggled to back up to iCloud. This is still a pretty good middleground, even for me.

    Thanks again! Sorry for all the words.

  • vkap
    vkap
    Community Member

    Also, in case it helps anyone; another workaround would be to delete the 1Password iOS app before performing iTunes backups. This presumably removes all 1Password-related data in and out of Keychain before backup. This could work well if people rarely back up to iTunes.

  • AGAlumB
    AGAlumB
    1Password Alumni

    1Password data, which is very convenient to have consolidated in one place, would be devastating to have compromised all at once

    @vkap: I'm just not seeing how it makes a practical difference. Someone would have to have access to one of your devices that you've already signed into iCloud and know your Master Password. There's just nothing that can be done without that. I understand the feeling here, but when it comes to an actual attack storing the Secret Key just doesn't help an attacker get your data. And keep in mind that the function of the Secret Key is to protect 1Password users from brute force attacks against their Master Password in case our server is broken into. There's nothing to stop you from using a stronger Master Password if you believe you're likely to be targeted personally for attacks against your devices locally. :sunglasses:

    In any case, can anyone confirm that the Secret Key rests in regular 1Password app data? Or does it exclusively live in the iOS Keychain? If the latter, it would only carry over in iTunes backups when encryption is enabled on those backups and would only carry over through iCloud if Keychain is toggled to back up to iCloud. This is still a pretty good middleground, even for me.

    Correct. :)

    Also, in case it helps anyone; another workaround would be to delete the 1Password iOS app before performing iTunes backups. This presumably removes all 1Password-related data in and out of Keychain before backup. This could work well if people rarely back up to iTunes.

    Yep. :chuffed:

  • vkap
    vkap
    Community Member
    edited November 2017

    @brenty

    I'm just not seeing how it makes a practical difference. Someone would have to have access to one of your devices that you've already signed into iCloud and know your Master Password.

    Obviously, security is about layers and everything at this level is an incremental improvement. The Master Password and Secret Key have two different risk profiles. The Master Password is something I type out quite frequently and could be gleaned from observation or video. The risk of making it additionally complicated is that this will make it harder and slower to enter it, increasing that risk. The risk of forcing myself to type it in too frequently also compounds that risk. The Secret Key, in being entered very infrequently, has much fewer of these risks. A compromised device is one. A compromised backup is another one. Mitigating the Secret Key in backups could cut the number of scenarios in half. The risk is likely cut more than in half if one considers the type of adversary who'd mug me and the type of adversary who'd surveil my Master Password. And it's not that hard after having worked it out in this thread.

    And keep in mind that the function of the Secret Key is to protect 1Password users from brute force attacks against their Master Password in case our server is broken into.

    Yes, and an iCloud Keychain compromise coupled with that event would leave a lot of user data vulnerable. This is a reason why I wouldn't anticipate turning on iCloud Keychain backup. Not much related risk wrt my encrypted iTunes backups, though, without a very direct attack.

    if you believe you're likely to be targeted personally

    Just wanna note that, while I may be overly paranoid, I also have clients who have reason to be. And I also wouldn't, with the way things have been going, convince them to be less so as long as they aren't killing anyone or completely torching money.

    Correct. :)

    Thanks for the confirmation. I came to a lot of these realizations over the course of this thread. In the event that anyone else ever has this concern, I'd just point to the facts that the Secret Key is only stored in Keychain, Keychain iCloud backup can be turned off, and Keychain iTunes backup only occurs on encrypted backups.

    Yep. :chuffed:

    And also that workaround even if that wasn't enough. Thanks @brenty, @Ben, @bundtkate, and @thightower!

  • vkap
    vkap
    Community Member

    I'm just not seeing how it makes a practical difference. Someone would have to have access to one of your devices that you've already signed into iCloud and know your Master Password.

    Security is about layers and, at this level, it's all about incremental gains. The Master Password and Secret Key have different risk profiles. The Master Password is something I type in pretty frequently, so it could be gleaned by physical observation or through video footage. I use a strong one, but making it increasingly complicated would slow me down and increase need for re-entry due to failures, increasing that risk. For that matter, having to unlock 1Password too frequently would also increase that risk. The Secret Key, in being entered so infrequently, doesn't have this problem. A physical device could be stolen, or a backup of a physical device could be stolen, or a self-secured backup of the code could be compromised. Removing the Secret Key from backups cuts the number of factors by a third, and, given that an adversary who'd physically rob me probably isn't surveilling my passwords and I'm confident in how I secure my own backups, it cuts the risk by more than that. And it wouldn't be that hard to mitigate this given everything I've learned over the course of this thread.

    And keep in mind that the function of the Secret Key is to protect 1Password users from brute force attacks against their Master Password in case our server is broken into.

    Correct. And an iCloud compromise coupled with a 1Password compromise would likely put a lot of users' data at risk. This is why I don't anticipate backing up my Keychain to iCloud.

    if you believe you're likely to be targeted personally for attacks

    Just want to note that, though I may be overly paranoid, I do have clients who have good reason to be. And, given recent events, I don't advise people to be less cautious about cybersecurity than they're willing to be. As long as they aren't killing anyone or completely torching money.

    Correct. :)

    Yep. :chuffed:

    Thanks for the confirmation. I came to a lot of these realizations over the course of this thread. If anyone ever had this concern in the future, I'd just point out that the Secret Key only rests in Keychain, Keychain backups to iCloud can be disabled, Keychain backups to iTunes only occur when encryption is enabled on those backups, and even this can be mitigated by removing the app before backing up to iTunes.

    Thanks @brenty, @Ben, @bundtkate, and @thightower! I'm satisfied.

  • On behalf of the team you are very welcome. :) If there is anything else we can do, please don't hesitate to contact us.

    Ben

  • vkap
    vkap
    Community Member

    Apologies for the redundant post. It looked like I had deleted it when I attempted an edit and I begrudgingly retyped my thoughts.

    Anyway. Thanks again.

  • No worries. :)

    Ben

This discussion has been closed.