Why do I need to type secret key into your website?
Your page https://support.1password.com/secret-key-security/ says that Secret Keys for accounts never need to leave my devices (apart from printing Emergency Kit). So why do you ask me to enter it on your website to get access to my account details? Is your documentation wrong?
1Password Version: 6.8.6
Extension Version: Not Provided
OS Version: macOS 10.11.6
Sync Type: iCloud?
Referrer: forum-search:"secret key"
Comments
-
To be more specific your page says of the Secret Key "Keep it secret. Don’t send it to us or make it public."
0 -
Hey @jgclark
Don’t worry, the information is correct. When you are logging into the website you aren’t actually providing the secret key to 1Password.
Some bedtime reading. Everything you need to know about the encryption used at 1Password
To put it simply. When you put your key in the front door to your home, nobody can see your locking mechanism or your key while it’s in the lock. The only way for them to know what your key looks like is by showing it to them.
Your secret key works in exactly the same way. Nobody can see it unless you show it to them, which is why it is important not to share it, say in an email or on the forum here.
Hope that helps clear it up for you!
0 -
Your page https://support.1password.com/secret-key-security/ says that Secret Keys for accounts never need to leave my devices (apart from printing Emergency Kit). So why do you ask me to enter it on your website to get access to my account details? Is your documentation wrong? To be more specific your page says of the Secret Key "Keep it secret. Don’t send it to us or make it public."
@jgclark: Indeed, that's a great question! I'm actually a bit surprised it doesn't get asked more often, but the short version is that 1Password.com is a web app that runs entirely within your browser on your local machine. So it isn't operating the way you might expect. However, you'd also be right to point out that it has to communicate with the server in order to get the data from your account (even though it's encrypted there and in transit, and decrypted locally when you use it). So there we're using SRP — Secure Remote Password protocol: instead of sending your account credentials to the server, a cryptographic verifier is derived from your account credentials, and that is sent to us to prove that you have your correct account credentials even when we never do. All of that is set up when you create the account: the Secret Key is generated locally on your device, the Master Password is chosen by you, and the only thing we ever get is the verifier derived from those, so we know that you're not using different credentials than the ones you've used to encrypt your data locally. There's a lot more detail in the white paper TristanTrx linked, but be sure to let me know if you have any questions. Cheers! :)
0 -
Appreciate the answers, guys.
TristanTrx: I understand your explanation, but when I'm entering it into a website it seems from all other experience that you're actually showing it to the world (or at least any person who's taking the trouble to read your traffic).
brenty: I'd read enough of your security blog in the past to know that you almost certainly weren't doing something odd here, and so went ahead anyway and entered the secret key for the account. Thanks for the summary of what's going on. I wonder if there is a way of making it clear for users that this isn't the usual password authentication handshake? Are there any other well-known applications of SRP? It's the first time I'd come across it, and I do know my sftp from my ftp from my udp from my ip ...
0 -
Reading your traffic doesn’t have any effect here as
- Data transmissions between your web browser and 1Password.com are TLS encrypted (though this is just one layer of security)
- Your Secret Key isn’t transmitted (even in encrypted form). It doesn’t leave your web browser.
We’d be open to suggestions on how we might make this more clear in the interface, but the reality of the matter is that unfortunately most people don’t care and don’t make the distinction. So, if we were to try and give an indication of this, it would need to be in an unobtrusive way that doesn’t cause more confusion than it prevents. Quite the challenge, I think.
:)
Ben
0 -
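The exchange brenty describes (a verifier derived from the credentials at account creation, then a login that proves knowledge of them without sending them) and Ben's point that the Secret Key never crosses the wire can both be seen in a worked SRP-6a run. The block below is an added example, not 1Password's code: it uses the 1024-bit group from RFC 5054 Appendix A with SHA-256, and the `derive_x` step is a constructed stand-in that simply concatenates the Master Password and Secret Key, standing in for 1Password's own two-secret key derivation described in the white paper. All identities, passwords and Secret Key strings are constructed sample values. The `wire` list records every message either side sends, so the last function can check that neither secret ever appears in the traffic an eavesdropper would see.

```python
"""Worked SRP-6a login (RFC 5054 style), pure Python, runs offline."""
import hashlib
import secrets

# 1024-bit safe-prime group from RFC 5054, Appendix A. Real deployments use
# larger groups; this one keeps the pure-Python exponentiations fast.
N = int("""
EEAF0AB9 ADB38DD6 9C33F80A FA8FC5E8 60726187 75FF3C0B 9EA2314C 9C256576
D674DF74 96EA81D3 383B4813 D692C6E0 E0D5D8E2 50B98BE4 8E495C1D 6089DAD1
5DC7D7B4 6154D6B6 CE8EF4AD 69B15D49 82559B29 7BCF1885 C529F566 660E57EC
68EDBC3C 05726CC0 2FD4CBF4 976EAA9A FD5138FE 8376435B 9FC61D2F C0EB06E3
""".replace(" ", "").replace("\n", ""), 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(x: int) -> bytes:
    """Left-pad an integer to the byte length of N (RFC 5054 PAD)."""
    return x.to_bytes(N_LEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def derive_x(salt: bytes, identity: str, master_password: str, secret_key: str) -> int:
    # Constructed stand-in for 1Password's two-secret key derivation: both
    # secrets feed the hash, so a wrong Secret Key gives a wrong x just like a
    # wrong Master Password does. The real scheme (2SKD) is not reproduced here.
    credential = f"{master_password}:{secret_key}".encode()
    inner = hashlib.sha256(identity.encode() + b":" + credential).digest()
    return H(salt, inner)


def enroll(identity: str, master_password: str, secret_key: str) -> dict:
    """Account creation: the client derives the verifier locally; the server
    stores only (identity, salt, verifier), never the secrets themselves."""
    salt = secrets.token_bytes(16)
    x = derive_x(salt, identity, master_password, secret_key)
    return {"identity": identity, "salt": salt, "verifier": pow(g, x, N)}


def login(record: dict, identity: str, master_password: str, secret_key: str) -> dict:
    """One SRP-6a authentication. Returns acceptance flags plus the wire log."""
    wire = []  # (sender, label, bytes) for every message that crosses the network

    def send(sender: str, label: str, data: bytes) -> bytes:
        wire.append((sender, label, data))
        return data

    # Client -> server: identity and ephemeral public value A = g^a
    a = secrets.randbits(256)
    A = pow(g, a, N)
    send("client", "identity", identity.encode())
    send("client", "A", pad(A))

    # Server -> client: salt and B = k*v + g^b, computed from the stored verifier
    if A % N == 0:
        raise ValueError("client sent A == 0 mod N")
    v = record["verifier"]
    b = secrets.randbits(256)
    B = (k * v + pow(g, b, N)) % N
    salt = send("server", "salt", record["salt"])
    send("server", "B", pad(B))
    if B % N == 0:
        raise ValueError("server sent B == 0 mod N")

    # Both sides: scrambling parameter u from the public values only
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("u == 0, abort")

    # Client: session key from its own secrets (x never leaves this scope)
    x = derive_x(salt, identity, master_password, secret_key)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = hashlib.sha256(pad(S_client)).digest()
    M1 = send("client", "M1", hashlib.sha256(pad(A) + pad(B) + K_client).digest())

    # Server: the same session key from the verifier alone, then check M1
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    K_server = hashlib.sha256(pad(S_server)).digest()
    expected_M1 = hashlib.sha256(pad(A) + pad(B) + K_server).digest()
    server_ok = secrets.compare_digest(M1, expected_M1)

    # Server -> client: M2 proves the server also knew the verifier
    client_ok = False
    if server_ok:
        M2 = send("server", "M2", hashlib.sha256(pad(A) + M1 + K_server).digest())
        client_ok = secrets.compare_digest(M2, hashlib.sha256(pad(A) + M1 + K_client).digest())
    return {"server_accepted": server_ok, "client_accepted": client_ok, "wire": wire}


def appears_on_wire(wire: list, secret: str) -> bool:
    """True if the secret string shows up verbatim in any transmitted message."""
    needle = secret.encode()
    return any(needle in data for _, _, data in wire)


if __name__ == "__main__":
    rec = enroll("jg@example.com", "correct horse battery staple", "A3-EXAMPLE-SECRET-KEY")
    good = login(rec, "jg@example.com", "correct horse battery staple", "A3-EXAMPLE-SECRET-KEY")
    bad = login(rec, "jg@example.com", "correct horse battery staple", "A3-WRONG-SECRET-KEY")
    print("correct credentials accepted:", good["server_accepted"] and good["client_accepted"])
    print("wrong Secret Key accepted:", bad["server_accepted"])
    print("Secret Key visible on the wire:", appears_on_wire(good["wire"], "A3-EXAMPLE-SECRET-KEY"))
```

Two things are worth noticing when reading the wire log: the client's only secret-dependent message is `M1`, a hash of a session key that both sides reach by different routes, and the server checks it with nothing but the stored verifier. A wrong Secret Key changes `x`, so the client's session key no longer matches the server's and `M1` fails, without the server ever learning what was typed.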
@Ben, indeed it's a challenge. But you already have a little ? circle next to the Secret Key field. At the very least you could simply add a "Why are we asking for this?" or a "How the Secret Key actually stays on your device" subsection to that page, for those that care enough about this. That's also why I asked about who else uses SRP, to see who else faces this challenge, and whether anyone else has found solutions here.
0 -
@jgclark - thanks for the suggestion, and I'm glad we were able to clear it up for you. Striking a balance between informing the curious (or worried) and overloading the interface with detail that most people aren't interested in is an ongoing process of adjustment. We really appreciate users like you who take the time to tell us what worked well or could've been clearer or done better for you, because it lets us know where there might be room for improvement. So thanks for taking the time to be a part of the process of making 1Password as good as it can be. I can't promise you'll see your points addressed in the way you suggest, but I can say that we're grateful you took the time to let us know. :)
0 -
@jgclark: Indeed, thanks for your feedback on this! The real challenge isn't providing the information, but that the answer to the question "Why are we asking for this?" takes most of the white paper to explain. The obvious, concise answer is "Because the Secret Key is needed to access your data", but I think people know that. The full answer, however, is much too long for a little informational popup...but we're always happy to get into the weeds about the details here with anyone who's interested! ;)
0