Secret key migrated to new Android device
I recently set up a new Android device by migrating from an existing one using Google's migration setup (I don't think there was any device/manufacturer custom transfer going on). This was a wifi only transfer which supposedly was based on app data backup to Google drive.
When I went to set up 1Password on the new device I expected to have to enter/scan my account's secret key, but the app detected my saved account and all I had to enter was the master password. I've seen similar questions to this related to iCloud keychain on the mac but not to Android -- is the secret key stored in Google drive device backups or does this mean that there was actually some local network/bluetooth device->device data transfer going on? (The first possibility seems concerning but the second one much less so).
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
@rationull: Thanks for reaching out. I’m sorry for the confusion! Indeed, if you have Settings > System > Backup enabled, that will include app data, which in 1Password's case includes the Secret Key (as with iCloud on iOS). That will only be accessible to you through your own Google Account though, which allows it to be transferred to your other devices. It isn't ever sent to us, as the purpose of the Secret Key is for additional security in the event that an attacker breaks into our server and steals the encrypted database. That way they will not be able to perform a brute force attack against users' Master Passwords, as the Secret Key is also needed. I hope this helps. Be sure to let me know if you have any other questions! :)
0 -
@brenty Good to know. I'd read about the analogous behavior with iCloud but the forum posts on that implied that AgileBits had specifically evaluated iCloud's security model and determined this was acceptable. Perhaps the same is true for Android assuming that backups have equivalent security to Google Drive storage.
Logically this seems reasonable -- the key is not stored in the same place as the database and even if both are obtained somehow (e.g. a targeted attack) then the database is still protected by the master password. So this is equivalent to using any other password manager without a Secret Key or keyfile and storing the database in Google Drive or iCloud.
Initially I was surprised because I was thinking of the secret key as being an on-device-only additional keyfile which is not transmitted -- clearly a misinterpretation on my part! Not to turn this into a feature request but it seems like treating it that way would be even better at the marginal cost of more difficulty when replacing devices.
Thanks for the quick response -- great product and keep up the good work!
0 -
Indeed, @rationull. We evaluated the security of storing the Secret Key in Google backups before implementing this. I'll pass your feedback on to the team! Let us know if you ever need anything else! :)
0 -
@rationull: Likewise, thanks for the kind words and your feedback on this! Indeed, backups are secured along with Google Drive. Since 1Password.com's Two-Secret Key Derivation using the Secret Key is pretty different from other things out there, it can be a bit confusing, so we're always working to make things clearer to users. How it works is great because of the unique security properties involved, but I agree that there's room for improvement with regard to communication. In case it helps, you can also use two-factor authentication to have additional protection for new sign ins. Just be sure to backup your TOTP secret like you do your other account credentials in that case so you don't lock yourself out of your account. Cheers! :)
0