
Strategies for Secret Key

utcv
Community Member

I won't mince words: The Secret Key drives me up the wall.

Here's the basic issue: It's labeled an "emergency," and yet you need it very, very often. Just today I had an example. I was on my phone and I got an email from 1Password saying that my family member had created an account and it wanted me to confirm it. No problem! Well, yes, there is. I clicked the button and the damned site wants my Secret Key. I don't have it. It's an emergency and in a safe place. So, I can't log in.

I've taken to putting it in a bunch of places trying to obscure it so it's not obvious what it's for, but doesn't this weaken security? I cannot possibly remember it and yet I have needed it multiple times for whenever I log into something that 1Password doesn't recognize as a trusted source.

I get it. I understand, but it's still inconvenient.

What are some strategies for keeping this key without compromising security?



Comments

  • utcv
    Community Member

    In my opinion? For those of us using 2FA, the website should allow the option of 2FA instead of the Secret Key for the times when it's not available.

  • danco
    Volunteer Moderator

    I don't think you need the secret key "very very often". It's really only needed during first login/setup on a new device. It seems that this also includes you confirming that another family member wants to create an account, but that is also only very occasional.

    And the secret key is visible (or, perhaps, just copyable) if you go to your account in the web browser, and it is also stored in 1PW itself.

    I believe the only reason one may have to use it more than occasionally is if one is using a browser in incognito mode, as then the secret key does not get kept in the browser.

  • utcv
    Community Member
    edited May 2018

    It is something I've run into enough for it to be a hindrance for me. Perhaps it'll become less of an issue for me over time. It sounds like it.

    I still think it would be a good idea to offer 2FA during those times. I have that set up in my account and I think it's a good substitute for the Secret Key.

    For now, I've put the secret key directly in 1Password. As long as I can access it in a quick-copy way, I should be okay. That's why my question was about strategy for keeping it handy more than about the necessity of the secret key in general. At least, that's how I wanted the message to come across. Admittedly, I came here pretty frustrated after trying all kinds of things to get logged in on my phone's browser.

    Thank you for your response.

  • danco
    Volunteer Moderator

    Looking at my 1PW account, I find the secret key was automatically installed in 1PW, I did not have to install it myself. Look at the tag "starter kit" to find the item that includes it. But I am using 1PW on my Mac, I don't have an iPhone, so it might not be visible on an iPhone.

    I do hope and expect that after a while you will be asked for the key only very rarely. Certainly that's been my experience.

  • AGAlumB
    1Password Alumni

    > I won't mince words: The Secret Key drives me up the wall. Here's the basic issue: It's labeled an "emergency," and yet you need it very, very often.

    @utcv: I'm sorry to hear you're having some frustration. I'd like to understand why. Of course it will vary based on each of our individual usage, but personally I enter it maybe once a week -- and that's, worst case scenario, a copy and paste. And usually I just scan the Setup Code so I don't even have to do that. I think maybe I've typed it in by hand once. This past week, however, I've signed into my account on a new device I purchased, so there may have been more than that. I have a few accounts, and I probably signed into one somewhere else to test something. But that's definitely not typical for most people. We don't buy new devices frequently (I don't think), and I'm a bit of an edge case because it's my job to try to break things, and that means a lot of resets.

    > Just today I had an example. I was on my phone and I got an email from 1Password saying that my family member had created an account and it wanted me to confirm it. No problem! Well, yes, there is. I clicked the button and the damned site wants my Secret Key. I don't have it. It's an emergency and in a safe place. So, I can't log in.

    As **danco** mentioned, it's probably not a common occurrence for most people to invite new members. I know I haven't this year (unless you count imaginary people in a test account). But, regardless, are you not using 1Password on your phone already? If so, you'll have your Secret Key right there in the app, both in your account settings and, probably, in a Login item in your vault (that's the Starter Kit he referenced). Is that not the case?

    > I've taken to putting it in a bunch of places trying to obscure it so it's not obvious what it's for, but doesn't this weaken security? I cannot possibly remember it and yet I have needed it multiple times for whenever I log into something that 1Password doesn't recognize as a trusted source. I get it. I understand, but it's still inconvenient.

    If you're thinking about signing into your 1Password.com account (or accessing any sensitive information) on an untrusted device, please stop and think again. This is not a safe thing to do. I know it's tempting to think that two-factor authentication can protect you, but it can't.

    > What are some strategies for keeping this key without compromising security?

    Getting back to the Secret Key, the great thing about 1Password is that you don't have to try to obfuscate things there. And it requires your Master Password to unlock. So having the Secret Key available there means you'll always have it with you so long as you have an authorized device. The Emergency Kit really is just for emergencies: if your devices are lost, stolen, or destroyed, you'll still be able to access your account on a new one using that.

    > In my opinion? For those of us using 2FA, the website should allow the option of 2FA instead of the Secret Key for the times when it's not available. It is something I've run into enough for it to be a hindrance for me. Perhaps it'll become less of an issue for me over time. It sounds like it. I still think it would be a good idea to offer 2FA during those times. I have that set up in my account and I think it's a good substitute for the Secret Key.

    It's not possible because 1Password's security model is based on encryption: both the Secret Key and Master Password are needed to decrypt the data. If we made it so you could sign in without the Secret Key, you would still not be able to access your data; it would be encrypted and unreadable. Two-factor authentication means that you're proving that you have something in addition to your static login credentials in order for you to access your account, but that's completely separate from how 1Password protects your data. Authentication just protects against access to your account by preventing new devices from being authorized without it. The "keys" to the data are also needed.

    > For now, I've put the secret key directly in 1Password. As long as I can access it in a quick-copy way, I should be okay. That's why my question was about strategy for keeping it handy more than about the necessity of the secret key in general. At least, that's how I wanted the message to come across. Admittedly, I came here pretty frustrated after trying all kinds of things to get logged in on my phone's browser. Thank you for your response.

    That's definitely one thing we recommend, and recent 1Password.com signups generate the Starter Kit automatically. This is like keeping a spare key to the safe in the safe, so it isn't a security risk. So long as you know your Master Password and have an authorized device you can unlock with it, you'll have everything you need to set up a new one, even without the Emergency Kit.

    Definitely an interesting discussion. It sounds like you've got a good system now, but I appreciate you bringing this up since others can benefit too. Cheers! :)
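
The distinction drawn in the reply above (the Secret Key is key material, while 2FA only gates access) can be shown with a simplified sketch. This is an example added here, not 1Password's code or its exact key-derivation scheme; the function names, sample credentials, PBKDF2 parameters and the toy SHAKE-256 stream cipher standing in for a real authenticated cipher are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample credentials, not real 1Password values.
MASTER_PASSWORD = "correct horse battery staple"
SECRET_KEY = "A3-SAMPLE-000000-00000-00000-00000"

def derive_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Mix both secrets into one 32-byte key (simplified two-secret derivation)."""
    # Slow KDF for the low-entropy, memorised secret.
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    # A single keyed hash is enough for the random, device-stored secret.
    sk_part = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHAKE-256 keystream) standing in for a real AEAD.
    stream = hashlib.shake_256(_subkey(key, b"enc") + nonce).digest(len(data))
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(key, nonce, ct)

def demo() -> dict:
    salt = secrets.token_bytes(16)
    vault = seal(derive_key(MASTER_PASSWORD, SECRET_KEY, salt), b"bank PIN: 0000")
    # Passing 2FA only gets `vault` released by the server; it adds no key material.
    return {
        "password + secret key": unseal(derive_key(MASTER_PASSWORD, SECRET_KEY, salt), vault),
        "password only": unseal(derive_key(MASTER_PASSWORD, "", salt), vault),
        "secret key only": unseal(derive_key("", SECRET_KEY, salt), vault),
    }

if __name__ == "__main__":
    print(demo())
```

Only the first attempt returns the plaintext; the other two return `None` because the derived key differs, regardless of any authentication step that released the blob.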

  • utcv
    Community Member

    When you say that the key is already added to 1Password, do you mean as an entry? Or is the PDF saved there?

    When I brought up the 1Password app in iOS at the time I was trying to log in, I saw two entries related to 1Password. One had a partially obscured Secret Key and the other had no Secret Key. Is it somewhere else?

  • danco
    Volunteer Moderator

    Even when the secret key is partially obscured, you should still be able to copy it. I've only done that on a Mac, where there is a Copy button available. There will be something similar for iOS, but I don't know exactly how to get it.

  • AGAlumB
    1Password Alumni

    > When you say that the key is already added to 1Password, do you mean as an entry? Or is the PDF saved there?

    @utcv: Recent 1Password accounts have a Starter Kit that is 3 items which are automatically generated at the time of account creation — one of which includes the account credentials. All 1Password.com accounts ever created have an Emergency Kit which can be downloaded from the website as a PDF.

  • AGAlumB
    1Password Alumni

    @danco: There isn't really a way to copy it from the account settings, only display it as large type onscreen. But for most 1Password.com members, it can be copied from the Starter Kit login item. And anyone else can create their own. I actually made all of mine before we had the idea of having something like that generated during sign up. So mine are a bit less pretty. Crude, but effective. :)

  • utcv
    Community Member

    @brenty I sincerely didn’t see anything that had the full secret key. Having said that, I can think of two plausible scenarios in which I may have missed it or it’s simply gone from my vault.

    1. When you’re in the Safari browser and need to log in to something, the icon shelf that brings you to 1Password will only show those items which match the URL in Safari at that time. I don’t know how the secret key is saved. Perhaps I didn’t see it because the URL in which I launched 1Password associated with items that didn’t have the secret key. I can’t recall whether I opened the full iOS app but I believe I did. Nevertheless, I consider this the least plausible of my two scenarios, if I understand how the product works.

    2. When I first set up 1Password, I had tried to import my LastPass sites into it but I found a quirk in LastPass’s Firefox plug-in and the export tool therein. Essentially, every password with an ampersand in it was exported as “&amp” in the csv. This, of course, came into 1Password as “&amp” and, therefore, all sites with the ampersand wouldn’t log in properly. When I exported from the LP website, it all worked. In the course of figuring out what had happened, I completely emptied the 1Password vault in order to reimport the sites with correct information. If the Key was a part of that vault, I inadvertently removed it.

    Any thoughts on either of those possibilities?

    Cheers

  • prime
    Community Member

    Like @brenty I made my own login with this info, so it was pretty easy to log in when I needed to. I don’t log in that often, once every few weeks. When I need to, it takes a few seconds to do so.

    2SA is great, but it’s far from 100%.

  • AGAlumB
    1Password Alumni

    @utcv: As an example, if you're using 1Password on your iPhone, you can go to 1Password Settings > Accounts > (account) > Reveal Your Secret Key. It's certainly possible that you deleted the Starter Kit items in the purge you did due to the import issue. But if this is the same account and that was within the last year, you may still be able to find them in 1Password.com > Trash > Deleted Items. Of course that could be easier said than done if you deleted a ton of stuff, but otherwise you can always create a new login yourself and save your account credentials there. The Secret Key will not fill automatically though, only (email) username and (Master) password.

  • utcv
    Community Member

    @prime When you say that you made a login, do you mean it auto fills all of those fields including the key?

  • prime
    Community Member

    @utcv

    I did, it works on my main account, but I can’t get it to work on my work account. On my work account, it fills, but it gives me the error that something is incorrect. So I just copy the info and paste it. On my iPad I can just drag and drop the info. It takes a few seconds to get into the account.

  • utcv
    Community Member

    @prime

    Did you make this manually? I haven’t yet figured out how to make custom entries.

  • AGAlumB
    1Password Alumni

    @utcv: After creating the Login and saving your username and password there, you can add a custom field for the Secret Key:

    How to customize your 1Password items

    These cannot be filled by 1Password, but can be added to any item. Cheers! :)

  • prime
    Community Member

    @brenty thanks for that link. I was going to see if I could find something like that link and you did it :)

  • Manaburner
    Community Member
    edited May 2018

    Whenever I have to log in to the website to confirm a member or for other administrative tasks, I'm using 1Browser inside the 1Password iOS App. As it fills all the fields using the "Starter Kit" login item, I don't even have to type anything. Works perfectly for me.

  • utcv
    Community Member

    @brenty I found that item in the Trash and have restored it. Thanks for the tip.

  • AGAlumB
    1Password Alumni

    @prime: :) :+1:

  • AGAlumB
    1Password Alumni

    @Manaburner: That's a neat hack! :chuffed:

  • AGAlumB
    1Password Alumni

    > I found that item in the Trash and have restored it. Thanks for the tip.

    @utcv: Awesome! I'm glad to hear it! Personally, I love item history too because I get rid of stuff I shouldn't more than I should... :unamused:

  • prime
    Community Member

    @brenty what @Manaburner said:

    > Whenever I have to log in to the website to confirm a member or for other administrative tasks, I'm using 1Browser inside the 1Password iOS App. As it fills all the fields using the "Starter Kit" login item, I don't even have to type anything. Works perfectly for me.

    I would LOVE if 1Password can make it so this is the only way to log into the online account. So if I have this feature enabled, it will not let me or anyone else log into my account from a browser, just 1Browser inside 1Password itself.

    I know we talked about this before, just an idea. I know some people freak out logging on a browser, so this can help with these people.

  • AGAlumB
    1Password Alumni

    @prime: Indeed, it's a cool idea. I'm not sure how we could enforce that in 1Browser, but if it could be done securely (not using user-agent of course) it seems promising. :)

  • Manaburner
    Community Member

    I'm not quite sure however if the "Clear Web Data" button does what it says. When I open the 1Browser and go to my 1Password Family login page, it seems to have remembered my email address as well as my secret key. It does that even if I hit the said button.

    Or does it only seem that way? Does 1Browser already fill email address and secret key because I'm signed in to that account in the app?

  • AGAlumB
    1Password Alumni

    Yeah, it's confusing because we don't have direct control over this, as the in-app browser is Safari. 1Password.com doesn't use cookies, and clearing Safari's local storage isn't an option for us.

This discussion has been closed.