Account recovery in Family... means my key is different?
All of the documentation that I've seen says that my data is only encrypted with my master password and my secret key.
However if you forget these then one of the family account options is to initiate an account recovery. My family organizer does not have my master key, nor my secret key. If they are able to initiate a recovery then obviously my data is not encrypted with my master password and my secret key but with something else entirely. More concerningly, it also implies that my family organizer and/or 1Password essentially have access to this other key.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
Thank you for your question. I believe the technical details are explained in our white paper: https://1password.com/security/
To describe it in just a few words -- every user has a keyset that contains their public and private keys. When the vault access is granted, the vault key is provided to you by encrypting this key with your public key. During the recovery a new user keyset is generated and all vault keys are re-encrypted again with your new public key, giving you access back. The family organizer belongs to a special "recovery group" behind the scenes and this special group has access to the vault keys (for recovery) but not to the vault contents.
Thanks @roustem, I'd obviously missed that when reading the whitepaper (not sure how).
One follow-up question re the whitepaper which states:
A member of a recovery group will only be sent the encrypted vault keys after the user requesting recovery has re-created their account.
Doesn't this mean that 1Password themselves store this in some way? (I know public key cryptography can get a bit circular but it would seem that the protection of the recovery key really just comes from access control and that 1Password fundamentally control that access?)
You are very welcome, @wraith!
1Password does store encrypted vault keys but only the team/family member that created the vault or was given access to the vault can decrypt these keys.
The recovery group is special in the sense that it is given access to all vault keys in the account. This allows decryption and re-encryption of the vault keys during the recovery. It can only be done by the person that belongs to the recovery group. Note that the recovery group permissions do not allow any access to the encrypted vault data (only the vault keys) and this permission is enforced by the 1Password server.
The access to the recovery group is done through the public/private keys as well. When a team member is added to the recovery group, a new group membership record is created and this record stores the recovery group keyset that is encrypted with the team member's public key.
All this allows the team admins/owners and family organizers to perform the recovery within their accounts without requiring full access to all the vaults. When the admin or family organizer clicks the "Complete Recovery" button the web app re-encrypts all vault keys and sends them back to the server.
The nice thing about this entire process is that there is no point at which our company employees have any access to the unencrypted customer data.
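The keyset / vault-key / recovery-group relationship described in the two replies above, as an added illustration that is not 1Password's code and not the scheme from the white paper: RSA-OAEP stands in for the real key wrapping, the hypothetical CompleteRecovery function plays the organizer's "Complete Recovery" step, and the vault key is a constructed random value. Note that the server's refusal to hand the recovery group any encrypted vault contents is a policy check in the product, so it appears here only as a comment.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Wrap encrypts a vault key to a party's public key; only the matching private
// key opens it. RSA-OAEP is this example's assumption, not the product's scheme.
func Wrap(pub *rsa.PublicKey, vaultKey []byte) []byte {
	c, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, vaultKey, nil)
	if err != nil {
		panic(err)
	}
	return c
}

// Unwrap recovers a vault key with the private half of a keyset.
func Unwrap(priv *rsa.PrivateKey, wrapped []byte) []byte {
	p, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		panic(err)
	}
	return p
}

// CompleteRecovery is the organizer's step. The server releases only the copy of
// the vault key wrapped to the recovery group, never the encrypted vault contents
// (server policy, not cryptography); the organizer re-wraps it to the new user key.
func CompleteRecovery(keyForGroup []byte, group *rsa.PrivateKey, newUserPub *rsa.PublicKey) []byte {
	return Wrap(newUserPub, Unwrap(group, keyForGroup))
}

// RecoveryDemo runs the flow end to end and reports whether the re-created
// account ends up holding the original vault key.
func RecoveryDemo() bool {
	gen := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	user, group := gen(), gen()
	vaultKey := make([]byte, 32) // constructed 256-bit vault key
	rand.Read(vaultKey)
	keyForUser := Wrap(&user.PublicKey, vaultKey)   // stored when the vault was shared with the user
	keyForGroup := Wrap(&group.PublicKey, vaultKey) // the recovery group's copy
	user = gen() // master password and secret key lost: account re-created with a fresh keyset
	keyForUser = CompleteRecovery(keyForGroup, group, &user.PublicKey)
	return bytes.Equal(Unwrap(user, keyForUser), vaultKey)
}

func main() { fmt.Println("recovered vault key matches original:", RecoveryDemo()) }
```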