My iOS device didn't ask for the Secret Key
Hello everyone,
I'm a user of 1Password with a 1Password subscription and I have a question about the Secret Key.
Some days ago I received a new iPhone and I was surprised because the 1Password app didn't ask for my Secret Key. It just figured out (I don't know how) my Secret Key and I just had to write my Master Key.
I can understand that the 1Password app knows my email, but how does the app know my Secret Key? I had understood that the Secret Key is like 2FA, so if I don't have to write it, is it not a lack of security? Would it not be more secure if the user had to write the Secret Key?
Thank you in advance.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: iOS 11
Sync Type: 1Password subscription
Comments
-
Hi @mglolmos
The Secret Key isn’t quite like 2FA. The premise of 2FA is “something you know (a password), and something you have (a hardware token of some sort).” We refer to what we’re doing with the Secret Key as “two step verification (2SV).” Arguably what most people think of as 2FA (TOTP) is closer to 2SV than it is to real 2FA.
But in any event... the reason for this is that if you have iCloud Keychain enabled, 1Password will store the Secret Key there. You still maintain “two step verification” because you have to have not only your Master Password, but also your Apple ID/iCloud password. The advantage is that you don’t have to memorize your Secret Key, which is fairly impractical. One of the more common problems we see is folks losing their credentials for 1Password, which is something we can’t do anything about after the fact. As such we have to take some reasonable precautions (such as this one) to help be sure the credentials aren’t lost in the first place.
I hope that helps!
Ben
0 -
Thanks a lot for the explanation!!!
I would like to take the opportunity, if it's possible, to ask another question.
I also have 2FA (TOTP) activated, and my question is: do you have plans to send the 2FA (TOTP) by SMS?
Thanks again!!
0 -
You’re welcome. :) We do not plan to send TOTP codes via SMS, for a lot of reasons, some of which are discussed here:
https://discussions.agilebits.com/discussion/65775/is-otp-more-secure-than-sms-code
The video I linked in the last post of that thread is a little long, but worth watching if you’re using SMS as an authenticator.
Ben
0 -
Thanks a lot!!!
0