Why wasn't Secret Key required?
I just finished setting up my wife's new iPad. It was set up as a new device. My wife and I have a Family 1Password account membership. I downloaded the 1Password iOS app. I told the 1Password app upon setting it up that my wife was an existing 1Password member. The app then populated the sign in screen with the correct name of our family account, and asked that her master password be entered. I entered her master password (which I know), and her account was populated with all of her login information. I was never asked for my wife's secret key, or required to scan in the bar code information from one of her other devices.
For security purposes, shouldn't the Secret Key or setup scanned code have been required? This was a new device, and had never accessed 1Password before. Does this mean that a hacker could likewise set up a new device and access our family's 1Password account with just my wife's master password, and without the extra security of the Secret Key? Also, I'm not sure how the 1Password app knew to populate the sign in screen with our family's account name without me even providing an email address or other identifying information. (I am pretty sure I didn't provide an email address, but maybe I'm wrong on that part.)
I am a longtime 1Password customer, and am hoping you can reassure me that my experience as described above does not mean my data is less secure than I hope it is! Thank you,
Mark
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:secret key
Comments
@MarkDres Thank you for writing in with your security concerns! The secret key, along with your email address and server, are stored in iCloud Keychain so that, should you delete the app, you don't lock yourself out. We've seen a number of people who don't even realize they have a secret key get into a situation where they've put all their data into their 1Password.com account, only to find that upon deleting the app they're suddenly and irreparably locked out of their data. It is meant as an additional safeguard against losing your account key.
You can read about it in more detail in this post by @AGKyle: https://discussions.agilebits.com/discussion/comment/373216/#Comment_373216