Doesn't a secure, random password make the "secret-key" sort of pointless?
I was not sure where to post this, but I was genuinely curious about it. I understand that for users with a weak password, a secret password could greatly strengthen their security, but couldn't relying on a one-time-generated, impossible-to-remember secret key actually be more cumbersome for people with already strong master passwords?
I imagine a scenario where, for some reason, I am in need of my passwords for an emergency, but for some odd reason the app has been reset on my phone or device, and I am not currently home or do not have access to a hard or soft copy of my secret key on hand at that moment. Without a secret key, I would just be able to re-login, but as it stands now, I will be locked out until I am able to retrieve my secret key from wherever I had placed it. That seems like a bad situation to be in.
A lot of services rely solely on TOTP instead of a master secret key, which in my opinion is probably an easier approach for most people to understand. I understand that you can enable TOTP for your account (which I have done), but now I have both 2FA and a secret key.
Is there a way to disable the secret master key?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
Is there a way to disable the secret master key?
There is not.
A lot of services rely solely on TOTP instead of a master secret key, which in my opinion is probably an easier approach for most people to understand. I understand that you can enable TOTP for your account (which I have done), but now I have both 2FA and a secret key.
TOTP strengthens authentication. The Secret Key strengthens encryption. They serve different purposes, and one does not negate the need for the other. They supplement each other.
I imagine a scenario where, for some reason, I am in need of my passwords for an emergency, but for some odd reason the app has been reset on my phone or device, and I am not currently home or do not have access to a hard or soft copy of my secret key on hand at that moment. Without a secret key, I would just be able to re-login, but as it stands now, I will be locked out until I am able to retrieve my secret key from wherever I had placed it. That seems like a bad situation to be in.
It is good that you're thinking about possible scenarios you may end up in. The next step is to consider how to best avoid finding yourself in such scenarios. One person (perhaps jokingly) suggested printing a copy of the Secret Key and keeping it in the bottom of their shoe. I actually think that is a pretty neat idea. It probably would be a good idea to laminate it, though. ;)
I was not sure where to post this, but I was genuinely curious about it. I understand that for users with a weak password, a secret password could greatly strengthen their security, but couldn't relying on a one-time-generated, impossible-to-remember secret key actually be more cumbersome for people with already strong master passwords?
It is definitely more cumbersome. That is part of the tradeoff. We're always trying to balance convenience and security. This is a case where security won. You can read more about the value of the Secret Key here:
About your Secret Key | 1Password
If you're interested in the nitty gritty, we go into much greater detail in our security design white paper:
1Password Security Design White Paper | 1Password
Ben
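To make the "authentication vs. encryption" distinction in the reply above concrete, here is an added illustration. It is my own toy code, not 1Password's actual key derivation (that is described in the white paper linked above); the salt, Secret Key, password and guess list are all constructed sample values, and the PBKDF2-then-HMAC mixing is a hypothetical scheme chosen only to show why a device-held random secret protects a stolen vault even when the master password is weak, while TOTP never enters an offline guessing loop at all.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values (not real 1Password data or its actual key schedule).
SALT = b"constructed-account-salt"
SECRET_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")  # 128-bit, device-held
WORDLIST = ["password", "letmein", "sunshine1", "qwerty123"]  # toy guess list


def vault_key(password: str, secret_key: Optional[bytes]) -> bytes:
    """Hypothetical derivation: stretch the password, then (if present) bind the
    random Secret Key into the result so that both are needed to reach the key."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if secret_key is None:
        return stretched
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def key_check_value(key: bytes) -> bytes:
    """Stand-in for 'can this key decrypt the vault': a tag stored beside the data."""
    return hmac.new(key, b"vault-header", hashlib.sha256).digest()[:16]


def offline_guess(kcv: bytes, secret_key: Optional[bytes]) -> Optional[str]:
    """Offline model: someone holds a copy of the encrypted vault (represented by
    kcv) and the Secret Key only if that was also obtained. No server is contacted,
    so a TOTP code (an authentication check) plays no part in this loop."""
    for guess in WORDLIST:
        candidate = key_check_value(vault_key(guess, secret_key))
        if hmac.compare_digest(candidate, kcv):
            return guess
    return None


def demo() -> dict:
    """Compare the three situations for one weak master password."""
    pw = "sunshine1"  # weak master password that appears in the guess list
    kcv_pw_only = key_check_value(vault_key(pw, None))
    kcv_with_sk = key_check_value(vault_key(pw, SECRET_KEY))
    return {
        "password_only": offline_guess(kcv_pw_only, None),             # found
        "secret_key_not_held": offline_guess(kcv_with_sk, None),       # not found
        "secret_key_also_held": offline_guess(kcv_with_sk, SECRET_KEY),  # found
    }


if __name__ == "__main__":
    print(demo())
```

Note that in the second case the correct password is in the guess list and still cannot be confirmed: without the Secret Key, every guess yields a key that is wrong in the full 128-bit secret, which is what the reply means by the Secret Key strengthening encryption rather than login.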