
New 1Password sign-in from...

kevin_dean
Community Member

I have installed 1Password on my Mac, my iPhone, and my iPad and am happily in the process of moving all of my data over from my previous password manager. I think the product is fantastic but there's a glaring security hole.

When I sign in from a new device or browser, I get an email with the subject "New 1Password sign-in from (wherever)". That's fine as far as it goes, but suppose my 1Password account is somehow compromised (e.g. someone gets their hands on my 1Password emergency kit). The intruder can get into my passwords, discover everything there is to know about my email, log in to my email, and delete the notification. If they do it fast enough or they do it at a time when they know I'm otherwise indisposed, I may not notice the email notification on any of my devices before it's deleted.

In addition to being sent by email, the "New 1Password sign-in from..." notification should be sent directly to all devices. There's still a hole if the intruder also has access to my devices and my device passcodes are stored in 1Password, but the hole is much smaller.

Thanks.



Comments

  • XIII
    Community Member

    LastPass uses an (additional) security email address for this:

    https://lastpass.com/support.php?cmd=showfaq&id=2465

    Might be something for AgileBits to consider?

  • AGAlumB
    1Password Alumni

    @kevin_dean: I may be misunderstanding what "security hole" you're referring to, so I'd appreciate any clarification you can offer. From your comments, it almost sounds like you're saying that having 1Password.com send you an email notification when a new device/browser is authorized is a security issue, and I'm not sure I follow your logic.

    You're right that email is not a secure channel, and that's why we don't include personal information or account details in those. Any of that can only be accessed by logging into your 1Password.com account. Only you have your Master Password (which you choose) and Secret Key (which is generated locally on your device), and neither is ever transmitted.

    So it seems to me that someone being able to access your email account won't automatically be able to access your 1Password data, and if they get your Master Password and Secret Key from you, they'd have access to everything you've stored in 1Password, not just your email login. This is why we recommend using a long, strong, unique Master Password which cannot be guessed, not sharing it with anyone, and also the Secret Key is used to encrypt your data to ensure that a brute force attack against your Master Password will not allow them to decrypt your data.

    With all of that in mind, and, again, unless I'm missing something, this doesn't seem like a "security hole" since it depends entirely on both your Master Password and Secret Key already being compromised. However, I do really like the idea of push notifications to authorized devices, not just as dumb notifications, but also perhaps as a form of two-factor authentication (confirm or deny) using the apps themselves, similar to what Apple is doing. I can't "confirm or deny" that it's something we'll do in the future, but it's certainly intriguing. Let me know what you think. :)

  • kevin_dean
    Community Member

    The point of the email notification is to alert the user that their account has been accessed from a new device, just in case the access is illegitimate. This is fine under most use circumstances but it falls apart when a savvy malicious actor is involved.

    Let's suppose that you and I are business partners. We each have 1Password set up under our business accounts and for continuity purposes we have each other's 1Password Emergency Kit in a sealed envelope. (The right way to do this would actually be for us to put the envelopes in escrow with strict rules around the circumstances in which they are to be released but perhaps in the early days of the business we're short of the time, money, experience, and paranoia necessary to do this.)

    Now something goes wrong. We start to disagree on the direction of the business. Our arguments get more heated and each is convinced that the other is driving the business off a cliff. In an effort to get a grip on things, I wake up at 3am one day when I know you're likely to be asleep, open your emergency kit, get your email password, log in to your email, and delete the new sign-in notification and for good measure purge it from your deleted items. Because the email is no longer in your inbox, the notification that was sitting on the home screen of your phone for you to see when you wake up disappears completely.

    I now have complete access to your side of the business and you know nothing about it.

    If, on the other hand, every device with which you use 1Password gets an app notification, you're going to wake up the next morning with your PC, iPhone, and iPad all telling you that someone, somewhere, got into your account. It does nothing to solve the immediate business problem but it gives you plenty of reason to ask the board to relieve me of my duties.

    Similar scenarios exist for husband and wife, child and aging parents, etc.

  • Ben

    Thanks for the feedback, @kevin_dean. I can't make any promises, but we appreciate you taking the time to share this scenario with us.

    For what it's worth you can check which devices have been authorized on your account from the My Profile page within your 1Password.com account (available through the web interface).

    Ben

  • TDK1044
    Community Member

    Personally, I don't think that there is ever a need to fill out, and/or print, the Emergency Kit. Doing so creates a potential security breach where there needn't be one. My Secret Key is embedded in an electronic document that is full of technical information... most of which is nonsense. I know that the only real information in that document is my secret key, which looks very similar to various other fictitious keys contained within the document, but nobody looking for credit card info, passwords or whatever, would have any interest in a meaningless technical document that bores the reader to death within seconds of opening it. I think that people just need to be a little creative in this area. :)

  • kevin_dean
    Community Member

    Thanks, @Ben, that's useful to know. @TDK1044, I'm with you on the issues with the Emergency Kit in general, but ultimately there has to be a way for an outside agent to get in under the right circumstances. Part of the "what if" planning my wife and I are doing includes not only life insurance and wills but also access to each other's digital life in the event of death or incapacitation. The Emergency Kit is the only way in that I can see.

  • Frank

    Hi @kevin_dean - I'm glad the information helped :smile: My wife and I have done something similar and it's good to plan ahead in the case of an emergency. My wife and I both printed our Emergency Kits and keep them somewhere safe. We didn't write our Master Passwords on the Emergency Kit but keep that in a separate location. I've heard from a couple of customers that have added the Emergency Kit to their wills, others keep it in a safe or safety deposit box. If you have any additional questions, don't hesitate to ask :+1:

This discussion has been closed.