iCloud sync question

I have a 1Password.com account that I use on my iOS devices and PC. My question is if I have a separate vault that I sync only with iCloud, and someone happened to have my master password and secret key, would the only way they have access to that vault be if they got past Apple's two step verification? I would be comfortable with that. I just want to be sure there's no other way they could have access to it other than if they had one of my Apple devices.

The only reason I want a second vault is because I use 1Password on Windows and if somehow someone captured my secret key (I know it's only entered once and the odds of someone capturing it are very small but I know a PC is far more likely to be compromised than iOS or Mac) I wouldn't want them to have access to a few specific things.

Do you need to subscribe through iTunes to sync through iCloud?

Comments

  • Ben AWS Team

    Team Member

    Hi @xjustintime,

    Thanks for taking the time to write in.

    I'm a little confused here. If you have a 1Password account, why are you storing 1Password information in iCloud as well? That would not be the recommended approach. By doing so you lose the protection of the Secret Key for the information stored in iCloud. Secret Keys do not protect data in iCloud (or anywhere other than 1Password.com membership vaults).

    and someone happened to have my master password and secret key, would the only way they have access to that vault be if they got past Apple's two step verification? I would be comfortable with that. I just want to be sure there's no other way they could have access to it other than if they had one of my Apple devices.

    If your device is already authenticated with your Apple ID and someone turns on iCloud syncing within 1Password that will not prompt for Apple's two step verification. As the device is already authorized the request will go through without additional verification.

    Do you need to subscribe through iTunes to sync through iCloud?

    You do not, no.

    Ben

  • Hi Ben,

    Thanks for responding. The reason I wanted to sync a few things on a local vault was because I'm concerned about the small (remote?) possibility that my secret key was captured by a keylogger. I know how vulnerable PCs are.

    I was thinking that if I had some information on a local vault, someone wouldn't be able to access it unless they had my phone.

    When you mention turning on iCloud syncing and it not prompting two factor or two step, do you mean on my own trusted device?

    My thinking is that if someone tries to either install the app with my password and secret key on their own iDevice or Mac, they can't access the local vault. If they try to do a restore from my iPhone's backup, they would need my code that Apple sends.

    I would prefer to use everything in my 1Password account but if somehow someone had my master password and secret key, I wouldn't be able to do anything, although I think I would receive an email notification about a login.

    Maybe that still is safer than using iCloud with my scheme. I welcome any input and suggestions.

  • Ben AWS Team

    Team Member

    The reason I wanted to sync a few things on a local vault was because I'm concerned about the small (remote?) possibility that my secret key was captured by a keylogger. I know how vulnerable PCs are.

    Using a local vault would not protect you against that. No password management solution will. If someone has a keylogger installed on your system then they can simply steal your passwords from the web pages you fill them into, as you fill them, or use some other method to obtain the information (such as recording your screen and waiting for you to reveal the passwords).

    If your computer is compromised there is no way for any software solution to protect you. This is why we recommend only accessing your credentials and protected websites from trusted computers.

    When you mention turning on iCloud syncing and it not prompting two factor or two step, do you mean on my own trusted device?

    Correct.

    Maybe that still is safer than using iCloud with my scheme. I welcome any input and suggestions.

    Our recommendation would be to use 1Password.com vaults over vaults stored in iCloud, yes, and to use only trusted devices regardless. If you can't trust the device then we cannot recommend accessing your 1Password data or entering any of your credentials on it.

    Ben

  • Thanks for the information. If I have 1Password backing up through iCloud (not syncing a primary vault) am I losing the benefit of the secret key?

  • Drew_AG 1Password Alumni

    Hi @xjustintime,

    I'm not sure what you mean, as 1Password doesn't have an option to store backups on iCloud. Local vaults (i.e. the kind that can sync via Dropbox or iCloud and aren't part of your 1Password.com account) are backed up locally on your Mac, and the data in your 1Password.com account is backed up on our own servers. Perhaps I'm misunderstanding your question - can you please elaborate on that? Thanks! :)

  • Hi Drew,

    When I go to iCloud on my iPhone settings it lists 1Password as one of the apps using iCloud.

  • Drew_AG 1Password Alumni

    Hi @xjustintime,

    1Password can use iCloud to sync your local/Primary vault, so it's listed under "Apps Using iCloud" in Settings > Apple ID > iCloud. But I'm not sure how that relates to your question about backups?

    Your Secret Key is only used to access your 1Password.com account data. For example, if you sign into your 1Password.com account on a new device, you'll need your Secret Key to do that (as well as the sign-in address, email address, and master password for your account). If you also have a Primary vault, that's a local vault which is not part of your 1Password.com account, and therefore has nothing to do with your Secret Key. So, if you sync that Primary vault to another device via iCloud, you won't need a Secret Key to do that.

    Does that help to clear things up at all?

  • Okay, I see now. It's only for local vaults. Thanks to you both for taking the time to answer my questions. Your product is great!

  • Drew_AG 1Password Alumni

    You're very welcome, I'm glad that helped! (And sorry for any confusion about all that!)

    We're always happy to help, so if you need anything else, please don't hesitate to let us know. Enjoy the rest of your week! :)

  • Hi @Drew_AG

    Doing some reading and I noticed that the secret key is stored in the keychain, and that one of the reasons for this is to prevent people from losing their secret key if they never printed their emergency kit.

    How does this make an iCloud vault and a 1Password vault different as far as the requirement of the secret key?

  • Drew_AG 1Password Alumni

    Hi @xjustintime,

    I'm not sure if I fully understand your question, because having the Secret Key stored in the keychain doesn't change anything about the difference between a 1Password.com account and a local vault that syncs via iCloud. Access to your 1Password.com account still requires your Secret Key - if it isn't found in the keychain when you sign into your account in the 1Password app, you'll need to enter it. A local vault (regardless of whether you sync it with iCloud) is not part of your 1Password.com account, and therefore has absolutely nothing to do with your Secret Key - so you won't need a Secret Key to sync that vault to another device.

    Or to put it another way: A 1Password.com account has a Secret Key. A local vault (the kind that can sync via Dropbox or iCloud) does not have a Secret Key.

    I'm not sure if that helps? If I misunderstood your question, please let us know. Have a great weekend! :)

  • I think I was thinking if someone was to log in with my 1Password credentials on another phone, they'd have access to my keychain backup which contains my secret key. So my secret key wouldn't be protecting me any more than a regular iCloud vault backup.

    But I assume if someone installed the app on their phone and used my credentials they wouldn't have access to the keychain unless they did it from one of my trusted devices.

    I've come to a point where I'm comfortable with my security setup and am not worrying about all these things related to the iCloud Keychain, etc.

    Thanks for taking the time to explain things!

  • Ben AWS Team

    Team Member

    You're very welcome, @xjustintime. :) It is certainly important to think about these sorts of things, but I would suggest anyone doing so also consider:

    1) The threats that are most likely to be faced. e.g. Are you someone who loses your phone all the time?
    2) The likelihood of a particular threat. e.g. If you lose your phone and someone picks it up, what are they likely going to do with it? Are they going to try to steal your data, or are they going to pawn your phone?
    3) What protections do you have in place that would help mitigate the threat?
    4) What options do you have to alleviate the problem if a threat becomes a real concern? e.g. When you do lose your phone, what recourse do you have?

    Thanks!

    Ben

This discussion has been closed.