Secret Key and web browsers and a few other questions for a newbie

bart_x
Community Member

Hi guys!

I am interested in 1P, however there are still a few questions in my mind.

Part of this is the Secret Key, which is stored locally on devices; how can I use the 1Password.com web panel on a random computer that doesn't have my Secret Key?
I really like the Secret Key feature. I know the feature is available for Families and Teams. What about the solo subscription and the standalone license?

As I understand it, the standalone license allows keeping data totally local and offline, or using one of the cloud providers such as Dropbox. Is that also possible for the solo subscription? Or am I then forced to sync with the 1P cloud?

Also, the worst thing is that I can't use 1P right now, as 1P is not available for iOS 10 users. It's actually strange that older iOS versions are not supported. It's a dangerous policy for me.

In the meantime, until I decide to upgrade my iOS, I'm looking forward to reading your comments :) At least I will be well prepared :)
Bart


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Lars
    1Password Alumni

    Welcome to the forum, @bart_x! Always glad to see a newbie. And even more glad to see you thinking proactively about your online security. You're our kind of people, I can tell already :) Great questions, as well!

    Part of this is the Secret Key, which is stored locally on devices; how can I use the 1Password.com web panel on a random computer that doesn't have my Secret Key?

    You can't. You will need both your Master Password and your Secret Key on every new device or browser on which you want to use your 1password.com account. For most of us these days, it's not usually a problem, because people generally have at least one of their devices with them -- typically a phone, or maybe a tablet. If you have that, you can always copy over your Secret Key from that device. But if you know you'll be going somewhere that you'll be likely to need to use 1Password on a device you don't own and haven't used before, take your Secret Key. I've actually written it down on a small piece of paper with no explanation, so if it's lost or stolen, no one is likely to know what it is. I would also try to minimize the number of unknown devices on which you access your 1Password account. Unknown devices can be compromised in all sorts of ways; keyloggers and all sorts of other malware can be present. It's better to use your own devices when it's at all possible.

    I really like the Secret Key feature. I know the feature is available for Families and Teams. What about the solo subscription and the standalone license?

    Thanks! We like it as well. :) All 1password.com accounts utilize the Secret Key, including Individual accounts, but standalone 1Password uses only the Master Password. In both cases, you should always choose a long and strong Master Password, as it's really the heart of your security.

    As I understand it, the standalone license allows keeping data totally local and offline, or using one of the cloud providers such as Dropbox. Is that also possible for the solo subscription?

    1password.com accounts sync via the 1password.com service, not via third-party sync APIs such as Dropbox or iCloud. The data is stored on the 1password.com servers, with a local cache on every device on which you sign into your account.

    Regarding iOS 10 and 1Password, here are the requirements for various platforms. As you can see, 1Password 6 for iOS will work with both 1password.com accounts and iOS 10. If you've got a device running an older version of iOS, and you've previously downloaded an earlier version, you should be able to download the correct version for iOS 10 from the App Store. If you've never downloaded 1Password for iOS, however, you'll need to update your iOS version to iOS 11 before you'll be able to use 1Password on iOS.

    Thanks again for the questions; let us know if you have any others. :+1:

  • bart_x
    Community Member

    You will need both your Master Password and your Secret Key on every new device or browser on which you want to use your 1password.com account. [..] you can always copy over your Secret Key from that device. But if you know you'll be going somewhere that you'll be likely to need to use 1Password on a device you don't own and haven't used before, take your Secret Key.

    So, the Secret Key is simply a sequence of characters that I could write down, right? And the web app simply asks me to type it?
    So, when it's stored on devices, it's just a text file with the sequence inside? If so, can I remove this file from the hard drive and simply pass both the Master Password and the Secret Key to unlock my 1P app? At least this is what actually happens for the web app, right? :chuffed:

    1password.com accounts sync via the 1password.com service, not via third-party sync APIs such as Dropbox or iCloud. The data is stored on the 1password.com servers, with a local cache on every device on which you sign into your account.

    Are you thinking of adding the possibility to choose a service other than 1password.com for subscriptions? I know that your servers are safe and reliable, and that you cannot decrypt my data as you don't know both the Master Password and the Secret Key. However, the lack of alternatives raises suspicions, as in fact you hold the power. I read a comment that the 1p.com service gives you the possibility to add extra features that cannot work without your server side. A simple solution would be to disable these non-compatible features if the user decides to sync with someone/something other than the 1p.com service (this is what actually happens for standalone license users, right?). I'm pretty sure that a well-presented warning about disabling features would have a huge impact on most users, making them rethink the idea and stay with your servers. It's a fair solution. It's a way better solution for paranoid people, like we are :blush: I mean, even if I decided to go with the 1p.com service, I would still sleep better knowing that I decided for myself, not another company. Isn't that what it's all about? :chuffed:

    This would actually give you another point in favour of stopping support for the standalone license at all, as this is a primary argument for keeping away from the subscription (apart from money costs).

    1Password 6 for iOS will work with both 1password.com accounts and iOS 10. If you've got a device running an older version of iOS, and you've previously downloaded an earlier version, you should be able to download the correct version for iOS 10 from the App Store. If you've never downloaded 1Password for iOS, however, you'll need to update your iOS version to iOS 11 before you'll be able to use 1Password on iOS.

    This is a fine policy for a random application. However, we are talking about security here, aren't we? This actually means that you can simply add a security fix for the newest version of the 1P app that would force me to upgrade my iOS. And you shouldn't have the power to make this decision for me. I mean, sure, for a game app it's fine. But as running the 1P app without this security fix would be dangerous for my data, I actually have only 2 options then: a) upgrade iOS and the 1P app, b) uninstall 1P due to the flaw and probably switch to another alternative app, as using an iPhone without a password manager with all the auto-generated passwords would be useless. IMHO this is a very dangerous situation from a personal security strategy point of view when deciding which password manager to use.

  • Ben

    Our recommendation is always going to be to use the latest versions of operating systems and 1Password. That is the most secure option. There will come a point where the latest version of 1Password will require iOS 11 and you will not be able to get the latest updates (and may not be able to use the service at all) if you’re stuck on an old version of iOS.

    You could certainly subscribe to a 1Password.com membership and then use standalone vaults synced via Dropbox. We wouldn’t recommend it, and it isn’t going to be the best experience, but it is possible if that is the road you want to take. 1Password’s security doesn’t rely on the sync service that you use for your data. Regardless of what sync service you choose your data is end-to-end encrypted (with the only end points being devices you’ve given your Secret Key and Master Password).

    Also — yes, the Secret Key is just a string of text, which you could write down and carry with you. We’d encourage you to only access your data from trusted devices though, as public / shared computers are especially susceptible to malware, hardware keyloggers, etc.

    Ben

  • bart_x
    Community Member

    Thanks Ben for a quick answer. Just for clarification:

    You could certainly subscribe to a 1Password.com membership and then use standalone vaults synced via Dropbox. We wouldn’t recommend it, and it isn’t going to be the best experience, but it is possible if that is the road you want to take.

    Oh, I didn't know about that. So, basically it's possible to use the subscription version and a 3rd party file service for my vaults? Could you confirm that 1P wouldn't store any data on your servers?

  • Ben

    You would have a vault on our servers but you wouldn’t have to store any information in it. We would of course have to store the usual billing information that is associated with a subscription.

    Again, it wouldn’t be the recommended course of action, and the experience will not be as good as using 1Password.com to store your data, but it is possible.

    Ben

  • bart_x
    Community Member
    edited February 2018

    Once again, thanks for all your comments. I really appreciate how you manage your support role at AgileBits. Congrats!

    As I haven't used 1P in the past and only recently turned my eyes to your app, some obvious things can be too obvious for others and simply done by shortcuts etc. So, for this particular reason, and also as I am the original poster of this thread, I would like to get some easy-to-understand answers, for both technical and business questions.

    Some technical aspects

    I'm still looking for details regarding how 1P works. For now, I can basically say that from a security point of view 1P uses Master Password + Secret Key + SRP + several rounds of AES encryption for our vaults. Is that correct? Is there anything else that I'm missing that increases the general security?

    Regarding the MP and SK features. As the SK is a simple string of text, I am not sure how it differs from the MP.
    From my point of view:

    • SK - a string of unique text. In fact, it's quite similar to a password generated by 1P. It's stored locally in a file, but if not, I can just pass it, same as the MP;
    • MP - the only differences from the SK are: you have to type it; there is no need to save it in a local file as the SK does (however you can tick 'remember', even if not recommended). It's not auto-generated, so basically it can be less secure than the auto-generated SK.

    This actually means that the SK and MP are really the same thing. The SK is a bit more secure, as we are not allowed to use weak passwords by our choice, and is easier to use, as you don't have to type it every time since it's stored locally.

    If all of the above is true, I can't understand why the SK would be any better than 2FA (I recently read a very nice thread here that was about advantages over 2FA; I can't find the URL now).
    Unfortunately, I couldn't find any technical relation between the SK and MP. So, what is the relation between them? Do you concatenate them together and then use the result as a "final password" for encryption? So the hash sent to the 1P service is actually calculated using both MP/SK? Or maybe 1P uses a few rounds of encryption with the SK and another few with the MP? So, basically you encrypt already-encrypted vaults just with a different password? If so, does it mean that technically 1P could just ask for: Password1 (MP) and Password2 (SK)?

    Some business aspects

    I understand that AgileBits is not really interested in promoting standalone licensing, and there is no official comparison page to see the differences. I also found this thread: https://discussions.agilebits.com/discussion/83647/1password-7-status-update Even if it's focused on the Windows application, there is talk about standalone licenses, and it seems like AgileBits is aware of the problem, which is promising for the future of standalone licenses!

    So again, as I haven't used 1P so far, I need extra explanation here too :blush:
    I will use bullets here to make my understanding easier to understand 8-), so it will be easier for you to follow me and answer :-)

    Standalone license:

    • You pay for major desktop (macOS, MS Windows etc.) releases such as 4.x, 5.x, 6.x, 7.x etc.
    • So far, you had to pay for the upgrade to the next major release, usually about 1/2 of the original price. This can change at any time (same as the subscription price, actually).
    • You have no guarantee how long the release you own will be supported by newer versions of the operating system (LTS is only for the subscription model).
    • If you own the desktop license, you can use 1P on other devices such as iPhone, iPad etc. In this case, you have to buy another standalone license for each device (or group of devices? like everything via the App Store is one group? So one license for iPhone/iPad and another license for Android?). Fortunately, this license is way cheaper, like $10, right?
    • By using a standalone license you don't have to sync your vaults online. You can store them locally only. In this case, you can sync them by using a WLAN server or a shared folder etc. More info here: https://support.1password.com/sync-options/
    • You have a choice to sync vaults online. You can use 3rd party file storage services such as Dropbox or iCloud. You cannot use the 1Password.com service, though.
    • You don't have access to the 1Password web panel.
    • The Secret Key is not used for the standalone license (only the Master Password and AES encryption).
    • SRP is not available, as the 1Password.com service is not available.

    Solo subscription model:

    • Every update on every device/desktop is free of charge.
    • You can sync with the 1Password.com service, 3rd party services, or keep everything offline (same as for the standalone license).
    • Secret Key and SRP are enabled. SRP is only used for syncing to the 1Password.com service (not to Dropbox and others). The Secret Key is used everywhere[1].
    • You have access to your vaults via the 1Password web panel (if you decided to sync with the 1P.com service).

    So, the only differences between the standalone license and the solo subscription are:

    • 1Password.com accounts are only for the subscription model and provide these features: sync, web access and SRP.
    • The SK is available for the subscription model[1].
    • Annual payment vs major release payment.
    • You have to pay extra for additional devices (standalone license).

    [1] Ok, this is probably easy for anyone who used 1P before the 1P.com service era. Do Dropbox/iCloud and other services handle our vaults in any special manner? I don't think so, as basically we sync back to our device and use the vaults locally? So, basically it's used only for our backups and to sync files between devices, right? This means the SK is not uploaded there. In this case, I actually don't understand why the SK feature is not available for the standalone license. Is there any technical limitation, or rather a business model to advertise the subscription model? Or maybe I misunderstood when Lars said:

    All 1password.com accounts utilize the Secret Key, including Individual accounts, but standalone 1Password uses only the Master Password.

    Thanks for the upcoming answers. It really helps me to find the best solution/workflow.

  • bart_x
    Community Member

    I wrote quite a long answer here about 40 minutes ago and decided to make some edits to it. Now it has disappeared totally. Does anyone know what happened? I spent about 1 hour finishing it up and now it's gone? :-1:

  • bart_x
    Community Member

    Ok, I decided to rewrite my last post. There are basically 2 main aspects here: technical and business. I'm no longer sure if I used the correct sub-forum for this; if so, don't hesitate to clean it up and reorganise. Also, please keep in mind that I don't have previous experience with 1Password, so sometimes I don't understand some shortcuts that can be obvious to experienced users.

    Technical Aspects

    So, 1P uses 4 features at the security level:

    • Master Password
    • Secret Key
    • SRP
    • AES encryption (a few rounds of it, actually)

    Here is my summary regarding the MP and SK:

    • SK - an auto-generated, strong, unique string of text that is stored locally in a plain text file, so you don't have to remember the value;
    • MP - an auto- or manually generated password that you have to memorise.

    IMHO both things are exactly the same. The only difference is that the SK is for sure a strong password and the user cannot set it by hand. You could simply call them Password1 and Password2. You still have to know the SK if you need web access to 1P or to log in on an unknown device. You can still use the "remember me" feature for the MP, which actually will behave exactly as the SK behaves (no need to type it). Am I correct?

    I'm just not sure what the relation between these passwords is. Are they concatenated and then used as a single password for the encryption process? So in fact, when the 1P app syncs with the 1P.com service, the calculated hash value is based on both passwords (and then salted)?
    Or are some rounds encrypted using the MP and other rounds using the SK?

    Business Aspects

    Here is my summary of the Standalone License and Solo Subscription Plan. Please comment if I am wrong:

    Standalone License

    • Usually, the desktop standalone license is only valid for a specific major release such as 6.x or 7.x.
    • You have to pay to upgrade your license to the next release (usually about 1/2 the price of a new license).
    • A new major release usually takes place every 1.5-2 years.
    • You have no guarantee that your version of 1P will be supported in the next releases of the operating system of your choice.
    • You have to pay a little extra for using 1P on your other devices (like $10 for iPhone). Is it a one-time payment, or for the next major release would I have to pay once again, same as for the desktop app? Is it per device or per ID (like I pay once for my Apple ID and can use it for all my iPads and iPhones that are associated with the same Apple ID)?
    • You can store your vaults offline. You can sync between your devices by using a WLAN server or a shared folder: https://support.1password.com/sync-options/
    • You have a choice to sync online with Dropbox or iCloud. These services are used just to store your encrypted files, and from Dropbox's point of view they are "just files" like the others stored on your account. The decryption is done locally after syncing. So the benefit of using the online sync feature is only to make syncing between your devices easier and to have a backup of your encrypted vaults.
    • There is no web access to manage your vaults.
    • You can't sync with the 1Password.com service (you can't have a 1P account).
    • No Secret Key support.
    • No SRP support.

    Solo Subscription Plan

    • All further updates are free of charge for any of your devices.
    • Same as for the standalone license, you can store your vaults offline (keeping the 1P.com online vault empty).
    • Same as for the standalone license, you can use 3rd party file storage providers such as Dropbox.
    • You get web access to your vaults (as long as you know both the Master Password and the Secret Key).
    • You have a 1P.com account, so you can use the 1P.com service for syncing online.
    • SRP is supported while syncing with the 1P.com service.
    • The Secret Key is enabled[1].

    So, apart from the difference in pricing model, the main differences between the standalone and subscription plans are:

    • No 1Password.com account for standalone license -- no web access, no 1P.com sync, no SRP
    • No Secret Key for standalone license[1]

    Please give me a comment if I am wrong in my summary.

    Also, web access is a nice feature to have, especially while using unknown devices. So my question is, what can I do in the scenario that I don't have/want to use web access and I have to use an unknown device? I guess I can simply install the 1Password application or web browser extension on the computer, then log in to my accounts, sync the files locally from 1P.com/Dropbox/iCloud and just use it. Is that the only way? If so, how can I be sure that I erased everything from the computer after finishing my work? What if I use a public computer and I don't have privileges to install applications/extensions/plugins (and obviously my phone is dead, which is why I had to use a public computer)? What is the workflow here? I am interested in both workflows, for the Subscription and Standalone models.

    [1] This is actually what I don't understand. Is there any technical reason why standalone licenses don't support the Secret Key feature? As the SK is not synced and is stored only locally, why is it not supported? Is it just a business decision made at AgileBits?

    Bart

  • Ben

    Hi Bart,

    I’m not sure what might’ve happened that would’ve prevented you from seeing your post the first time... I see both that post and where you re-posted it. Sorry about that.

    I’ll try to answer your questions the best I can here. Some resources that I will point out, which can answer some of these questions better than what I can write out here, are:

    AgileBits Blog | Three layers of encryption keeps you safe when SSL/TLS fails

    This explains the “layers” of protection that are happening at the transport level. Note that at the time this was written we were referring to the Secret Key as an “account code” and so you may see that term — they are interchangeable. More details about this, and answers to many of your other security related questions, can be found here:

    1Password Security White Paper

    As for the distinction between the Secret Key and Master Password... there are a few reasons for the Secret Key, but the primary one is to protect you from us (or someone who is able to get access to us). If someone were able to access all of the data stored on 1Password.com they would be severely hampered in any efforts to decrypt the data by the Secret Key, which typically has higher entropy than the Master Password. Despite all warnings we know folks will still use weak Master Passwords which might be susceptible to an offline brute force attack.

    As for your business related questions... regarding licenses:

    Usually, the desktop standalone license is only valid for the specific major release such as 6.x or 7.x.

    Correct, and usually only for a single person on a single platform (e.g. 1Password 6 for Mac, but not 1Password 6 for Windows or 1Password 7 for Mac).

    You have to pay to upgrade your license to the next release (usually about 1/2 the price of a new license).

    I’d agree with all except the parenthetical. Pricing may vary.

    A new major release usually takes place every 1.5-2 years.

    Historically that is probably about the average and that may be indicative of future release schedules but reality is that it isn’t necessarily planned out like that. I can’t give any sort of an estimation of what release schedules will look like in the future.

    You have to pay a little extra for using 1P on your other devices (like $10 for iPhone). Is it a one-time payment, or for the next major release would I have to pay once again, same as for the desktop app? Is it per device or per ID (like I pay once for my Apple ID and can use it for all my iPads and iPhones that are associated with the same Apple ID)?

    The Pro features on iOS are optional, but if you’d like them they are a separate purchase from any existing license. Thus far we have yet to offer a paid upgrade for the Pro features, but we may in the future. The Pro features are sold on a per-Apple ID basis (and Family Sharing does not apply).

    So the benefit of using the online sync feature is only to make syncing between your devices easier and to have a backup of your encrypted vaults.

    Plus all of the other benefits membership gives you, a key one for many people being the ability to selectively share data:

    What are the benefits of a 1Password membership?

    Regarding subscriptions:

    All further updates are free of charge for any of your devices.

    To be perfectly fair it is probably more accurate to say they are “included” rather than they are “free.” But yes, they come at no additional cost as long as you continue to pay for your subscription.

    Same as for the standalone license, you can store your vaults offline (keeping the 1P.com online vault empty).
    Same as for the standalone license, you can use 3rd party file storage providers such as Dropbox.

    Yes; but again, to clarify for anyone else reading, this absolutely would not be the recommended solution. It is quite a convoluted way to use 1Password, but if you’re an experienced 1Password customer who is comfortable with setting this up as it stands today, you could certainly do that.

    SRP is supported while syncing with the 1P.com service.
    The Secret Key is enabled[1].

    These two statements make it sound like SRP and the Secret Key, respectively, are “optional” or “could be disabled.” I want to clarify that they are each core parts of the service and it isn’t as if they are optional or could in any way be disabled or become “unsupported.”

    • 1Password.com utilizes SRP
    • Your Secret Key, which is never known to AgileBits, is used in the process of encrypting your data

    would be more accurate statements.

    Also, web access is a nice feature to have, especially while using unknown devices. So my question is, what can I do in the scenario that I don't have/want to use web access and I have to use an unknown device?

    Don’t use untrusted devices. I can’t recommend anything different. We absolutely do not recommend accessing any sensitive information on an untrusted device, and that would certainly include your 1Password account. A malicious actor will always be able to steal your data as you access it from an untrusted device. This is a problem with or without a password manager.

    [1] This is actually what I don't understand. Is there any technical reason why standalone licenses don't support the Secret Key feature? As the SK is not synced and is stored only locally, why is it not supported? Is it just a business decision made at AgileBits?

    You’re correct. We could implement the Secret Key in non-subscription vaults. But again, look at the attack vector we are trying to protect against with the Secret Key. The primary reason the Secret Key exists is to protect against a breach of our servers. As standalone vaults are not stored on our servers that attack vector doesn’t exist. Additionally if we were to add the Secret Key to standalone vaults there would be absolutely no way to recover from a lost/forgotten Secret Key, whereas with 1Password.com (at least with 1Password Families and 1Password Teams) there is the potential to have an organizer on the account assist with recovery.

    Does that help?

    Ben
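To make Ben's point about the Secret Key concrete, here is an added Python illustration that is not 1Password's own key-derivation scheme: the PBKDF2/HMAC/XOR construction, the salt, the wordlist and the sample values are all constructed assumptions for this example. It shows that a leaked verifier derived from a weak Master Password alone falls to a tiny dictionary, while the same verifier derived with a Secret Key the server never held does not.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed sample inputs (not real 1Password parameters or values).
SALT = b"constructed-account-salt"
WEAK_MASTER_PASSWORD = "sunshine1"
SAMPLE_SECRET_KEY = "A3-CONSTRUCTED-SECRET-KEY-EXAMPLE-00"
# A small constructed wordlist standing in for an offline dictionary attack.
WORDLIST = ["password", "123456", "qwerty", "sunshine1", "letmein"]


def derive_unlock_key(master_password: str, secret_key: Optional[str],
                      salt: bytes, iterations: int = 20_000) -> bytes:
    """Derive a 32-byte vault-unlocking key (hypothetical construction).

    The Master Password goes through slow, salted PBKDF2 so each guess costs
    real work. If a Secret Key is present, it is mixed in via HMAC and XORed
    into the result, so the key cannot be computed from the Master Password
    alone. A vault without a Secret Key (secret_key=None) mirrors the
    Master-Password-only standalone case discussed above.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    if secret_key is None:
        return pw_key
    sk_key = hmac.new(secret_key.encode("utf-8"), salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def make_verifier(unlock_key: bytes) -> bytes:
    """Stand-in for what a breached server could leak: a hash of the key."""
    return hashlib.sha256(b"verifier" + unlock_key).digest()


def offline_guesses_needed(verifier: bytes, salt: bytes, wordlist: List[str],
                           secret_key: Optional[str]) -> Optional[int]:
    """Count wordlist entries someone holding only the leaked verifier must
    try before a candidate key checks out. Returns None when the wordlist is
    exhausted, i.e. the leaked material alone was not enough."""
    for count, guess in enumerate(wordlist, start=1):
        candidate = make_verifier(derive_unlock_key(guess, secret_key, salt))
        if hmac.compare_digest(candidate, verifier):
            return count
    return None


def demo() -> dict:
    # Case 1: Master Password only, as with a standalone vault.
    v_pw_only = make_verifier(derive_unlock_key(WEAK_MASTER_PASSWORD, None, SALT))
    # Case 2: Master Password mixed with a Secret Key the server never saw.
    v_with_sk = make_verifier(
        derive_unlock_key(WEAK_MASTER_PASSWORD, SAMPLE_SECRET_KEY, SALT))
    return {
        # Weak password alone: found on the 4th dictionary entry.
        "password_only": offline_guesses_needed(v_pw_only, SALT, WORDLIST, None),
        # Same weak password, but the Secret Key is unknown: dictionary fails.
        "with_secret_key_unknown": offline_guesses_needed(v_with_sk, SALT, WORDLIST, None),
        # Legitimate owner holding both secrets still unlocks on the 4th try.
        "with_secret_key_known": offline_guesses_needed(
            v_with_sk, SALT, WORDLIST, SAMPLE_SECRET_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The point matches Ben's explanation: the Secret Key does not make a weak Master Password strong, it makes the leaked server-side material useless without a second high-entropy secret that never left the user's devices.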

This discussion has been closed.