Why can I still see the contents of my vaults after invalidating secret key?

I like the idea of regenerating / invalidating my secret key in 1P. The 1P apps neatly notify me that the secret key is no longer matching and that I need to correct that. However, at least on iOS, I can skip this and see all the contents of the vaults, as long as I can enter my master password correct on app launch. It doesn't even nag me all the time to fix this, nor do I have to enter the master password on the "sign in" screen where I have to fix the secret key.

@cdj: You've already authorized that device and had it download and cache your data there. Otherwise 1Password wouldn't work for you at all offline, ever. If you try to do anything that requires a connection to the server, you'll need to re-enter your account credentials since you've changed them — which seems to be what it's prompting you to do. You won't receive any further changes otherwise, so probably a good idea to sign in. :)

I think this is a security flaw. I must be able to trust that once I regenerate my secret key, because it might be compromised, everywhere sessions are ended and the user in control of that device can't access anything in the vaults until that problem is fixed. You can see everything in the app and have complete freedom, even though the secret key is invalid.

Anyone (including you) would need to be able to unlock 1Password on the device to even get to that point. Can you tell me the specific threat you're concerned about?

Fair point about being able to do things offline. But once 1P has detected that a session / key is invalid, it should lock up, in my opinion.

@cdj: Thanks for the feedback. That's not how 1Password has ever worked though, and though we have gotten some requests for an offline mode and other related features, it's not something we have plans for currently. The vast majority of people expect this, and, frankly, there is no "session" in your example: the app is completely offline with regard to 1Password.com. More on that in a bit.

Granted, you already gained access to 1P by correctly entering the master password, but what exactly is the idea behind the secret key if you don't really need it anyway after first set-up? I see it as a certificate of sorts that can be revoked. I would feel more safe if 1P would simply say "We detected that this certificate (secret key) is no longer valid. Even though you've entered a correct master password, we won't allow you to access the contents of this vault until you enter a valid key (renew certificate) again".

Great question! The sole purpose of the Secret Key is to protect you from attacks against your data if it is stolen from us, from our server. This way, even if someone breaks in and gets the encrypted database, they cannot even perform a brute force attack against your Master Password. Locally, your Master Password is protecting your data in the app. You should assume that anyone competent who steals your device to try to get your data can get the Secret Key from there. After all, you do not have to enter it to unlock the app, only your Master Password.

Since you didn't propose any specific threat scenario, I'll take the liberty and do so, because it's helpful to illustrate: Somebody discovers your Secret Key. That's not good, but whew! They don't know your Master Password. No problem: you can change the Secret Key. At that point, they cannot access anything anyway, since they'd need your Master Password to access your data on one of your devices, even if they got one. And they'd also need it (along with your other, not-so-secret account credentials) to sign into your account on their own device. So already they're not going to get anything from you.

But let's take it a step further: say they discover your Master Password in the future. By changing the Secret Key today (or whenever), they still won't have the proper credentials to access your current (in the future) data. They would only have the means to decrypt data which was stored on a device prior to you changing both your Secret Key and Master Password. That's a little bit scary, but you'd probably have long known if one of your devices was stolen from you, and you would have until the time when they also got your Master Password to change passwords for the account that could be compromised by them getting your old-Master-Password-and-Secret-Key database.

So in the worst case scenario involving a situation where you'd need to change your Secret Key, a lot of other stuff would have to go wrong for it to impact your security in any way: both your (old) Master Password and a device with the old-Master-Password-and-Secret-Key database would need to be in the possession of the attacker who also has your (old) Secret Key. And note that if this is the case, even if 1Password worked the way you're suggesting, all the attacker needs to do is keep the device offline to avoid it getting "invalidated" by the server. Admittedly it can be a bit confusing, but hopefully that helps put things into perspective. :)

Amen to that! And you're very welcome! Thanks for asking the hard questions. As you can see, I rather enjoy talking about this stuff, and it's great to discuss it with folks like you who are equally as passionate. :chuffed: