What if I lose my device while traveling, and don't have another device with me?

If you lose your device, your website (https://support.1password.com/lost-device/) says to log in to 1Password and "remove the device" from your account and generate a new secret key.

What if you're traveling and only have your phone with you when it's lost, and no other device that has been previously logged in with existing secret key, and you don't carry your Emergency Kit with you because it's at home in your safe deposit box, so you don't have the secret key with you? It doesn't seem like you'd be able to log in from a newly purchased computer or phone to remove the lost phone from your 1password.com account?

I can see why this is a vexing problem to solve while maintaining your excellent security standards. Please let me know if there is a solution but, if there is no solution to this problem, will you provide an option on your profile to require Two-Factor Authentication at each login from any platform, which I personally would turn on whenever traveling. Thus, as long as your second factor is not the lost device, rather a security key for example, your 1password data on the lost device would be protected by your master password plus the second factor which, hopefully, is still in your possession?


1Password Version: 7.6.793
Extension Version: 1.23.1
OS Version: Windows 10
Sync Type: Not Provided

Comments

  • ag_ana
    1Password Alumni

    Hi @jfarnsworth!

    It doesn't seem like you'd be able to log in from a newly purchased computer or phone to remove the lost phone from your 1password.com account?

    Indeed, you need your login credentials to access your 1Password account on a new device. I have heard of some people who keep a printed copy of the Secret Key in their wallet (assuming you also remember your Master Password of course).

    Thus, as long as your second factor is not the lost device, rather a security key for example, your 1password data on the lost device would be protected by your master password plus the second factor which, hopefully, is still in your possession?

    Your second factor would not help for the protection of the data, because your 1Password data is encrypted with your Master Password and Secret Key only, regardless of whether you have 2FA enabled or not. This article from our security team has some more details about this:

    Authentication and encryption in the 1Password security model

  • jfarnsworth
    Community Member

    Hi @ag_ana

    Thanks for your prompt reply.

    So what's the advantage of requiring MFA on the first login from a new device?

    If there's an advantage to requiring MFA on the first login, what's the reason that you don't offer an option to require MFA at every login?

    Again, I would only activate this option when I was traveling and (having only one device with me) not able to deauthorize a lost device. (I realize it would be a pain to require MFA on each login from a device under non-travel circumstances; which is why I'm suggesting an option, not a requirement.)

    Thanks again!

    Jay

  • ag_yaron
    1Password Alumni

    Hi Jay,

    So what's the advantage of requiring MFA on the first login from a new device?

    The purpose of MFA is to add another layer of security on the first authentication of a device, making it harder for remote attackers to log into your account. Most attacks these days are performed remotely (online), which is where MFA shines as an added security layer for authentication. But once you authenticate, all the data is downloaded into your device and is present there; MFA won't help or add any security to the local data that is present on your device.

    If there's an advantage to requiring MFA on the first login, what's the reason that you don't offer an option to require MFA at every login?

    As stated above, requiring MFA for every login attempt is useless because the data is locally present in your browser/device after the first successful authentication. Its added value is zero, and it makes the user experience a lot more cumbersome.

    When you are travelling (I do too), here are some suggestions to keep your data safe:

    • Use Travel Mode if you don't need 1Password to be available at the time of travel: https://support.1password.com/travel-mode/
    • Make sure your device has a passcode or is locked with biometrics - that's crucial. If the device is unlocked constantly, this is the biggest security threat.
    • Go into the 1Password app's settings and adjust the security there to keep the app locked as soon as you close it. Do not let it remain unlocked for long periods of time.
    • Keep a copy of your emergency kit, whether printed or on a USB, without the Master Password on it. That way, if you lose the device, you can go to any other computer/device, log into your account and do what is necessary.

    I use these guidelines constantly when travelling and it pretty much covers all bases of staying secure, even if you lose the device. It is actually more worrying to not be able to log into your 1Password rather than someone being able to access it, because whoever got the device will need to:

    • Be able to unlock your device.
    • Know what 1Password is.
    • Know how to unlock your 1Password (with your Master Password).

    That's too many "if"s and is very unlikely, unless someone has targeted you for that exact reason. Most chances are, if your device is lost/stolen, the thief would probably turn it off and format it as soon as he can to prevent you from being able to find it.

  • [Deleted User]
    Community Member

    @jfarnsworth 1Password's 2FA protects against the case where an attacker has your Secret Key and Master Password, but doesn't have a copy of your password database. Once the database has been downloaded to the new device then there is no point performing additional 2FA checks. An attacker doesn't need to use the 1Password app to open the database, they can use their own decryption software. So additional 2FA steps would inconvenience the legitimate user without increasing security.
    More generally, 2FA is good protection against remote attackers. It is not good protection against local attackers who have access to your device. It is a form of authentication and so can be bypassed. Your 1Password database is protected by encryption which cannot be bypassed without knowledge of the Secret Key and Master Password.
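
The distinction drawn in the replies above, as an added example that is not part of the original thread and is not 1Password's code: the vault key is derived from the Master Password and Secret Key only, while the second factor is a server-side check applied before download. The XOR-combined derivation, the toy HMAC cipher, the function names and every value are assumptions constructed for illustration.

```python
import hashlib, hmac, os

def derive_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    # Both secrets feed the key; there is no second-factor input to derive from.
    pw = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    sk = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw, sk))

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy HMAC-counter keystream, standing in for a real AEAD cipher.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong Master Password / Secret Key")
    return bytes(c ^ k for c, k in zip(ct, _stream(key, nonce, len(ct))))

def server_download(blob: bytes, enrolled_code: str, presented_code: str) -> bytes:
    # The second factor is an access check on the server, applied before download.
    if not hmac.compare_digest(presented_code, enrolled_code):
        raise PermissionError("second factor required for a new device")
    return blob

def demo():
    salt, pw, sk = os.urandom(16), "constructed master password", "A3-CONSTRUCTED-SECRET-KEY"
    blob = seal(derive_key(pw, sk, salt), b"constructed vault item")
    try:   # remote party holding both secrets but no second factor
        server_download(blob, "492817", "000000"); remote = "downloaded"
    except PermissionError:
        remote = "blocked"
    # copy already on a device: decryption needs only the two secrets
    local = unseal(derive_key(pw, sk, salt), blob)
    try:   # same copy, wrong Master Password
        unseal(derive_key("guess", sk, salt), blob); wrong = "opened"
    except ValueError:
        wrong = "rejected"
    return remote, local, wrong

if __name__ == "__main__":
    print(demo())
```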

  • ag_yaron
    1Password Alumni

    Thanks for clarifying things further @missingbits :)

  • jfarnsworth
    Community Member
    edited April 2021

    @ag_ana, @ag_yaron , and @missingbits,

    Thank you all for such a detailed and cogent explanation.
    It's just what I needed to feel comfortable having 1Password on my phone.

    Sincerely,

    Jay

  • ag_yaron
    1Password Alumni

    If you have any further questions or concerns, we're always here to help :+1:

  • kram5819
    Community Member
    edited April 2021

    I have a comment; hopefully it's okay to comment and ask here?

    I wanted to post my comment here because like the original poster, I would worry about losing my device. I hope it's okay to post my comment/question here.

    I don't travel much, but I do go out often to restaurants or shopping. I always have my phone with me & I've never lost it, but there's always that first time that it COULD happen.

    I have a ZTE Axon 10 pro smartphone running Android 10.

    I'm wondering how good fingerprint lock is compared to using a pin? It's so convenient to put my fingerprint on the sensor and the 1password unlocks.

    I'm debating if I should change it to a pin? If I do, hopefully I would be able to make it an eight-digit pin?

    It's a pain in the neck though every time having to put in a PIN, and that's why I like biometrics, but the security of somebody not being able to get into my password manager without knowing a pin especially if they can get past my locked phone and get into my apps has me questioning the security of biometrics vs pin.

    I wonder what everybody's thoughts are on this? I'm not certain/ sold on the idea that Biometrics is a secure way to secure things and I won't consider face unlock. I've been using Biometrics for a couple of years now & never had a problem.

    When I go out I don't let my smartphone out of my sight there is always that one time though that it could happen, and I could leave it somewhere or lose it.

    Currently, I'm using Biometrics to lock most of my apps.

    I installed 1Password today. It is all set up both on my Chromebook and on my Android phone with two-step authentication. Everything went without a problem; very smooth setup process. Now I need to figure out security and make sure if somebody **ever** were to get their hands on my phone that they wouldn't be able to get into my 1Password or any of my other apps for that matter.

    I got security handled with my Chromebook. I have a very long password; it's very secure.

    I'm worried much more about my mobile device. Any thoughts? I hope it was okay to post this here.

    Lastly, my device is set up so that after 5 tries you have to wait a few minutes before you can try again. I also have my phone set up with my Google account where I can wipe my device if it's ever lost or stolen.

  • [Deleted User]
    Community Member

    @kram5819 Your device PIN/passcode will always be the last line of defence against a local attacker, so choose a strong one. Try to avoid dates of birth, years within your lifetime and easy patterns. Biometrics offer a short-cut which avoids you needing to enter your PIN/passcode multiple times per day. In most cases they don't reduce your phone's security, but there have been some notable exceptions.

    https://www.wired.co.uk/article/phone-lock-screen-password

  • ag_ana
    1Password Alumni

    @kram5819:

    I'm wondering how good fingerprint lock is compared to using a pin? It's so convenient to put my fingerprint on the sensor and the 1password unlocks.

    I'm debating if I should change it to a pin? If I do, hopefully I would be able to make it an eight-digit pin?

    A PIN is yet another thing that you have to remember though, and it could be guessed by an attacker, especially if it's a weak PIN. Biometrics cannot be guessed that easily :) If you are happy with the way biometrics works, I don't believe that switching to a PIN would be necessary.

  • kram5819
    Community Member
    edited April 2021

    You're probably right,

    but what I did do is I use an app lock, so once you log into my phone you have to then get past a four-digit PIN to get in any app; then after that, for example, my 1Password will then ask for the biometric again to log back in.

    So, if you manage to hack into my phone and get past the four-digit PIN on all of my protected apps via an app lock then do biometric again to get in to the protected app.

    I think I've got it pretty well covered.

    It seems like a lot but you can never be too careful.

  • ag_ana
    1Password Alumni

    @kram5819:

    but what I did do is I use an app lock, so once you log into my phone you have to then get past a four-digit PIN to get in any app; then after that, for example, my 1Password will then ask for the biometric again to log back in.

    1Password will be locked even if someone managed to access your device, however, so you are protected that way. Currently you can unlock 1Password either with a PIN or with biometrics, not both. And if you use biometrics and you fail to unlock the app for a few times, 1Password will still ask for your Master Password, so you have an additional layer of protection already.

  • ag_yaron
    1Password Alumni

    I will also note (again) that unless a professional person/organization specifically targets you for the sole purpose of getting into your 1Password, most chances are the finder/thief would just erase the phone so they can sell it or use it themselves. Ain't nobody got time for passwords cracking and phones hacking without a really good reason :pirate:

This discussion has been closed.