Password reset with Secure Remote Password

thedean
thedean
Community Member

I recently ran across this blog entry from Skiff: https://www.skiff.org/updates/death-taxes-and-forgotten-passwords.

They, like you, use the Secure Remote Password (SRP) protocol for authentication. And they, like you, they claim their system operates with zero knowledge of the user's password. However, unlike you, they offer a mechanism for their user's to reset a forgotten password. They do so by implementing a recovery key along with Shamir's Secret Sharing. See the blog entry for details.

When I read it, I immediately thought that this would be something that could be implemented in 1Password. The recovery key could be just another item contained your Emergency Kit. And it would give your users something they don't have now: the ability to reset a forgotten password. I know that I could just write down my master password on the Emergency Kit, but I don't like the idea of writing down my master password anywhere.

Is this something your security team has investigated and are thinking about doing in the future? If not, why not?

Thanks,
Dean


1Password Version: 1Password 7 Version 7.8.7
Extension Version: 2.1.0
OS Version: macOS 11.5.2

Comments

  • Hi @thedean,

    I'll be happy to mention this to our security team. :) Could you please help me understand though... what about having a secret that allows recovery of the account password on the Emergency Kit is more secure than having the account password on the Emergency Kit?

    Ben

  • thedean
    thedean
    Community Member
    edited September 2021

    Ben:

    Good question. When you put your username, secret key, and master password, all in the emergency kit, if that emergency kit is ever lost or stolen, then the thief has 100% of what he/she needs to break into your 1Password account, and steal all your passwords.

    On the other hand, if the the emergency kit only contains your username, secret key, and part of the recovery key, then the thief cannot break into your 1Password account without 1Password providing the thief with the remaining portion of recovery key. It is assumed that 1Password would require some sort of identity proof before offering up their remaining portion of the recovery key. In the case of Skiff, they do that via email confirmation or via another secret key held by the browser from the last successful log in to 1Password.

    The best analogy is that it always takes 2 people to launch a nuclear missile, never just 1 person. And mostly importantly, 1Password could achieve this while still having zero knowledge of master password, or even the capability to derive the master password (since both 1Password and the user only have access to a portion of the recovery key). I hope you can see why this is much more secure than writing down your master password in clear text in the emergency kit.

    Dean

  • shaywood
    shaywood
    1Password Alumni

    Dean,

    We have an account recovery process in place for Team, Business, and Family accounts and have investigated methods for adding a similar account recovery feature to our Individual accounts. Unfortunately, we do not have a timeline for implementing this feature.

    Thanks,
    Stephen

  • thedean
    thedean
    Community Member

    Stephen:

    I am glad to hear you are least thinking about it for individual accounts. The fact that you have implemented account recovery options in your Team, Business and Family accounts tells me that you recognize this is a valuable feature.

    I mentioned the Shamir Shared Secret protocol, as it appears to be a rather simple, straight forward method for providing for account recovery in an individual account, while preserving your zero knowledge architecture.

    I look forward to you taking this step to improve the recovery of your individual accounts in the future.

    Dean

  • @thedean,

    On behalf of Stephen, you're welcome! :smile:

This discussion has been closed.