Bulk removing "old" authorised devices/browser sessions (And is it unnecessary?)

Hello

I have just accessed my 1Password for Families account via a web browser as I needed to deauthorise a specific device (it had been stolen).

In the process of doing this I noticed that I have an enormous list of 'authorised devices' going back as far as 2015. These were primarily browser sessions. I appreciate this is probably caused by the fact I clean my browser cookies regularly and so each time I access the 1Password portal and new autorisation is made. But this raises 2 questions in my mind:

  1. I wanted to remove the authorised devices that were clearly out of date/unused, but had to do so 1-by-1. There were around 30 of these and so a bulk delete capability would have been very helpful. Does one exist?
  2. How necessary is it to do this? What is the security risk of having such legacy authorisations that are no longer being used? (FYI: As a result of this I've now found the same issue with other accounts (eg Dropbox) so am keen to understand the security implications in general)

If someone more knowledgeable could advise I'd appreciate it

///Paul

Comments

  • BenBen AWS Team

    Team Member

    Hi @sphardy,

    When you authorize a device your Secret Key is stored on that device. In either the event the you remove that authorization through the web interface or if you've removed the Secret Key from it by clearing the cache or other means then the Secret Key will need to be input in order to log in. The fact that it is listed as an authorized device is essentially irrelevant if you've otherwise removed the Secret Key from it. I can't really comment on the implications for things other than 1Password.. There is no reason to assume that because what I've said here is true for 1Password that is also true for other services or apps.

    Ben

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file