Bulk removing "old" authorised devices/browser sessions (And is it unnecessary?)

Hello

I have just accessed my 1Password for Families account via a web browser as I needed to deauthorise a specific device (it had been stolen).

In the process of doing this I noticed that I have an enormous list of 'authorised devices' going back as far as 2015. These were primarily browser sessions. I appreciate this is probably caused by the fact I clean my browser cookies regularly and so each time I access the 1Password portal a new authorisation is made. But this raises 2 questions in my mind:

  1. I wanted to remove the authorised devices that were clearly out of date/unused, but had to do so 1-by-1. There were around 30 of these and so a bulk delete capability would have been very helpful. Does one exist?
  2. How necessary is it to do this? What is the security risk of having such legacy authorisations that are no longer being used? (FYI: As a result of this I've now found the same issue with other accounts (eg Dropbox) so am keen to understand the security implications in general)

If someone more knowledgeable could advise I'd appreciate it

///Paul

Comments

  • BenBen AWS Team

    Team Member

    Hi @sphardy,

    When you authorize a device your Secret Key is stored on that device. In the event that you either remove that authorization through the web interface or you've removed the Secret Key from it by clearing the cache or other means, the Secret Key will need to be input in order to log in. The fact that it is listed as an authorized device is essentially irrelevant if you've otherwise removed the Secret Key from it. I can't really comment on the implications for things other than 1Password. There is no reason to assume that because what I've said here is true for 1Password that is also true for other services or apps.

    Ben

  • Further to this - I have a guest user for our Team who is a Virtual Assistant. The old VA is gone, and I've just onboarded the new VA, which I've achieved by initiating a Recovery Action.

    Will all of the old VA's authorised devices be invalidated by the creation of the new Master password (via Recovery Action)?

    TIA

  • I would recommend keeping the device list clean, so you immediately see if there's a device on there that should not be. I check the list regularly for my account.

  • BenBen AWS Team

    Team Member

    @memeLab

    Will all of the old VA's authorised devices be invalidated by the creation of the new Master password (via Recovery Action)?

    Only in that they will be prevented from receiving updates to data created or edited after this change. Their access to existing data on their devices is not revoked. The only real way to "revoke" access to data is to change that data. Also, it might be worth considering what benefit re-using the same 1Password account for the new VA provides, vs deleting the old account and creating the new VA their own. Especially considering this is a guest account I'm not sure I see the benefit of doing recovery vs deleting and creating new.

    Ben
