Feature Request - Disable forced download of secret key for non-admin accounts

This is a follow-on from the thread linked at the bottom.

I love 1Password, but some of its approaches assume the user is technical, and this is one of them. When you sign up to 1Password it forces you to download the Secret Key document before you can proceed. My request is to have the ability to either turn this off completely or make it optional (you can proceed without downloading the document).

Why does this make sense (to me):

  • Forced download makes sense for Personal accounts as there is no other way to recover. Business accounts however can recover via an admin and it already strongly reminds you to have 2 admins.
  • For business accounts a lot of people are non-technical; they don't care about this document and they are never going to print it
  • It's also something that they get confused by, the first question I get with any new user is what is this and why do I need it (despite the documentation)
  • Worse, most people will simply download the document to proceed and then leave it in their downloads folder creating a vulnerability

I don't believe the solution is shared access for admins to the Secret Key or document, as that violates the zero-knowledge approach; however, having the ability to turn this off for users keeps the security while closing a potential attack vector and making the process simpler for non-technical users.

https://discussions.agilebits.com/discussion/101614/so-all-my-people-get-issued-a-secret-key-and-theyre-supposed-to-do-what-with-it


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brenty

    Team Member

    One of the biggest issues facing 1Password users has been getting locked out of their own data. Even those who are part of family and business plans. There is no guarantee that there will be multiple admins or that any of them will be available. Banking on that means a lot of people lose everything unnecessarily. It is not a "vulnerability" to have the Emergency Kit in the downloads folder because it does not include the Master Password, as that is stored only in the brain of the individual. Someone who got that would not have everything they need to access the account. And, frankly, if someone has access to the device in order to get a file from it, there's a lot more they could do -- including installing malware to collect account credentials even if there is no Emergency Kit saved. So that would be an operational security issue entirely outside of 1Password.

    You make good points about user confusion, etc., but weighed against people losing their data I'm not sure that some inconvenience for a minority (admins) would justify many others losing their data. It's something we'll continue to discuss and evaluate, but we do not currently have plans to change this. It may be something that could be made optional for businesses in the future, but it's something best discussed via email at [email protected] so we can get a clearer sense of your specific use case, as there may be other things that would help that wouldn't put our customers at risk of losing their data. Data availability is necessarily part of data security.

  • I agree with forcing admins to download the file, but given that in a business account the admin can help recover account access for users, what value is there in increasing the onboarding friction for less technical staff?

    Sure, if (all) the admin(s) with recovery agent capabilities lock themselves out at once then they have a problem, but is one more non-technical user being locked out on top of this really the problem to solve?

    Maybe make the prerequisite that a company must already have at least 3 admin users, at least 10 total users, and at least 2 admin users enable the feature? And perhaps even start politely requesting admins enter their secret key once in a while, asking more and more frequently if they skip, so that they periodically prove they can come up with their secret key when needed?

    I'm not a business customer and don't see my current employer being interested at this phase, so I have no dog in this particular race, but in my experience about half of the non-technical users that I've tried to get hooked on 1Password simply don't make it through the learning curve to get going. I doubt (m)any give up because they need to download a file they don't want, but it is really tough to overcome the upfront pain of getting started when typing MySekretPassw0rd! into every site is just so much easier and every additional drop of "Why am I doing this" pushes them closer to just not bothering.

    And hey, if it isn't a big deal to leave Secret Keys lying around then here is mine:

    A3-XVD3AD-G5JQFE-HNAMY-BYFZA-AYDHQ-FCXHX.

    ;)

  • brenty

    Team Member

    @TheDave: I hope you're joking. If you read the earlier discussion, you'll see that what's being talked about is having the Secret Key on a person's computer, not posting it on the public internet. If that's really your Secret Key, I'd suggest changing it from your account's Profile page.

    Getting back to the Emergency Kit being saved locally on a device, unless the person is literally not signed into 1Password anywhere on that device (unlikely, given they just saved the Emergency Kit), the Secret Key is already stored there, regardless of whether or not the Emergency Kit is present. That was what I was getting at, but I guess I should have been more specific.

    I think it's great if you folks all have solid recovery plans in place, but that isn't something we can assume of everyone. We know this from experience, with the messages we get from customers. There's been a significant decrease in people getting locked out -- of individual, family, and business accounts -- since this was instituted. So it is going to take a lot to justify changing this, because it affects not just those asking for this change, but potentially all 1Password users.

    I think that you both make good points as far as this potentially being less of a concern within a business, and also some good suggestions as far as how to go about even allowing something like this in the first place. It's something we'll have to discuss. I just want to make it clear that there's a high bar because right now what we have helps many people not lose their data at the expense of some inconvenience to a few, so the alternative being proposed needs to somehow mitigate this damage or do enough good to offset it. And that is not an easy calculation to make, nor one that any of us are going to make lightly.

  • I am joking (the first two blocks are from a discontinued Secret Key, the rest is courtesy of strongpasswordgenerator.com) :)

    One of the things stressed in any modern security training (our company forces us through a couple for insurance/compliance reasons) is that you cannot trust unencrypted storage, nor your local filing cabinet or garbage can.

    Just because someone can read your files does not put them in a position to otherwise compromise you.

    Backups are often not treated with the same care and attention as primary storage (e.g. strong local encryption, with recoverable encryption being used on a cloud backup solution), old hard drives are not necessarily wiped (I've bought used equipment from a recycler that guarantees all drives are wiped or physically shredded -- Want to guess what I found on a used drive I bought?), cleaning staff might poke through your garbage or filing cabinet (especially if left unlocked, but most filing cabinet locks can be opened using a low-skill raking attack), users will backup their documents directory to a USB stick or even a second drive within a laptop (MicroSD cards can be used as a target for Windows File History or MacOS Time Machine type backups which maintain copies of old files even after the primary is deleted, both of which can be stored on unencrypted media).

    And do you really want to bet the proverbial farm on users creating good passwords? The last family member I got on 1Password liked the idea, understood the risks of reusing passwords, etc. And even started to use some unique passwords on other services. I was helping her out on her iPhone and I guess I rebooted or something because Touch ID wasn't offered so I asked her to punch in her password and she told me "Oh it's my usual password, with my favourite number on the end". I would be more comfortable publishing my own email address Secret Key in this post than hers because at least I know my 1Password password is both strong and not guessable. In other words, I consider the secret key to be the key to the encryption, the password is just to stop casual snoopers.

    (While I'm complaining, I should file yet another report with Microsoft because Bitlocker is even more annoying -- When you first encrypt your boot/OS drive it will require you to store your recovery key on unencrypted media or attached to your Microsoft account or you cannot enable Bitlocker. I can't even store it on the encrypted USB stick which contains all my encryption recovery keys, nor my encrypted cloud storage service -- I get not accepting the local drive as a safe backup location, but refusing to use external independently encrypted media is going too far).

    Am I paranoid? I prefer security conscious, but I'm not saying no. I don't think anyone is out to get me, but I still put in strong locks when I move into a new home and request the post office swap my lock rather than relying on the previous user to turn over all the keys, and I certainly never trust users to come up with a strong password.

  • @brenty thanks for the response. The community engagement is actually one of the reasons why I chose to move away from LastPass to 1Password. With security there is never a perfect decision, it's all a bunch of trade-offs, so I love the openness and engagement we get from you and the rest of the team.

    Re: the security key existing on the drive, I take your point. They aren't going to write the master password on it so it's only 1 piece of the puzzle so the risk is low.

    On the usability side, this is the major one for me. The problem I have is we always have people who already think a password manager is too complicated for them. This is only a minor thing but it is a complexity, during the crucial signup process. To a non-technical person it's something they really don't understand at all and adds to their belief that password managers are too complex for them. This just adds to my battle.

    For a Windows user this document would have sat in their downloads folder until one day they clean it up, and then it's gone anyway. So for my non-technical people it doesn't help in the long term (I would have assumed). There is a flip side to this: for the people that will store the document, forcing them to do it at the time means they actually do it rather than just say "I'll do that later" and never get around to it.

    For me I know most of my users will not fill out the document and it will be deleted out of their downloads folder within the next week to 6 months. We are also confident in our ability to always access and recover through our admin accounts, so for me it's a hurdle with no benefits.

    I'm at a startup at the moment with only 15 people so I can easily work around this, but when I think of previous large organisations where I have rolled out LastPass this would have been a pain.

    For me I would have the feature work like this:

    • Feature is disabled unless you have a minimum amount of admin accounts setup
    • In the admin console I have the ability to turn on optional secret key downloads for users
    • If turned on you could go two ways
    • Option 1 - Same login flow but you are able to proceed without physically downloading the document. Ie we can tell users to skip this step
    • Option 2 - (my preference) They are given a decision page to either download the key or proceed with not downloading it and telling them the risks / benefits of each.

    I understand there is always a lot to weigh up and there is never a perfect answer so that is why this was a feature request rather than a demand :)

    @TheDave regarding BitLocker, your encrypted USB key is decrypted at the time you are accessing it, so it doesn't provide any benefit over saving it to your local machine first and then moving it to an encrypted key or copying and pasting it into 1Password. If someone has access to your BitLocker key at the time you are generating it then it doesn't really matter where you are saving it; they have it (and everything else).

  • brenty

    Team Member

    > I am joking (the first two blocks are from a discontinued Secret Key, the rest is courtesy of strongpasswordgenerator.com) :)

    @TheDave: That makes me feel better. Thank you. :lol:

    > One of the things stressed in any modern security training (our company forces us through a couple for insurance/compliance reasons) is that you cannot trust unencrypted storage, nor your local filing cabinet or garbage can.

    We're certainly in agreement on that.

    > Just because someone can read your files does not put them in a position to otherwise compromise you.

    But this seems to contradict your previous point, though I'm sure you have some specific nuance in mind that you're not mentioning.

    What I'm saying is that someone who has access to the downloads folder, etc. also has access to other data stored on the machine which is not encrypted, and that would include the Secret Key if you're signed in there. It is obfuscated, but we should assume that anyone smart enough to try to get it could also figure out what to do with it when they did. Its purpose is to protect data in case we are compromised, not in case you are, because at that point, with an attacker inside your machine, all bets are off. I appreciate that you are not necessarily screwed if a novice is the attacker, but I don't think it's safe for anyone to assume that would be the case; so we should give attackers the benefit of the doubt with regard to competence and use appropriate security measures to keep them out accordingly.

    > Backups are often not treated with the same care and attention as primary storage (e.g. strong local encryption, with recoverable encryption being used on a cloud backup solution), old hard drives are not necessarily wiped (I've bought used equipment from a recycler that guarantees all drives are wiped or physically shredded -- Want to guess what I found on a used drive I bought?), cleaning staff might poke through your garbage or filing cabinet (especially if left unlocked, but most filing cabinet locks can be opened using a low-skill raking attack), users will backup their documents directory to a USB stick or even a second drive within a laptop (MicroSD cards can be used as a target for Windows File History or MacOS Time Machine type backups which maintain copies of old files even after the primary is deleted, both of which can be stored on unencrypted media).

    That's a really good point. But it's just not reasonable or responsible of us to presume that only "cleaning staff" will ever be in a position to "attack" or that they are non-technical. We can sit here all day concocting different scenarios, but ultimately we each need to take the necessary precautions based on our own personal threat models, and it just isn't realistic (without sticking to contrived hypotheticals) to treat the Emergency Kit as the weak link here, since there are other ways someone in that position can get the same information.

    > And do you really want to bet the proverbial farm on users creating good passwords?

    We don't bet anything on users creating good passwords themselves. We know better from experience -- and with years of research and password dumps from website breaches to draw from. We encourage people to use long, strong, unique passwords. But we can't force people to do that because we can't know anything about our customers' passwords. That's why the Secret Key exists: so that someone stealing encrypted data from us cannot perform a brute force attack against the user's Master Password. But that is certainly possible if they have access to one of your devices where you use 1Password. So long as you're using a good Master Password, it will take them longer than they have. But if you're using something weak or just reused, part of a password dump, it will not take long at all. That's just not something we have control over: user choice, and personal security -- i.e. leaving your computer open to being rifled through by cleaning staff; there are protections against that which anyone can use. That's far outside the scope of 1Password though.

    > The last family member I got on 1Password liked the idea, understood the risks of reusing passwords, etc. And even started to use some unique passwords on other services. I was helping her out on her iPhone and I guess I rebooted or something because Touch ID wasn't offered so I asked her to punch in her password and she told me "Oh it's my usual password, with my favourite number on the end". I would be more comfortable publishing my own email address Secret Key in this post than hers because at least I know my 1Password password is both strong and not guessable. In other words, I consider the secret key to be the key to the encryption, the password is just to stop casual snoopers.

    Definitely don't think about it that way. Day to day, your Master Password is your best defense -- and only defense, if we're talking about a device where you've signed in and unlock with just your Master Password, since your Secret Key is stored there.

    > (While I'm complaining, I should file yet another report with Microsoft because Bitlocker is even more annoying -- When you first encrypt your boot/OS drive it will require you to store your recovery key on unencrypted media or attached to your Microsoft account or you cannot enable Bitlocker. I can't even store it on the encrypted USB stick which contains all my encryption recovery keys, nor my encrypted cloud storage service -- I get not accepting the local drive as a safe backup location, but refusing to use external independently encrypted media is going too far).

    That's a whole other can of worms. Good idea, not storing it in your account. But yeah, I do wish it were easier to manage that for Windows.

    > Am I paranoid? I prefer security conscious, but I'm not saying no. I don't think anyone is out to get me, but I still put in strong locks when I move into a new home and request the post office swap my lock rather than relying on the previous user to turn over all the keys, and I certainly never trust users to come up with a strong password.

    You're in good company then. :) Better safe than sorry. I'm just pointing out that you're focusing on the wrong thing in this case. It's important that we all think about these things though, and hopefully my explanation helps you or others better focus that great paranoid/security-conscious energy where it can do the most good. :)
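    The two scenarios brenty contrasts above (a device where the account is signed in, so the Secret Key is already present, versus an attacker holding only the server's encrypted record) as an added worked example. This is not code from the thread or from 1Password: the derivation, the 34-symbol alphabet and the key shape are constructed approximations of the idea, not the product's actual algorithm.

```python
import hashlib
import hmac
import math
import secrets

# Constructed two-secret derivation in the spirit of the thread: the vault key
# depends on BOTH the Master Password (user-chosen, stretched with PBKDF2) and
# the Secret Key (machine-generated, high entropy). Illustration only, not
# 1Password's real algorithm or key format.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ23456789"  # constructed 34-symbol alphabet
GROUPS = (6, 6, 5, 5, 5, 5)                      # shape of the key quoted in the thread
ITERATIONS = 2_000                               # tiny on purpose so the demo is quick


def make_secret_key() -> str:
    """Random key in the A3-XXXXXX-... shape (constructed, for illustration)."""
    return "A3-" + "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(n)) for n in GROUPS)


def secret_key_bits() -> float:
    """Entropy of the constructed key: 32 symbols drawn from a 34-symbol alphabet."""
    return sum(GROUPS) * math.log2(len(ALPHABET))


def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Stretch the password, then mix in the Secret Key so that neither secret
    alone yields the vault key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                  ITERATIONS, dklen=32)
    sk_part = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(vault_key: bytes) -> bytes:
    """What the server keeps: a one-way value it can check at sign-in."""
    return hashlib.sha256(b"verifier|" + vault_key).digest()


def enroll(master_password: str, secret_key: str) -> dict:
    """Server-side record created at sign-up (salt + verifier only)."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, secret_key, salt)
    return {"salt": salt, "verifier": make_verifier(key)}


def check_guesses(record: dict, guesses: list, secret_key: str):
    """Scenario 1 (device where the account is signed in): the Secret Key is
    available, so the Master Password is the only remaining defence. Returns
    the guess that matches the stored verifier, or None."""
    for pw in guesses:
        key = derive_vault_key(pw, secret_key, record["salt"])
        if hmac.compare_digest(make_verifier(key), record["verifier"]):
            return pw
    return None


def check_guesses_record_only(record: dict, guesses: list, tries: int = 20):
    """Scenario 2 (only the server record was stolen): every password guess
    must also be paired with a Secret Key guess, and the ~163-bit Secret Key
    space makes that hopeless; `tries` random keys per password stand in for
    any realistic budget. Returns None in practice."""
    for pw in guesses:
        for _ in range(tries):
            if check_guesses(record, [pw], make_secret_key()) is not None:
                return pw
    return None


if __name__ == "__main__":
    weak = "MySekretPassw0rd!"                        # weak password quoted in the thread
    guesses = ["password", "123456", weak, "letmein"]  # constructed guess list
    sk = make_secret_key()
    rec = enroll(weak, sk)
    print("Secret Key entropy bits:", round(secret_key_bits(), 1))
    print("signed-in device (Secret Key known):", check_guesses(rec, guesses, sk))
    print("server record only:", check_guesses_record_only(rec, guesses))
```

    The point brenty makes in L-prose form falls out of the two checks: with the Secret Key on the device, a weak Master Password is found immediately; with only the server record, the same guess list gets nowhere.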

  • brenty

    Team Member
    edited May 30

    > @brenty thanks for the response. The community engagement is actually one of the reasons why I chose to move away from LastPass to 1Password. With security there is never a perfect decision, it's all a bunch of trade-offs, so I love the openness and engagement we get from you and the rest of the team.

    @Lee_B: Hey, likewise, thanks for engaging! It's easy when we've got so many smart, passionate people to talk to about this stuff, like you and TheDave. The alternative is kinda scary, to be honest. :lol:

    > Re: the security key existing on the drive, I take your point. They aren't going to write the master password on it so it's only 1 piece of the puzzle so the risk is low.

    Indeed, they could get the Secret Key another way, and likewise the Master Password, if they're at all competent and in such a position. That's my concern as far as security: it would be misleading for me to say "Sure, we'll ditch the Emergency Kit because that would solve this". It wouldn't, and it brings us right back to the original problem of people (not you I'm sure, but definitely others, believe me) getting locked out. Security becomes a moot point when it means the owner can't even get their own data. If that was the goal, we'd all just secure erase everything -- same result: no one can access it. :ohnoes:

    > On the usability side, this is the major one for me. The problem I have is we always have people who already think a password manager is too complicated for them. This is only a minor thing but it is a complexity, during the crucial signup process.

    That's where I totally get you: usability. I think you said this really well:

    > To a non-technical person it's something they really don't understand at all and adds to their belief that password managers are too complex for them. This just adds to my battle.

    That's 100% our battle. It shouldn't be yours. I'm sorry this is something you're dealing with as well. I'd encourage you to reach out at [email protected] to discuss your situation more in-depth. It's definitely something we want to improve. I'm not sure what the solution is, bearing in mind the concerns I've raised above. But it helps a lot to brainstorm, talking with people about the specifics of what they're facing as far as deployment and adoption. Part of us helping you is giving you better tools where we can, but support is crucial as well, since we've got experience helping people from a wide range of backgrounds become 1Password pros. We've learned a lot over the past decade or so, and we're always learning more and improving where we can.

    > For a Windows user this document would have sat in their downloads folder until one day they clean it up, and then it's gone anyway.

    Okay I will say that terrifies me too. It seems like it was fairly recently that Downloads was included with the clean up, but I may have just not noticed for a while. It's something worth considering.

    > So for my non-technical people it doesn't help in the long term (I would have assumed). There is a flip side to this: for the people that will store the document, forcing them to do it at the time means they actually do it rather than just say "I'll do that later" and never get around to it.

    I am not really following you here. Can you clarify? I want to make sure I'm not missing your point.

    > For me I know most of my users will not fill out the document and it will be deleted out of their downloads folder within the next week to 6 months. We are also confident in our ability to always access and recover through our admin accounts, so for me it's a hurdle with no benefits.

    That's awesome! I'm really happy to hear that. I agree it would be nice to be able to "reward" (probably the wrong word) folks like you in this position by streamlining things, if we can find a good way to verify that we're not just giving a company an easy way to shoot themselves in the collective foot. Put another way, your point earlier about companies being in a better position to have a means of recovery is a good one...but the corollary is that a company potentially has a lot more to lose than an individual or family getting locked out of their data, since there are probably many individuals and families dependent on the success of the company.

    > I'm at a startup at the moment with only 15 people so I can easily work around this, but when I think of previous large organisations where I have rolled out LastPass this would have been a pain. For me I would have the feature work like this:
    >
    > • Feature is disabled unless you have a minimum amount of admin accounts setup
    > • In the admin console I have the ability to turn on optional secret key downloads for users
    > • If turned on you could go two ways
    > • Option 1 - Same login flow but you are able to proceed without physically downloading the document. Ie we can tell users to skip this step
    > • Option 2 - (my preference) They are given a decision page to either download the key or proceed with not downloading it and telling them the risks / benefits of each.
    >
    > I understand there is always a lot to weigh up and there is never a perfect answer so that is why this was a feature request rather than a demand :)

    That makes a lot of sense. Very thoughtful. I'll bring it up with the team. :)

    ref: b5/b5#6054

  • > @TheDave regarding BitLocker, your encrypted USB key is decrypted at the time you are accessing it, so it doesn't provide any benefit over saving it to your local machine first and then moving it to an encrypted key or copying and pasting it into 1Password. If someone has access to your BitLocker key at the time you are generating it then it doesn't really matter where you are saving it; they have it (and everything else).

    This might be pedantic, but stick with me: My USB key is absolutely not decrypted at the time I am accessing it. Within the OS, sure, I can access the unencrypted data (it would be useless if I couldn't), but the physical bytes on the physical media are encrypted.

    Why this isn't pedantic and is a real-world consideration:

    1) My USB stick is already encrypted. Every one I own, other than my Windows 10 installation disk, is. I need to either grab a new one from a package and use it, or decrypt/format a USB stick and re-encrypt it again (which means storing even more recovery information, although I don't get forced to save this unencrypted anywhere).

    2) You cannot trust deleting content from flash media to actually remove anything. You cannot even trust that overwriting the entire disk actually overwrites everything either as all SSD drives and at least some flash media have slack space which the drive controller allocates on the fly. Certainly doing a full overwrite makes it likely that the content is gone as the drive certainly won't have 50% slack space, but you can't guarantee it.

    Only by ensuring that your content is never ever written to media (be it flash storage or paper) unencrypted, not even once, can you make any guarantees so this is my goal when I approach data that requires encryption (which is everything -- I have client data in my Contacts list which would be subject to mandatory disclosure should I lose an unencrypted copy).

  • brenty

    Team Member

    I don't quite follow point 1, but #2++. Not something that is relevant to everyone, but it makes sense -- especially in your use case. Cheers! :)
