Old email not rejected for login after I changed email for my 1Password account

I changed my email for the 1Password account using its web interface at https://my.1password.com/profile. Now the new email is shown as my email, so it seems I could have successfully changed my email.

However, I found I can still log in using my old email (of course with the valid secret key and master password). I logged out, and then tried logging in with the old email. I used Safari's private window to make sure no information is stored in the browser. And I could successfully log in with the old email, and after the log-in, the browser shows the new email. I tested the same using a totally irrelevant email as well, and in that case login was rejected, which indicates my old email is still stored with my account.

Is this an expected behavior? How can I remove the old email from the account information?


1Password Version: 7.5
Extension Version: Not Provided
OS Version: macOS 10.15.5
Sync Type: Not Provided

Comments

  • Lars Junior Member

    Team Member

    Welcome to the forum, @tkr, and well-spotted! :) The 1password.com server will allow you to sign in with either the old or new email address for up to 30 days after you change your email address (provided no one uses the old email address to create a new, different 1Password account). This is both in case you forget and use the old email address, but also allows the client apps (which need to authenticate to the server) to sign in using the old email address and be silently and invisibly updated to the new one, without you having to go re-sign-in on all devices. It's basically a convenience feature, to save you some time. :)

  • tkr

    Thank you very much, Lars. So it's an expected behavior. However, I would say doing that without an explicit explanation to the user is a bad idea.

    With this user interface, the user would naturally understand that the old email is immediately invalidated. I agree that it's convenient for the purposes you mentioned, but at the same time it could be risky if the purpose of changing registered email is to invalidate the old email. So the only way to remove the old email is to wait 30 days or to make another dummy account using the old email address?

    My suggestion is a more explicit UI for this. You may show the old email in the user profile page while it's valid with a button like "Remove" to allow the user to immediately invalidate the email.

  • DanielP

    Team Member

    @tkr:

    I discussed this behavior very recently (just a couple of weeks ago if I am not mistaken), so it's great that you brought this up. If you don't mind, I would like to ask you a couple of questions to understand if there is a smart way we can change this without breaking existing features (and in fact, if it makes sense to do so). As Lars said, this is a convenient way to avoid all clients having to reauthenticate manually, so it would really be nice to keep doing this if possible (if you are like me and use 1Password on several devices, you can surely appreciate the convenience :) ).

    > I agree that it's convenient for the purposes you mentioned, but at the same time it could be risky if the purpose of changing registered email is to invalidate the old email.

    Can you give me an example of a scenario where you would want to immediately invalidate the email? I think I know where you are coming from with this, but remember that the old email is used exclusively to sign in from that point on (and for only 30 days). The old email should not be used for communications or notifications anymore from that point on, and even in the case where this email was compromised, you would not be able to login to the 1Password account without the Secret Key and Master Password anyway.

    > My suggestion is a more explicit UI for this. You may show the old email in the user profile page while it's valid with a button like "Remove" to allow the user to immediately invalidate the email.

    We have to be careful here I think. I can see a scenario where you do this, which then causes the user to get a notification on all of their devices to reauthenticate, and the user then dismisses some of them for lack of time. This means that 1Password on those devices would effectively go offline. And the user might only realize the need to reauthenticate at typically the worst possible time, e.g. when traveling.

    The challenge is that we should be mindful of data availability as well. Because the old email won't be used for anything other than to allow convenient client updates, I believe the current implementation managed to strike a sensible balance in this case. But I am happy to hear your example scenarios, perhaps there is something that we have not considered, and that we keep in mind while we continue improving things.

    ===
    Daniel
    1Password Security Team

  • tkr

    DanielP,

    My concern is simple. The system seems to store some information without telling the user that it stores the information. This is by itself a bad behavior in my opinion. After knowing this behavior, naturally, some may now wonder what other information the system may keep and how long. If the UI I supposed could cause problems, then I think the system may just provide a clear message, saying the old email will be kept for 30 days. I still think the user should be able to control what user information is stored in the system though.

    A very simple scenario in which a user may try to invalidate the old email is that he or she lost a post-it memo on which all the login information is written. I don't do that but some may. And because the current UI behaves like the login email can be invalidated by registering a new one, the user may think that it's safe by just changing the email, without changing the master password. The user should have a chance to know that it's not safe.

    But again, even without such scenario, I think storing some user information without notifying the user and with behaving as if the information is deleted is not good by itself.

  • DanielP

    Team Member

    @tkr:

    > A very simple scenario in which a user may try to invalidate the old email is that he or she lost a post-it memo on which all the login information is written. I don't do that but some may. And because the current UI behaves like the login email can be invalidated by registering a new one, the user may think that it's safe by just changing the email, without changing the master password. The user should have a chance to know that it's not safe.

    I find it hard to imagine that a user, knowing that their login credentials have been fully compromised, would assume that changing the email address without changing the Secret Key and Master Password would be enough to secure the account again. In my personal experience helping 1Password customers over the years, I actually noticed the opposite: users who realized their credentials had been exposed tend to reach out to us asking how to change Secret Key and Master Password, and I cannot remember a discussion where I was asked the same thing specifically about the email address in such a scenario.

    I think this is the same behavior you typically see when any account gets compromised: your first reaction is to change the password for the compromised account, rather than the email address. But then again, I have no way to scientifically prove that this is always the case, so I think we are looking at the topic from the wrong perspective.

    I can see the reason behind making it clear that the old email address can be temporarily used to avoid lockouts though. Perhaps there is something we can do to make that clearer. I will bring this up with the team at the next opportunity and will have a discussion with them.

    ===
    Daniel
    1Password Security Team

  • tkr

    Daniel,

    I know that the scenario I wrote is not likely to happen. I can guess you have never experienced such a user. But that is not the point. The user in the scenario is logically correct based on the information provided by the current UI. And actually I think there's a motivation not to change the master password. Without a device like Touch ID, a user may need to type the master password many times, but not the email. The user may want to keep using the same master password to avoid remembering a new one. I know this is also a stupid idea, but it's logically correct.

    By the way, probably even a simpler scenario is that a user just wants to remove the email address from your server. How can this be achieved?

  • DanielP

    Team Member
    edited May 29

    @tkr:

    If you mean how to expire this email that you have just changed from, and this email alone, currently you would wait the 30 days. On the other hand, if you mean how to remove everything altogether from the system, you would delete the account.

    ===
    Daniel
    1Password Security Team

  • tkr

    I see. So, the right way to change the email and remove the old one from your server immediately is for now to delete the account and create a new account with the new email address instead of using the change email UI. This was the question I made on this topic. Thank you very much.

  • DanielP

    Team Member

    @tkr:

    You are welcome. For reference: if you want to discuss data removal in more detail now or in the future (it sounds to me like you are asking about GDPR rights in your last message), I encourage you to reach out to us via email as [email protected], so we can handle this privately without having to share account information here in public.

    ===
    Daniel
    1Password Security Team

  • tkr

    Daniel,

    Maybe related, but I don't think I was talking about GDPR rights. I will contact you if I want to control some personal information which obviously I can't control through the UI. The issue here is the system's UI that pretends that the old email is deleted by registering a new one, but actually not. I noticed by chance that it was not actually deleted. But most likely no one would notice it since the system behaves like it was deleted. Don't you think this is a problem?

  • XIII

    Is this behavior documented somewhere?

    For me it was an unpleasant surprise...

  • ag_ana

    Team Member

    @tkr, @XIII:

    Thank you both for your thoughts on this! As Daniel said, he will discuss this internally with the team :+1:

  • tkr

    I have a follow-up question that I mentioned briefly in one of the comments above, which hasn't been answered.

    What other information might the system keep in the same way? For example, is the device information deleted immediately when the user deauthorizes one? How about credit card information?

    I'd say it is natural that some users may have these kinds of concerns, based on the fact that we now know that the old email address is kept in the 1Password system without notification.

    I'd appreciate it if you would make it super clear how the system handles user information including these.

  • Lars Junior Member

    Team Member

    @tkr - as mentioned above, the previous email address is kept in the system for 30 days, so users don't have to immediately re-auth in all 1Password apps they use. They will have to reauth if there are any 1Password apps they don't open for more than 30 days after the change, because we do remove the previous email address after that.

    We use Stripe as our payment processor for 1password.com accounts, so we never have your full information at all, even while accounts are active. That's handled transparently and securely via Stripe, and they are PCI-DSS compliant.

    In terms of the 1password.com account itself, you can delete your entire account using these instructions. Hope that's helpful.

  • tkr

    How about devices? Also, is there any other information stored without telling users so? Is the whole behavior discussed here documented somewhere? These are already asked above and I'd like to know these too.

    By the way, what disappointed me through the conversation in this topic is that you seem to consider that convenience is more important than transparency. You guys always emphasize how it improves users' convenience before discussing the problem. As I already said above, I understand that feature is useful for the purpose you explained. But I don't think it can be a reason for disregarding transparency. I'd expect that the company especially of the product like 1Password should give the highest priority to transparency of user data handling.

  • Lars Junior Member

    Team Member
    edited June 5

    @tkr - I don't understand your initial question ("How about devices?"). Can you elaborate? Regarding transparency, your points are well-taken and, along with DanielP, I'll share them internally.

  • tkr

    > For example, is the device information deleted immediately when the user deauthorizes one?
    > Also, is there any other information stored without telling users so?
    > Is the whole behavior discussed here documented somewhere?

    I mentioned the device for an example. The second and the third questions are the more general questions that I'd like you to clarify.

  • Lars Junior Member

    Team Member

    @tkr - thanks. Devices are deauthorized immediately once you deauthorize them in your profile. The fact that a deauthorized device was once active is not deleted. We do indeed document these things, in both (primarily) our Privacy Policy and our Terms of Service.

  • XIII

    I don’t see the behavior discussed in this topic (keeping old email addresses) in the Privacy Policy.

    Best match would be the 35 days on backup, but that’s not the same, I think.

  • Lars Junior Member

    Team Member

    @XIII - it's not, you're right. We established that earlier in the thread. :) My understanding of the question was: do you document your data/privacy policies generally, to which the answer is: yes, we do.

  • This question is unanswered: What other information might the system keep in the same way?

  • XIII

    @Lars Oh, then I misunderstood. Sorry!

  • The silence of 1Password in response to this question is telling.

  • ag_ana

    Team Member

    @soshiito:

    > This question is unanswered: What other information might the system keep in the same way?

    Those included in the privacy policy and terms of service linked to above :+1:
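
The grace-period behaviour described in this thread (old address accepted for 30 days unless a new account claims it), together with the visibility and "Remove" control tkr asks for, can be modelled as follows. This is an added example, not 1Password's code: `Directory`, `Account` and every method name are hypothetical, and the addresses are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

GRACE = timedelta(days=30)  # grace period stated in the thread

@dataclass
class Account:
    email: str
    aliases: dict = field(default_factory=dict)  # old address -> expiry time

class Directory:
    """Hypothetical account directory. resolve() only maps a sign-in
    address to an account; the secrets are still checked separately."""

    def __init__(self):
        self.accounts = []

    def _claim(self, email):
        # A primary address is unique; claiming an address ends any
        # grace-period alias another account still holds on it.
        if any(a.email == email for a in self.accounts):
            raise ValueError("address already in use")
        for a in self.accounts:
            a.aliases.pop(email, None)

    def register(self, email):
        self._claim(email)
        acct = Account(email)
        self.accounts.append(acct)
        return acct

    def change_email(self, acct, new_email, now):
        self._claim(new_email)
        acct.aliases[acct.email] = now + GRACE  # old address stays usable
        acct.email = new_email

    def resolve(self, email, now):
        for a in self.accounts:
            if a.email == email:
                return a
        for a in self.accounts:
            expiry = a.aliases.get(email)
            if expiry is not None and now < expiry:
                return a
        return None

    def active_aliases(self, acct, now):
        # What a profile page could show so the retention is visible.
        return sorted(e for e, exp in acct.aliases.items() if now < exp)

    def revoke_alias(self, acct, email):
        # Immediate invalidation; clients using the old address must re-auth.
        return acct.aliases.pop(email, None) is not None
```
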
