
Account Key storage for remote access?

lehrblogger
Community Member

I'm in the process of evaluating whether the new 1Password Accounts for Individuals service meets my needs. I appreciate the focus on security, but worry that the Account Key makes it too slow to recover from certain situations. For example:

While traveling abroad, my phone is damaged. I'm able to get it repaired, but in the process the device is erased. The only other person with access to the safe deposit box is traveling with me, so I have no way to recover my Account Key, and am locked out of all of my accounts until I return.

The options I see for preventing this scenario are:

  1. Memorize my Account Key, which is difficult without having to type it regularly
  2. Bring a printed copy of the Account Key with me when traveling, which is somewhat brittle (what if my wallet is stolen?) and a bit of a hassle.
  3. Save the account key to some password-protected cloud-based service, so I can access it from anywhere.

Does anyone have any recommendations for this scenario? Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:account key cloud

Comments

  • Hi @lehrblogger! Welcome to the forum, and thanks for asking about this. We all work remotely here at AgileBits, which means we travel a bit now and again. I personally travel all the time and am currently in Europe for a few months. I carry an iPad, Mac, and iPhone with me (Apple Watch doesn't count for 1Password right now). So I definitely hear your concern. To help, I would usually recommend carrying your Emergency Kit with your passport and other special documents. However, I personally just carry the Account Key for my main account, which has all my other account info in it. I know the Master Password and sign-in address so I would be all set with that.

    To keep it nice and easy to read, I printed it in a large courier font. That's what I would recommend to a fellow traveler, since it works very well for me. I've never had to use it, though, because I have three devices with my Account Key on them. I also have a flash drive with my Emergency Kits. Hope this provides some inspiration. It's a bit basic, but hey. :sunglasses:

  • lehrblogger
    Community Member

    @Jacob, thanks for the response! That sounds like a pretty good setup.

    I somewhat recently got a Yubikey to help mitigate inconvenience from a damaged phone, since I also rely on it to access my 2FA accounts. Would it be possible for 1Password to add support for a dedicated device like that, which could substitute for the Account Key?

  • AGAlumB
    1Password Alumni

    @lehrblogger: Just to expand on what Jacob said, remember that you can access your Account Key from any authorized device/browser. So unless you literally only bring your phone, you probably have another way of getting to it already! Like Jacob, I usually have way more devices with me than seems reasonable.

    We can certainly consider adding other security measures, but our chief concern is making sure they are easy to use and available. For now we're sticking with the Account Key, which is great because it's never transmitted anywhere. And we're also testing Duo in 1Password Teams. Thanks for letting us know your preference! :)

  • lehrblogger
    Community Member
    edited November 2016

    @brenty, thanks, and sorry for my delay responding. I've finally come up with a possible answer to my question, and I thought you, @Jacob, and other users on this forum might be interested. Feedback is definitely appreciated!

    My favorite vacations tend to be those on which I bring the minimum number of devices, so I don’t want to rely on having a backup device with me. The obvious places in which I might put a slip of paper with my Account Key – my wallet, or with other important documents like my passport – are, like my devices, targets for thieves. I also feel that it’s too easy to accidentally lose or damage paper, and I don’t want to be preoccupied with checking to make sure I still have it. I do always have my keys, however, which is why something on my keychain sounds appealing[1].

    I did some more investigation into the capabilities of my Yubikey, and learned that it actually has two configurable slots. The first slot is used (by factory default) for generating the one-time passwords required by various 2FA accounts, but the second slot ships empty and can be configured using their personalization tool to “type” a static password up to 38 characters in length[2]. Account Keys are 40 characters in length, but it seems like the dashes are always in the same places, so the Account Key could be stored without them and then the dashes could be re-inserted manually when needed. It made me slightly uncomfortable, however, to have my Account Key accessible in plain text to anyone who had my Yubikey; it’s almost always on my person, but I didn’t want to have to worry about it lying around.

    For peace of mind, I decided to use OpenSSL to encrypt the Account Key before saving it as a static password on my Yubikey. It was a bit of a puzzle to make this work within the constraint of 38 characters – not even 38 bytes, but 38 characters that can be “typed” by a device pretending to be a keyboard.

    1. I needed to use a counter cipher to do the encryption, such as aes-256-ctr[3], so that the output was the same number of bytes as the input.
    2. I needed to specify the output as base64, so that the resulting characters are type-able by the Yubikey. Unfortunately, base64 would require more characters than output as raw bytes due to the limited character set, which was a problem until...
    3. I realized that the original Account Key is already base64, so I can first decode it as slightly fewer bytes, and then, after it was encrypted and spit back out as base64, it would fit on the Yubikey.
    4. To get the base64 padding to work out, and remind myself about the dash locations, I kept the first two and replaced them with pluses, which are valid base64 punctuation not otherwise in the Account Key.

    The resulting shell command looks like this:

    # base64-decode the 36-character packed Account Key to 27 raw bytes,
    # encrypt them with AES-256-CTR (same number of bytes out as in),
    # re-encode as base64 and put the result on the clipboard for the
    # YubiKey personalization tool
    echo -n "A3+C8SDV+5KG65JDJWKS7VM7EZDR2D24RB8P" | \
    openssl enc -base64 -A -d | \
    openssl enc -base64 -aes-256-ctr -nosalt -k 'this will be a strong password' | pbcopy
    

    Then, to recover the Account Key, I just need to reverse the process:

    # take the single-line ciphertext the YubiKey typed (-A: no newline
    # expected), base64-decode and decrypt it, then re-encode the 27 raw
    # bytes as base64 to get the packed Account Key back
    pbpaste | \
    openssl enc -base64 -aes-256-ctr -nosalt -k 'this will be a strong password' -A -d | \
    openssl enc -base64
    

    Note that the password I choose will be one I have to remember, but also different from my Master Password; if the Internet-café machine I'm using to recover my Account Key is somehow compromised, I don't want to be entering both credentials for my account. I imagine it might be a bit of a hassle to find a machine that has, or on which I can compile, the proper version of OpenSSL, so I might set up a simple website that I can use for the decryption.

    If you made it this far, thanks for reading! Does this sound workable? Is there anything I've overlooked?


    [1] I realize that storing my Account Key on an encrypted USB flash drive would accomplish basically the same thing. I prefer the Yubikey, however, because it's already always on my keychain, so I don't need to carry another object. Also, the Yubikey is slightly more likely to be compatible with whatever machine I'm using to recover the key, and slightly less likely to become accidentally erased.
    [2] There is an option for using a slot to generate a static password up to 64 characters in length, but I don’t think you can actually choose what that password is, so it doesn't work for this use case. Alternatively, I thought about using the challenge-response option for the empty slot, but I think I'd need to brute-force HMAC-SHA1 to end up with a response – my Account Key – that corresponds to the desired challenge – my password. That's mostly infeasible, and even then, I don't think the responses are long enough anyway.
    [3] The version of OpenSSL that ships with macOS Sierra, 0.9.8zh, didn't have counter ciphers, so I had to download 1.1.0b from openssl.org.

    [Edited for typos and clarification.]
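    The procedure above (steps 1 to 4, the two shell commands, and the -A newline fix reported further down the thread) consolidated into checkable shell functions. This is an added example, not the original poster's commands, and it assumes a POSIX shell with openssl 1.1.0 or newer on PATH. The Account Key is a constructed sample in the documented A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX shape, not a real key; the wrapping password is read from a hypothetical WRAP_PASS environment variable (-pass env:) rather than given with -k, so it does not land in shell history or process listings; and -md sha256 pins the password-to-key derivation, which otherwise differs between OpenSSL 0.9.8/1.0.x (MD5) and 1.1.0+ (SHA-256), so a key wrapped on one machine unwraps on another.

```shell
#!/bin/sh
# Added example (not the forum poster's own commands): the thread's OpenSSL
# wrapping scheme for a 1Password Account Key, as shell functions that check
# the 38-character YubiKey static-password limit and the round trip.
# Assumes: POSIX sh, sed, and openssl 1.1.0+ (for aes-256-ctr) on PATH.
set -eu

# Hypothetical wrapping password. Passed to openssl through the environment
# so it never appears on a command line. It must NOT be the Master Password.
WRAP_PASS='this will be a strong password'
export WRAP_PASS

SLOT_MAX=38   # static-password slot limit quoted in the thread

# 40-char Account Key -> 36-char packed form. The first two dashes become
# '+' (valid base64, never present in an Account Key, and it brings the
# length to a multiple of 4 so no base64 padding is needed); the remaining
# dashes are dropped.
pack_key() {
  printf '%s' "$1" | sed 's/-/+/; s/-/+/; s/-//g'
}

# Inverse of pack_key: '+' back to '-', then dashes re-inserted at the
# fixed group boundaries 2-6-6-5-5-5-5.
unpack_key() {
  printf '%s' "$1" \
    | sed 's/+/-/g; s/^\(.\{10\}\)\(.\{6\}\)\(.\{5\}\)\(.\{5\}\)\(.\{5\}\)/\1\2-\3-\4-\5-/'
}

# Packed key -> same-length base64 ciphertext. The packed key is treated as
# base64 and decoded to 27 raw bytes, encrypted with AES-256-CTR (no length
# expansion; -nosalt avoids the 16-byte "Salted__" header, which would not
# fit), then re-encoded. Base64 gets its own openssl call with -A on both
# sides, so the single line the YubiKey types, without a newline, decodes.
wrap_key() {
  printf '%s' "$1" \
    | openssl enc -base64 -A -d \
    | openssl enc -aes-256-ctr -nosalt -md sha256 -pass env:WRAP_PASS \
    | openssl enc -base64 -A
}

# Ciphertext exactly as typed by the YubiKey -> packed key. CTR mode has no
# integrity check, so a wrong password or a mistyped character decrypts to
# garbage without any error; the A3+ prefix test is a cheap sanity check
# (about 18 bits), not authentication.
unwrap_key() {
  _out=$(printf '%s' "$1" \
    | openssl enc -base64 -A -d \
    | openssl enc -d -aes-256-ctr -nosalt -md sha256 -pass env:WRAP_PASS \
    | openssl enc -base64 -A)
  case $_out in
    A3+*) printf '%s' "$_out" ;;
    *)    echo "unwrap_key: wrong password or corrupted ciphertext" >&2; return 1 ;;
  esac
}

# True if a string fits the static-password slot.
fits_slot() { [ "${#1}" -le "$SLOT_MAX" ]; }

# Demo on a constructed sample (not a real Account Key).
SAMPLE='A3-ABCDEF-GHJKLM-NPQRS-TUVWX-YZ234-56789'
packed=$(pack_key "$SAMPLE")
wrapped=$(wrap_key "$packed")
if fits_slot "$wrapped"; then
  echo "program into the slot: $wrapped (${#wrapped} chars)"
fi
recovered=$(unpack_key "$(unwrap_key "$wrapped")")
if [ "$recovered" = "$SAMPLE" ]; then
  echo "round trip OK: $recovered"
fi
```

    Two caveats the thread leaves implicit. With -nosalt the key and IV derived from the password are fixed, so CTR reuses the same keystream for every value wrapped under that password; wrapping two different keys under one password lets anyone holding both ciphertexts XOR them to recover the XOR of the plaintexts, so use each wrapping password for exactly one Account Key. And because the YubiKey static password is delivered as USB keyboard scan codes, a host keyboard layout different from the one the slot was programmed under can change which characters appear (the '+' in particular), so it is worth confirming the typed string decrypts on a spare machine before relying on it abroad.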

  • lehrblogger
    Community Member
    edited October 2016

    Edit: Made the necessary corrections, so this can be safely ignored. Just keeping it here for context.

    I noticed there's a typo in the first shell command – there's a ` that should be a ' at the beginning of the password. I also forgot something in the second footnote, so I'd edit it to read as below.

    (If someone with edit permissions wants to make those changes and delete this, that's fine with me.)


    [2] There is an option for using a slot to generate a static password up to 64 characters in length, but I don’t think you can actually choose what that password is, so it doesn't work for this use case. Alternatively, I thought about using the challenge-response option for the empty slot, but I think I'd need to brute-force HMAC-SHA1 to end up with a response – my Account Key – that corresponds to the desired challenge – my password. That's mostly infeasible, and even then, I don't think the responses are long enough anyway.

  • AGAlumB
    1Password Alumni

    @lehrblogger: Ah, interesting: old-school Yubikey! That definitely sounds workable, but I have to say it's more trouble than I'd be willing to go to just to avoid bringing my iPad with me on vacation. But I guess it depends on where you're going and what you'll be doing. I admire your dedication! :) :+1:

    I've made the changes you suggested to your previous post. Just double-check it for me. Good stuff! :sunglasses:

  • lehrblogger
    Community Member

    Yep, looks great, thanks! Feel free to delete these comments about it too ... I couldn't bear the thought of someone copy-pasting the command and being frustrated when the string wasn't properly quoted :)

  • AGAlumB
    1Password Alumni
    edited October 2016

    @lehrblogger: No problem! If you don't mind, I've updated that post but left it for context so we don't sound like two crazy people. Thanks again for the correction there. That will definitely be less confusing for someone else who wants to try your method. Cheers! :)

  • lehrblogger
    Community Member

    Sounds good, and thanks again!

  • AGAlumB
    1Password Alumni

    Likewise! Have a great weekend! :) :+1:

  • lehrblogger
    Community Member

    @brenty Alas, I noticed there's another, somewhat trickier mistake in the second shell command. It should actually be as follows, and you can again feel free to edit accordingly. Sorry about that!

    pbpaste | \
    openssl enc -base64 -aes-256-ctr -nosalt -k 'this will be a strong password' -A -d | \
    openssl enc -base64
    

    The difference is that -A in the second line, which is "used with -[base64|a] to specify base64 buffer as a single line." Without it, the commands work properly if you just use the output of the first directly as the input of the second, but if you actually try to copy the encrypted Account Key from text written by the Yubikey, it won't have the newline, and will mysteriously fail to decrypt. I think I had it there previously, but got overzealous when trying to clean everything up for the forum post :(

  • AGAlumB
    1Password Alumni

    @lehrblogger: Ah, good catch! It also doesn't help that formatting is a bit weird sometimes for things like that here. I've updated your original post. Thanks again! :)

  • lehrblogger
    Community Member

    @brenty Thanks! Yesterday I got everything migrated from Dropbox syncing to the new hosted account service, and everything is great so far. Next, I might try to figure out how to use CryptoJS or similar for the Account Key decryption, so I can do it from anywhere without first installing OpenSSL...

  • Sounds great! Feel free to post what you find best here. I'm sure folks would love to learn from it in the future. :)

This discussion has been closed.