How to handle security while traveling (and potentially losing devices)

slobizman Junior Member

I've been thinking a lot about security and access to accounts should I lose my phone (and potentially be robbed of all devices with me) while traveling in a foreign country. I have done all the right things: 2FA (with Google Authenticator) on important accounts, including Gmail and Apple; random, unique answers to security questions; etc. I've been researching what steps would be required to access accounts, particularly Google (Gmail) and Apple (iCloud), without my phone or secondary device in another country (outside the US). It's not pretty. Without my iPhone or other trusted device, I'm not going to be able to use 2FA. And if I lose my phone and still have my MacBook (not if I'm robbed), Authenticator does not work on it.

If I were without access to my accounts, some important things I do each day, work-wise, would not be able to be done, and I might have to end the travel early.

So, what to do? Switching to 2-Step Authorization (SMS) isn't helpful as I would not be able to receive the text. And SMS is not secure anyway. I'm considering turning off 2FA while on a vacation. With the random, complex, and unique-to-each-account Security Question Answers I use (stored in 1Password), no one would be able to pass a security answers test. They wouldn't get my password in the first place since they are super strong. So, what would be the problem with this method while on vacation? Please blow holes in the idea and offer any suggestions on how to otherwise handle travel and security.

Thanks.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • edited September 2017

    Some services, like Gmail, give you the ability to generate a series of one-time passwords (OTP). You could store those in 1Password as a note.

    One neat feature I tried today on Windows was setting up live.com to use two-factor authentication. I set it up on my phone again (a destroyed phone in the recent past) and then used the built-in scanner feature to scan the QR code again into 1Password's OTP feature.

    Then again, even w
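    The QR code scanned into an authenticator (or into 1Password's OTP feature, as described above) is an otpauth:// URI whose payload is the shared TOTP secret; whoever holds that secret can regenerate the same codes on any device, which is why backing it up survives a lost phone. The following is an added example, not code from the original post or from 1Password, implementing RFC 6238 TOTP over such a URI with the Python standard library. The URI, account label and issuer are constructed for the example; the secret is the RFC 4226/6238 test key, not a real credential.

```python
"""TOTP (RFC 6238) from an otpauth:// URI, to show what the QR code carries."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Pull label, base32 secret, digits and period out of an otpauth://totp/ URI.

    The URI (and thus the QR code) is the whole enrolment secret: anyone who
    has it can generate valid codes on any device, so treat it like a password.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def decode_secret(b32: str) -> bytes:
    """Base32-decode the shared secret; tolerate spaces, lowercase and missing padding."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: Optional[float] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    t = time.time() if for_time is None else for_time
    return hotp(key, int(t) // period, digits)


def verify_totp(key: bytes, code: str, for_time: Optional[float] = None,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock skew.

    hmac.compare_digest keeps the comparison constant-time so a verifier does
    not leak which digits matched.
    """
    t = time.time() if for_time is None else for_time
    step = int(t) // period
    return any(
        hmac.compare_digest(hotp(key, step + delta, digits), code)
        for delta in range(-window, window + 1)
    )


# Constructed example URI (hypothetical account). The secret is the RFC 6238
# test key "12345678901234567890" in base32, not a real credential.
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

if __name__ == "__main__":
    info = parse_otpauth(EXAMPLE_URI)
    key = decode_secret(info["secret"])
    print(info["label"], totp(key, period=info["period"], digits=info["digits"]))
```

    Storing the otpauth URI (or just the base32 secret) alongside the login in a password manager is equivalent to keeping a second authenticator enrolled: the codes can be regenerated anywhere the vault can be opened, so the vault's own recovery story then becomes the thing to plan for.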

  • jessyc

    Team Member
    edited September 2017

    Hi @slobizman,

    This is a very good point that many people overlook, so kudos for even thinking about it.

    This should come in handy : https://support.1password.com/one-time-passwords/
    Advanced level : You could even print the QR code/back up code of each service individually and store it in a VERY secure location.
    Ninja level : Tell the person you trust the most where it is stored in case you are unable to access it (you never know, right?!)

    Finally, I'd suggest preparing your 1Password Emergency Kit.

  • slobizman Junior Member

    @AlwaysSortaCurious:

    Yes, I have my set of one-time passwords for google in 1pw. (I don't think Apple has any for 2FA, but I'll double check). On the Google one-time passwords, I've never used one; can I then use that to get in without my 2FA code with that? If so, then I can turn off 2FA at that time while out of the country.

    Also, I heard someone say you can use each one more than once. Do you know if that is true?

  • brenty

    Team Member

    @slobizman: First of all, I hope you're not working while you're on vacation! ;)

    In all seriousness though, AlwaysSortaCurious and jessyc have some great suggestions. I'd take it a step further and suggest leaving a copy of your Emergency Kit in a place where you could have someone you trust access it for you in case of an actual emergency. I'd consider storing multifactor "recovery codes" for important accounts with the Emergency Kit if you're not storing them in 1Password itself. But either way, you'd be able to sign into your 1Password.com account with your credentials to access everything you'd stored there. I hope this helps. Be sure to let us know if you have any other questions! :)

  • slobizman Junior Member

    @jessyc:

    I didn't even know 1pw could do 2FA authorization codes from the mac! Nice. I'll check it out.

    Can it do it from the iOS 1pw?

    This doesn't really help if I lose my devices out of country, but it's going to be useful to me regardless.

    And yes, I do have my Emergency Kit. :)

  • slobizman Junior Member

    @brenty:

    Always got some work to do no matter where I am in the world, but sporadic. :)

    Good idea on giving hard copies of some security codes and such to a trusted friend.

    Wish Apple had one-time codes for 2FA users.

  • brenty

    Team Member

    I didn't even know 1pw could do 2FA authorization codes from the mac! Nice. I'll check it out. Can it do it from the iOS 1pw?

    @slobizman: Yep!

    This doesn't really help if I lose my devices out of country, but it's going to be useful to me regardless.

    Totally! It's good you're thinking about this, so you can put the necessary contingencies in place...and then forget about it and enjoy your travels! :sunglasses:

    And yes, I do have my Emergency Kit. :)

    ;) :+1:

    Always got some work to do no matter where I am in the world, but sporadic. :)

    Haha I hear you! I did manage to take an actual vacation-vacation (i.e. no work) this time...but I'd be lying if I wasn't a bit relieved to get back my routine afterward. :lol:

    Good idea on giving hard copies of some security codes and such to a trusted friend.

    Glad if that helps! It's good to have options. :chuffed:

    Wish Apple had one-time codes for 2FA users.

    They don't offer a "recovery code" option as some services do, but they do have a pretty decent recovery option (with a failsafe against attackers trying to trigger this). Definitely worth checking out. Cheers! :)

  • danco Senior Member Community Moderator

    It could be worth writing down your 1PW account key and keeping that in your wallet or belongings or elsewhere on your person. Your Master Password is presumably in your memory (as would be the login address on 1password.com), so the only further item you need is the Account Key, which you aren't likely to memorise.

    Obviously there is a certain lack of security in this, but realistically it is extremely small, since it would not be clear what it was the key to, and the other information would not be revealed.

  • beyer

    Team Member

    I completely agree with @danco. If all the devices you use 1Password on are stolen, lost, or damaged, having a hard copy of your Secret Key in your wallet could be extremely beneficial. Many people have photos of their important documents, like passports, visa, etc. which can be extremely helpful.

    To help make your Secret Key a little less recognizable, you could strip the version number A3 and the dashes. Then, when entering your Secret Key from hard copy, you'll need your version number, but the dashes aren't required.

    If you're like me and carry a YubiKey, you could also store your Secret Key on it as a static password. I find this slightly easier than paper and I figure I'm more likely to get my wallet mugged than my keys. Especially after they see my 15-year-old Prius, no one wants to steal that. :tongue:

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • Hi 1Password,

    I'd like to ask, has your answer to this question changed in the last year and a half?

  • Ben AWS Team

    Team Member

    Reading the above responses I can't think of anything off hand I'd recommend different, @wavesound. :)

    Ben

  • wavesound
    edited July 22

    I'd like to get your feedback on the following scenario:

    A 1Password.com account user is traveling alone in a foreign country and they are robbed. Their only 1Password device, their wallet, passport and luggage are stolen. Consequently, they don't have any usernames/passwords, no banking information, no phone numbers, no credit card numbers because they are locked up in their 1Password.com account. How can they recover their account without the 1Password Secret Key?

    They cannot buy anything, call anyone, cancel their cards, access their accounts, etc.

    This scenario does happen to travelers including clients of ours and I think it highlights a design limitation with your service. Carrying a copy of your "Secret Key" is not an acceptable workaround because that would likely also be stolen. "Security by obscurity" is a completely unacceptable suggestion for keeping secret keys in plain-text for our clients and the recovery mechanism cannot involve other people so phone calls are out of the question.

    Other products that our customers use do not require this and although I understand the intent of the "Secret Key", the way you have implemented it complicates the fundamental human limitations that 1Password was meant to address. As your name implies, I should only have to remember one password not two.

    It seems like if you use the 1Password.com service...it should be called 2Password since you need two credentials to access your data. Am I missing something in this analysis?

  • brenty

    Team Member

    A 1Password.com account user is traveling alone in a foreign country and they are robbed. Their only 1Password device, their wallet, passport and luggage are stolen. Consequently, they don't have any usernames/passwords, no banking information, no phone numbers, no credit card numbers because they are locked up in their 1Password.com account. How can they recover their account without the 1Password Secret Key?

    @wavesound: They can't. It's entirely up to you how you plan for that sort of contingency, but personally I leave a copy of my Emergency Kit with someone I trust. Whether I end up needing to call them to get it myself or they need it if something happens to me, it's covered.

    Other products that our customers use do not require this and although I understand the intent of the "Secret Key", the way you have implemented it complicates the fundamental human limitations that 1Password was meant to address. As your name implies, I should only have to remember one password not two.

    Without knowing what we're talking about I can't really speak to specifics, but it is the case that 1Password is more secure than most products, and a big part of that is because of 1Password's design, using 2SKD to protect against attacks against us. More on what that means below.

    It seems like if you use the 1Password.com service...it should be called 2Password since you need two credentials to access your data. Am I missing something in this analysis?

    As I'm sure you're aware it's not uncommon at all for services to be compromised and for attackers to steal, and sell, customer data, etc. Many web services especially store users' passwords, payment information, and many other sensitive details. Heck, that's the stuff each of us saves in 1Password! The difference is that what's on our server is an encrypted blob, and we literally never have the "keys" to decrypt it: the Master Password is chosen by the user, the Secret Key is generated locally on their device during signup, and neither are ever transmitted to us. That may seem academic, but it's really important because using both to encrypt the data means both are required to decrypt it. We don't have them. But users don't always pick the best passwords. And if the data is only encrypted using the Master Password, and an attacker steals the encrypted database from us, the attacker can perform a brute force attack against the user's Master Password. But because the (128-bit, randomly-generated) Secret Key is also needed, that becomes infeasible.

    I get that it would be more convenient to not have the Secret Key at all, but it would also make us, and therefore all 1Password users, a more appealing target, because if one attacker was able to steal the database from us, they could take all the time they need to guess people's Master Passwords. The Secret Key all but eliminates that attack vector.

    But, perhaps more practically, almost no one ever needs to know and/or enter their Secret Key. It is only required the first time when setting up a device, and if any other devices are already using the account, it can be viewed there anyway, without having to have it printed or written down somewhere else (though it's good to do that in case you do lose devices, etc.)

    I know this is a lot to take in, but hopefully this helps tie everything together better. And if you have any other questions, be sure to let me know. Happy to answer them. :)
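    The argument above is that a stolen server-side blob is only attackable offline if the password alone determines the key; mixing in a random, never-uploaded secret removes that path. The block below is an added example, written for this page and not 1Password's own code: it sketches a two-secret derivation with the Python standard library (PBKDF2 for the password, HKDF for the random secret, XOR to combine) and then plays the attacker who has stolen the server record and a password list. The secret-key format, the iteration count, the HKDF labels, the account identifier and the "key check value" stored on the server are all constructed for the example; they are not the real encoding or protocol details, which the thread does not give.

```python
"""Two-secret key derivation, illustrated: a user-chosen password and a
random high-entropy secret are both needed to reach the vault key."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

PBKDF2_ITERATIONS = 100_000  # illustrative cost; real products tune this upward
KEY_LEN = 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """HKDF (RFC 5869) extract-and-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_secret_key(groups: int = 6, group_len: int = 5) -> str:
    """A random secret written as dash-separated groups for copying onto paper.

    Constructed format for this example only (not 1Password's encoding):
    32-symbol alphabet, 5 bits per symbol, so 30 symbols carry 150 bits.
    """
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I look-alikes
    return "-".join("".join(secrets.choice(alphabet) for _ in range(group_len))
                    for _ in range(groups))


def normalize_secret_key(typed: str) -> str:
    """Accept what a person types back from paper: drop dashes/spaces, uppercase."""
    return "".join(ch for ch in typed.upper() if ch.isalnum())


def derive_vault_key(password: str, secret_key: str, salt: bytes, account_id: bytes) -> bytes:
    """Combine the two secrets into one key.

    Password -> slow, salted PBKDF2 (each account must be attacked separately).
    Secret key -> HKDF bound to the account identifier.
    XOR of the two: neither half alone reveals anything about the result.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS, KEY_LEN)
    sk_key = hkdf_sha256(normalize_secret_key(secret_key).encode(), account_id,
                         b"example-secret-key", KEY_LEN)
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def key_check_value(vault_key: bytes) -> bytes:
    """Stand-in for whatever a stolen server record lets an attacker test guesses against."""
    return hmac.new(vault_key, b"example-vault-key-check", hashlib.sha256).digest()


def offline_guess(password_list: Iterable[str], attacker_secret_key: str,
                  salt: bytes, account_id: bytes, stolen_kcv: bytes) -> Optional[str]:
    """Attacker with the stolen record tries each password; returns the hit or None.

    The attacker must supply *some* secret key to combine with each guess. With
    the wrong one (the real key never left the user's devices) a correct password
    still never verifies, so the dictionary attack has nothing to confirm against.
    """
    for guess in password_list:
        candidate = derive_vault_key(guess, attacker_secret_key, salt, account_id)
        if hmac.compare_digest(key_check_value(candidate), stolen_kcv):
            return guess
    return None


if __name__ == "__main__":
    # Constructed scenario: a weak password, a real secret key, a stolen record.
    salt, account_id = secrets.token_bytes(16), b"example-account-0001"
    real_secret_key = generate_secret_key()
    stolen_kcv = key_check_value(derive_vault_key("password123", real_secret_key, salt, account_id))
    wordlist = ["letmein", "qwerty", "password123"]
    print("with secret key:   ", offline_guess(wordlist, real_secret_key, salt, account_id, stolen_kcv))
    print("without secret key:", offline_guess(wordlist, generate_secret_key(), salt, account_id, stolen_kcv))
```

    The same normalization that makes the key usable from paper (dashes and case are ignored) is what lets the stripped-down written copy suggested later in the thread work; the version prefix is the one part a typed-back copy still needs to carry if the real format includes one.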

  • @brenty,

    Thank you for your response. It's not much to take in since I am very familiar with the role that the "Secret Key" plays in protecting the 1Password.com account from data theft.

    However, based on your response, I am left to conclude that you have no work-around for this situation. If one is traveling alone overseas and their devices and belongings are stolen, their data is locked away with no hope of accessing it without being able to make a phone call or take advantage of some other arrangement to retrieve the "Secret Key" and log in using a web terminal or a new device.

    But, perhaps more practically, almost no one ever needs to know and/or enter their Secret Key. It is only required the first time when setting up a device, and if any other devices are already using the account, it can be viewed there anyway, without having to have it printed or written down somewhere else (though it's good to do that in case you do lose devices, etc.)

    That's the crux of the issue here. Most of the time you won't need the Secret Key and you'll be able to get along without it. I appreciate the attention to detail designing for the worst case scenario of data theft, but in doing so, you created the threat of a customer losing access to their data and being digitally stranded with no means of recovery when they need it most without special assistance, planning or some technical savvy on their own part. I should point out that this is not a hypothetical situation, one of our customers faced this situation recently and would not have been able to reach out to an emergency contact. Thankfully they were on a standalone account syncing through iCloud.

    I expect critical software to be adaptable and flexible to accommodate the reasonable limitations of the people that use them, and the more we work with 1Password.com in real environments, the less convinced I am becoming that 1Password.com is the right tool for everyone.

    As a technical consulting firm, 1Password works for us, but for our non-technical clients, it has been impossible to move beyond the Standalone product based on the real-world scenarios that they encounter in their lives.

  • brenty

    Team Member

    @wavesound: I would love to understand how a standalone vault in iCloud is more accessible than data in a 1Password account. Earlier you made the obvious joke (I think it was a joke, anyway) that "it should be called 2Password"...but to get to 1Password data in iCloud, you would need:

    • an Apple device
    • Apple ID username and password (assuming you use the same one for both the App Store and iCloud)
    • possibly two-factor authentication for the Apple ID
    • a stable internet connection to download 1Password
    • the Master Password for the vault in iCloud

    To access data in a 1Password account, you would need:

    • any device with a relatively recent web browser
    • Secret Key
    • Master Password for the account
    • possibly two-factor authentication, if you've enabled that feature

    We can probably quibble over hypothetical scenarios, but that's what I see in the real world every day.

    I don't think anyone here would claim that 1Password is "the right tool for everyone". It isn't. We do our best, but our focus is on security, and making it available to as many people as possible. But we can't accommodate every use case (nor do we want to, when it conflicts with our core values, and/or the purpose of 1Password itself).

    1Password isn't perfect, but a wide range of "non-technical" people use it successfully, and even enjoy it. So I'd be interested to pursue this with you more in detail to see what the differences might be. :)

  • I'll tell you quite honestly that I don't think it is for everyone, but it does fill that need. I think almost everyone who uses Facebook well should be able to handle 1Password, but there is this human mental block that prevents a lot of those same people from being able to confidently handle email or anything else more technical than that. But where Enterprise passwords are concerned or high credentialed individuals, got to be 1Password.

  • brenty

    Team Member

    @AlwaysSortaCurious: You make a really good point about there potentially being perceived hurdles. Certainly something seeming intimidating can effectively make it so. I think we have work to do with making 1Password more...comfortable, for lack of a better word. Part of that, and I think with the Secret Key especially, is it's something different from what people are used to. In a direct comparison of what's involved with syncing using iCloud versus 1Password.com, the latter technically requires less...but I think it's fair to say that more people are familiar and therefore more comfortable with iCloud, because they're used to it, and because it uses a more traditional username/password model (though two-factor and other things add complications). Maybe that's similar to what wavesound is getting at.

  • wavesound
    edited July 22

    @brenty,

    You’re right, I used “2Password” to make a point about this scenario.

    In this case, we don’t advise that our clients use randomly generated passwords for their Apple ID since restoring an iCloud backup from a lost device at the Apple Store requires the Apple ID to gain access to their iCloud backup and to regain access to messaging and other essential mobile communication tools and data before they can re-install 1Password. We don’t make this recommendation because it addresses a “hypothetical” situation. This actually happened to a client of ours traveling on vacation who dropped her iPhone into the ocean. She had no other devices with 1Password available to her while traveling. She had two-factor enabled on her Apple ID but Apple uses SMS-based backup that enabled her to regain access to her account.

    I don’t like SMS generally because it practically turns your cellphone carrier into an authentication provider and some carriers do this better than others, but it seems to be a necessary tool for people who can only remember a couple of passwords and provides some protection from total lockout.

    I would also take issue with your use of the word “comfortable.” We have to accommodate mechanisms/controls implemented by other vendors that your software/service relies upon. 1Password.com technically requires less, but practically requires more. Improving that is my challenge to you as an organization if you want to appeal to a broader mainstream audience beyond “techies.”

    If you only want to appeal to “techies”, I understand. All of the “Customers” on your “Customers” page are all tech companies and I’m the technical person managing my business and my family account. But I will have to consider other tools for clients that will, despite all of my efforts, lose or forget everything.

    Encryption offers a lot of protection over people’s data but it’s a two edged sword and I’m very worried that the other edge will “cut” several of our clients by unwittingly locking themselves out of 1Password.com accounts with no recourse to regain access in situations where sharing “Secret Keys” is not possible.

  • Ben AWS Team

    Team Member

    There are always tradeoffs. Which ones will make sense are likely to vary from person to person.

    But I will have to consider other tools for clients that will, despite all of my efforts, lose or forget everything.

    There is really only so much that can be done for someone who will lose or forget everything. For such a client have you considered storing their Emergency Kit for them? Obviously this would require that they have an extreme amount of trust in you, but trusting someone is really the only alternative if they're prone to lose or forget everything. Normally I'd suggest recovery, which requires less trust, but in this situation they likely don't have access to their email either.

    We have to accommodate mechanisms/controls implemented by other vendors that your software/service relies upon. 1Password.com technically requires less, but practically requires more.

    I'm not sure I follow. In what way does it require more? Could you please elaborate?

    Ben

  • danco Senior Member Community Moderator

    One possible solution though it may be considered insecure.

    Store your secret key in the cloud using a different email address from the one you use for 1PW and a memorable (generated by 1PW as words) password for the cloud account. Even if the cloud account was broken into it's unlikely that anyone would recognise the text as a 1PW secret key (it could always be obfuscated) and anyway a thief would not know the other account details.

    It does mean a need to remember another password, though.

  • My personal preference is having another family organiser who can recover my account, that person also has a shared vault with myself containing the log in details of both our respective email accounts to assist with recovery.

    The reality is there is no situation where either of us could start recovering an account by 'accident' or without the other knowing, due to "new sign in notifications" etc. I personally have enough trust that nothing malicious will be done by either of us; however, for those with a little less trust, that could make you feel easier, as you could stop the process upon receipt of these warnings.

  • Ben AWS Team

    Team Member

    All are certainly valid thoughts for consideration. :+1:

    Ben

  • I'll echo some of the interest in these scenarios, as that's what led me to this forum this morning. I've been a 1Password user for about a month now. Earlier this morning while on travel, I thought I had lost my cell phone. I tried to log in to 1Password at the AirBnB I am staying at, but without that secret key it was worthless. Nobody has land lines any more, so I couldn't call anyone to assist with recovery, and I couldn't even send an email to someone for assistance because my email account is 2fa protected.

    After an hour of searching, I found my phone, to my great relief. But it does beg the question...what should I have done differently in this scenario? I guess carrying a piece of paper with my secret key written down?

  • Ben AWS Team

    Team Member

    @KnnNike

    After an hour of searching, I found my phone, to my great relief. But it does beg the question...what should I have done differently in this scenario? I guess carrying a piece of paper with my secret key written down?

    I'm glad to hear you were able to locate your phone. In part I think it is important that we stress how important it is to not access any of your accounts especially 1Password from a device that isn't yours. You have no way of knowing what sort of malware might be present on such a device. As far as an official recommendation: wait until you get back to one of your devices, or purchase a new device, to access any accounts. Beyond that, yes, traveling with a copy of your Emergency Kit is probably a reasonable precaution. Let's say you really did lose your phone... when you were able to purchase a new one you'd need the Secret Key in order to set up 1Password on that.

    Ben
