Strategies for Secret Key

I won't mince words: The Secret Key drives me up the wall. Here's the basic issue: It's labled an "emergency," and yet you need it very, very often.

@utcv: I'm sorry to hear you're having some frustration. I'd like to understand why. Of course it will vary based on each of our individual usage, but personally I enter it maybe once a week -- and that's, worst case scenario, a copy and paste. And usually I just scan the Setup Code so I don't have to even to do that. I think maybe I've typed it in by hand once. This past week, however, I've signed into my account on a new device I purchased, so there may have been more than that. I have a few accounts, and I probably signed into one somewhere else to test something. But that's definitely not typical for most people. We don't buy new devices frequently (I don't think), and I'm a bit of an edge case because it's my job to try to break things, and that means a lot of resets.

Just today I had an example. I was on my phone and I got an email from 1Password saying that my family member had created an account and it wanted me to confirm it. No problem! Well, yes, there is. I clicked the button and the damned site wants my Secret Key. I don't have it. It's an emergency and in a safe place. So, I can't login.

As **danco **mentioned, it's probably not a common occurrence for most people to invite new members. I know I haven't this year (unless you count imaginary people in a test account). But, regardless, are you not using 1Password on your phone already? If so, you'll have your Secret Key right there in the app, both in your account settings and, probably, in a Login item in your vault (that's the Starter Kit he referenced). Is that not the case?

I've taken to putting it in a bunch of places trying to obscure it so it's not obvious what it's for, but doesn't this weaken security? I can not possibly remember it and yet I have needed it multiple times for whenever I log into something that 1Password doesn't recognize as a trusted source. I get it. I understand, but it's still inconvenient.

If you're thinking about signing into your 1Password.com account (or accessing any sensitive information) on an untrusted device, please stop and think again. This is not a safe thing to do. I know it's tempting to think that two-factor authentication can protect you, but it can't.

What are some strategies for keeping this key without compromising security?

Getting back to the Secret Key, the great thing about 1Password is that you don't have to try to obfuscate things there. And it requires your Master Password to unlock. So having the Secret Key available there means you'll always have it with you so long as you have an authorized device. The Emergency Kit really is just for emergencies: if your devices are lost, stolen, or destroyed, you'll still be able to access your account on a new one using that.

In my opinion? For those of us using 2FA, the website should allow the option of 2FA instead of the Secret Key for the times when it's not available. It is something I've run into enough for it to be a hindrance for me. Perhaps it'll become less of an issue for me over time. It sounds like it. I still think it would be a good idea to offer 2FA during those times. I have that setup in my account and I think it's a good substitute for the Secret Key.

It's not possible because 1Password's security model is based on encryption: both the Secret Key and Master Password are needed to decrypt the data. If we made it so you could sign in without the Secret Key, you would still not be able to access your data; it would be encrypted and unreadable. Two-factor authentication means that you're proving that you have something in addition to your static login credentials in order for you to access your account, but that's completely separate from how 1Password protects your data. Authentication just protects against access to your account by preventing new devices from being authorized without it. The "keys" to the data are also needed.

For now, I've put the secret key directly in 1Password. As long as I can access it in a quick-copy way, I should be okay. That's why my question was about strategy for keeping it handy more than about the necessity of the secret key in general. At least, that's how I wanted the message to come across. Admittedly, I came here pretty frustrated after trying all kinds of things to get logged in on my phone's browser. Thank you for your response.

That's definitely one thing we recommend, and recent 1Password.com signups generate the Starter Kit automatically. This is like keeping a spare key to the safe in the safe, so it isn't a security risk. So long as you know your Master Password and have an authorized device you can unlock with it, you'll have everything you need to setup a new one, even without the Emergency Kit.

Definitely an interesting discussion. It sounds like you've got a good system now, but I appreciate you bringing this up since others can benefit too. Cheers! :)

@danco: There isn't really a way to copy it from the account settings, only display it as large type onscreen. But for most 1Password.com members, it can be copied from the Starter Kit login item. And anyone else can create their own. I actually made all of mine before we had the idea of having something like that generated during sign up. So mine are a bit less pretty. Crude, but effective. :)

@Manaburner: That's a neat hack! :chuffed: