Forum Discussion
ScarySulley
5 months ago, Occasional Contributor
Secret Key auto generation on someone else's device?
Hello!
I was reading this article about the Secret Key. It states this, under "What’s a Secret Key?":
This key is stored on all devices you’ve used to sign in to your account...
If I were to sign into my account (through the website) on someone else's device, would the Secret Key be downloaded to that person's device? I realize that person would still need to have your Master / Account Password and the 2FA (if enabled), but is this not a security risk?
Thank you!
4 Replies
- ScarySulley, Occasional Contributor
Thank you AJCxZ0 and 1P_Dave for your replies!
I forgot about Private / Incognito modes. And a good note about the "This is a public or shared computer" option (which I assume works the same as Private / Incognito modes). But I suppose it's best practice to only sign into your 1Password account on your own, trusted devices if possible.
- 1P_Dave
Moderator
Let us know if you have any other questions in the future! 🙂
-Dave
- 1P_Dave
Moderator
Hello ScarySulley! 👋
Thanks for the question! Like AJCxZ0 said, using a private/incognito window is the best option to prevent your Secret Key from being saved on a particular device when signing into 1Password.com. You can also check the "This is a public or shared computer" option when signing in to prevent the browser from remembering your account.
That being said, I recommend that you only sign into 1Password on devices that you trust. You can read more about your Secret Key here: About your Secret Key. I hope that helps.
-Dave
- AJCxZ0, Silver Expert
The risk of unintended disclosure of your Secret Key and account password when using a web browser on someone else's device depends strongly on your information hygiene when doing so.
If they create an account for you on the device with its own encrypted storage, then your credentials and secrets should remain undisclosed in any web browser, however you use it.
If they let you use their account for this one task under their supervision and you use only a Private or Incognito browser session, and you log out and exit the browser session as soon as your task is finished, then there should be no stored data from that session remaining.
Anything less careful than this creates an opportunity for disclosure, however it's unlikely that there will be a trivial way for them to discover your credentials without some forensic cleverness, or use these to access your account without the TOTP, or if you are foolish enough to leave yourself logged in. These considerations conveniently ignore the device owner having the intent and capability to compromise your account, in which case there can be no "safe" way to use their device.
The usual caveats of casual risk assessments apply, with the constant danger of cutting yourself on edge cases.
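Both answers above turn on the same browser behaviour: a value written to persistent storage (localStorage) survives closing the tab and the browser, while a value kept only for the session (sessionStorage, or a private/incognito window) does not, and signing out should remove it either way. The following is an added illustration written for this thread, not 1Password's own client code; it models how a web client might honour a "public or shared computer" choice by picking the storage area, and how a defender can verify that no Secret-Key-shaped value is left behind. Node has no Web Storage API, so `localStorage`/`sessionStorage` are replaced by constructed in-memory shims with the same `getItem`/`setItem`/`removeItem`/`clear`/`key` interface; the item name, the `closeTab` helper and the sample key value are all hypothetical, and the sample key only follows the general letter-group shape of an account Secret Key.

```javascript
// Added illustration (not 1Password's code): scoping where a sign-in secret lives
// depending on the "public or shared computer" choice, and checking that nothing
// secret remains after sign-out. The storage areas below are constructed in-memory
// shims standing in for window.localStorage and window.sessionStorage.

class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

// Persistent area survives browser restarts; session area is discarded with the tab.
const persistentStore = new MemoryStorage();
const sessionStore = new MemoryStorage();

const SECRET_KEY_ITEM = 'example.secretKey'; // hypothetical item name

// Constructed sample in the general shape of a Secret Key (2-6-6-5-5-5-5 groups).
// Not a real key.
const SAMPLE_SECRET_KEY = 'A3-EXAMPL-EXAMPL-EXAMP-EXAMP-EXAMP-EXAMP';

// The "This is a public or shared computer" choice decides the storage area.
function chooseStorage(isSharedComputer) {
  return isSharedComputer ? sessionStore : persistentStore;
}

// Sign-in writes the Secret Key only to the chosen area; returns which one was used.
function signIn(secretKey, isSharedComputer) {
  const store = chooseStorage(isSharedComputer);
  store.setItem(SECRET_KEY_ITEM, secretKey);
  return store === sessionStore ? 'session' : 'persistent';
}

// Sign-out removes the key from both areas, whichever one was used at sign-in.
function signOut() {
  for (const store of [persistentStore, sessionStore]) store.removeItem(SECRET_KEY_ITEM);
}

// Defender's self-check: scan every item in a storage area for a Secret-Key-shaped value.
const SECRET_KEY_PATTERN =
  /^[A-Z0-9]{2}-[A-Z0-9]{6}-[A-Z0-9]{6}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}$/;

function findResidualSecrets(store) {
  const hits = [];
  for (let i = 0; i < store.length; i++) {
    const k = store.key(i);
    const v = store.getItem(k);
    if (v !== null && SECRET_KEY_PATTERN.test(v)) hits.push(k);
  }
  return hits;
}

// Simulates closing the tab: session data is gone, persistent data survives.
function closeTab() { sessionStore.clear(); }

// Walks both scenarios and reports how many Secret-Key-shaped items each leaves behind.
function demo() {
  const results = {};
  // Box unchecked on someone else's device: the key survives closing the tab.
  signIn(SAMPLE_SECRET_KEY, false);
  closeTab();
  results.uncheckedLeavesKey = findResidualSecrets(persistentStore).length;
  signOut();
  // Box checked: the key lives only for the session and is gone once the tab closes.
  signIn(SAMPLE_SECRET_KEY, true);
  closeTab();
  results.checkedLeavesKey =
    findResidualSecrets(persistentStore).length + findResidualSecrets(sessionStore).length;
  signOut();
  return results;
}

console.log(demo()); // { uncheckedLeavesKey: 1, checkedLeavesKey: 0 }
```

In a real browser the shims would be `window.localStorage` and `window.sessionStorage`, and `findResidualSecrets(window.localStorage)` run from the console after signing out is the practical check that nothing key-shaped was left on a device you do not control; a private/incognito window gets the same result as the checked box because the whole profile is discarded when it closes.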