
I've noticed that when I restore my old iPhone's backup to a new iPhone, 1Password's master-key (which is never supposed to leave the device 1Password is installed on, and you transfer manually), my TOTP credentials (in Google Authenticator or a similar app), the Steam authenticator-key, etc … still seem to exist on the new, restored, device.

This implies that they're also sitting around in my backups — and possibly in iCloud?

How can I back up my device without compromising the uniqueness of my second factor of authentication?

ELLIOTTCABLE
    Encrypt your backup? – thel3l Apr 21 '17 at 07:16
  • That's not enough; the point here is to preserve the *second factor*. Having it exist anywhere else in your possession, even encrypted — *especially*, in fact, if it's on the same system as your password-manager tools — makes it a mere “1.5-factor” system. Might as well just send login-verification emails or some trash. – ELLIOTTCABLE Apr 21 '17 at 12:58
  • It depends on the soft token you are using whether it backs up the data in an encrypted or unencrypted iTunes backup (via keychain or app database). I prefer to back up my OTP seeds in an offline password safe so I can actually migrate the tokens if needed. – eckes Apr 21 '17 at 15:58
  • @eckes can you elaborate on this? (possibly in an actual answer so you can get credit?) – ELLIOTTCABLE Apr 21 '17 at 20:07
  • @elliottcable I don't know how the 1Password app works, but on iOS you can use different APIs and flags (on the keychain API) to protect data. There is a level which is never backed up, only protected with the device key (i.e. not migratable = only restorable on the same phone), and there are levels which are only included in password-protected backups or in all backups. The iOS security whitepaper describes those modes (it sounds like 1Password is not using the most secure mode): https://www.apple.com/business/docs/iOS_Security_Guide.pdf – eckes Apr 21 '17 at 20:15
  • Oh, it's not *just* 1Password — updating the question, my bad. – ELLIOTTCABLE Apr 21 '17 at 20:20

1 Answer

Yes, from your description it sounds like 1Password does not use the most paranoid key storage (class) on iOS (for the master secret). A good overview of the different modes can be found in the iOS Security Guide.

You have been looking for more security; that depends on the software vendor. If you want to ensure portability of the OTP secrets, I typically use the manual (text vs. QR code) secret import step and copy the text secrets to another offline store location (password safe) before sealing them (more or less reliably) into a mobile soft token. This totally depends on my ability to responsibly protect those secrets, so it might not be the way to approach that for everybody. Giving those secrets to 1Password might, however, be even more risky than having an offline backup.

But back to your question: the app has to declare sensitive information in the right way to keep it secure (or out of the backup); there is not much you can do yourself. (Setting a backup password in iTunes and turning off iCloud synchronisation is all you could change.)

eckes
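The keychain protection classes the answer and the comments refer to are what decide whether an OTP seed ends up in a backup at all. The following Swift snippet is an added illustration, not code from 1Password or from any app mentioned on this page; the service name and account label are assumptions. It stores a seed with a `ThisDeviceOnly` class (never backed up, never migrated to another phone) and leaves the migratable class that would reproduce the behaviour described in the question as a commented-out alternative.

```swift
import Foundation
import Security

/// Added example: keychain storage of an OTP seed with a protection class
/// that keeps it out of iTunes/iCloud backups entirely.
enum OTPSeedStore {
    /// Assumed service identifier for this illustration.
    static let service = "com.example.otp-seeds"

    /// Writes `seed` for `account`, replacing any existing item.
    /// Returns the raw OSStatus so callers can check for errSecSuccess.
    static func store(seed: Data, account: String) -> OSStatus {
        // Remove any previous item for this service/account first; the
        // delete query must not carry kSecValueData or kSecAttrAccessible.
        let lookup: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        SecItemDelete(lookup as CFDictionary)

        var add = lookup
        add[kSecValueData as String] = seed

        // Migratable choice: item goes into backups and restores onto a
        // new device, which is the "1.5-factor" situation from the question.
        // add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock

        // Device-bound choice: readable only while unlocked, only on this
        // device, and only while a passcode is set. It is excluded from
        // backups, and iOS deletes the item if the passcode is removed.
        add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly

        return SecItemAdd(add as CFDictionary, nil)
    }

    /// Reads the seed back for `account`, or nil if absent/unreadable.
    static func load(account: String) -> Data? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess else { return nil }
        return item as? Data
    }
}

// Usage with a constructed (not real) 20-byte seed:
let demoSeed = Data((0..<20).map { UInt8($0) })
let status = OTPSeedStore.store(seed: demoSeed, account: "alice@example.com")
print(status == errSecSuccess ? "stored, device-bound" : "store failed: \(status)")
print(OTPSeedStore.load(account: "alice@example.com") == demoSeed ? "readback ok" : "readback failed")
```

The trade-off is the one eckes describes in the answer: with a `ThisDeviceOnly` class the seed survives no backup, so the only recovery path is the user's own offline copy of the text secret (or the service's recovery codes). An app that wants "restore to a new phone just works" picks a migratable class, and that is exactly what makes the seed appear on the restored device.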