by YawningAngel 2378 days ago
Replying to this as I can't reply to the other child comment: The secret key is emailed given to you when you enroll and is used, frequently, every time you enroll a new device. 1Password would have to screw up catastrophically to just not use it.

Obviously they _could_ screw up catastrophically, but if you don't trust them to operate their service with a basic level of competence you probably shouldn't be using them as a password manager to begin with.

1 comments

The comment above says Secret Key is generated on my device, how can it be emailed anywhere? I don't quite understand how one can enroll other devices with local Secret Key, so I assume Secret Key has to leave my device and travel over the wire. Which raises even more questions, but even if it's not, the way it's generated makes a big difference.

It is NOT emailed to you.

It is generated locally as I indicated, and as outlined in our white paper.

Where some users get confused, and perhaps rightfully, is that when you sign in you can generate a PDF called an Emergency Kit that contains the Secret Key. This PDF is generated entirely in JS within the browser. It is not generated on our servers and then downloaded. Some users do get confused about that.

Our web client is effectively a client running in the browser; it's all local and communicates with our servers the same way that a native app would.

Kyle

1Password Security Team