About the security of signing in to 1Password with a QR code

Learn how 1Password keeps your account secure when you use a QR code to sign in on a new device.

Use a unique QR code to sign in to your 1Password account on a new device. After you scan your QR code with your new device’s camera, you’ll be signed in without entering your account password or other credentials.

Technical design

When you scan your QR code, 1Password creates an end-to-end encrypted channel between your new device and your authorized device. 1Password uses the secure channel to transmit session information and key material.

Your QR code contains part of the confidential key material for each channel, which makes sure the channels can’t be used later or intercepted by a malicious server.

Although QR codes contain time-bound session information like pairing credentials, you still have to enter a confirmation code or accept a prompt to confirm your intent to pair your devices.

Security model

The channels 1Password creates between your devices are protected by Noise, a framework for cryptographic protocols. 1Password keeps these channels cryptographically separate for different QR codes and future uses to prevent messages from being mixed, whether accidentally or maliciously.

Keys are never reused. 1Password generates all exchange keys as needed and stores them only in memory to prevent pre-exchange compromise. New keys used to reconnect devices in the future are rolled over after each exchange. Pre-shared keys (PSK) make sure historical communication can’t be decrypted in the future, even by someone with access to a quantum computer.
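As an added illustration (not 1Password's code), the sketch below walks the Noise key-derivation chain to show why a party that learns the Diffie-Hellman output but never saw the QR code still cannot derive the channel keys. The NNpsk2 pattern, the SHA-256 hash, the empty prologue, the function names and the random bytes standing in for X25519 values are all assumptions; the page names only Noise and pre-shared keys.

```python
import hashlib
import hmac
import os

# Assumed Noise pattern and primitives; the page names only "Noise".
PROTOCOL = b"Noise_NNpsk2_25519_ChaChaPoly_SHA256"

def hkdf(ck, ikm, n):
    """Noise HKDF over HMAC-SHA256: n chained 32-byte outputs."""
    temp = hmac.new(ck, ikm, hashlib.sha256).digest()
    outs, prev = [], b""
    for i in range(1, n + 1):
        prev = hmac.new(temp, prev + bytes([i]), hashlib.sha256).digest()
        outs.append(prev)
    return outs

def transport_keys(e_new, e_auth, dh_ee, qr_psk):
    """Key-derivation chain in NNpsk2 token order (e / e, ee, psk).

    e_new, e_auth: ephemeral public keys (opaque bytes here);
    dh_ee: the ephemeral-ephemeral DH output; qr_psk: 32-byte secret
    that, in this sketch, travels only inside the QR code.
    Payload encryption is omitted; it changes h, not the chaining key.
    """
    h = hashlib.sha256(PROTOCOL).digest()   # name > 32 bytes, so it is hashed
    ck = h
    h = hashlib.sha256(h + b"").digest()    # MixHash(empty prologue)
    for pub in (e_new, e_auth):             # token "e" in a psk handshake
        h = hashlib.sha256(h + pub).digest()
        ck, _ = hkdf(ck, pub, 2)
    ck, _ = hkdf(ck, dh_ee, 2)              # token "ee": MixKey(DH output)
    ck, temp_h, _ = hkdf(ck, qr_psk, 3)     # token "psk": MixKeyAndHash
    h = hashlib.sha256(h + temp_h).digest()
    send_key, recv_key = hkdf(ck, b"", 2)   # Split()
    return send_key, recv_key, h

if __name__ == "__main__":
    # Constructed sample values; random bytes stand in for real X25519 output.
    e_new, e_auth, dh, psk = (os.urandom(32) for _ in range(4))
    new_dev = transport_keys(e_new, e_auth, dh, psk)
    auth_dev = transport_keys(e_new, e_auth, dh, psk)
    # A relay that recorded the handshake and later recovers dh,
    # but never saw the QR code, has to guess the PSK.
    relay = transport_keys(e_new, e_auth, dh, bytes(32))
    print("devices agree:", new_dev == auth_dev)
    print("relay without QR secret gets the keys:", relay[:2] == new_dev[:2])
```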

Risk considerations

This sign-in process is extremely difficult to phish or manipulate because of the QR code design and the fact that you need to verify your intent to pair your devices. 1Password will never reveal credentials to a new device, illegitimate or not, without asking you first.
