Your 1Password account is protected by multiple layers of security. Your Master Password and Secret Key encrypt your data end-to-end, and Secure Remote Password (SRP) prevents anyone from stealing your credentials or reading any non-secret information sent to the server.
Your credentials are never sent over the network
Most websites send your password to a server when you try to sign in, leaving it vulnerable to interception. Your 1Password account uses the SRP handshake protocol to authenticate without sending your Master Password or Secret Key over the internet, so they can’t be stolen in transit.
Your information is protected by an additional encryption key
When you sign in to your 1Password account, your information is protected by Transport Layer Security (TLS). With SRP, an additional session encryption key protects your information even if someone manages to decrypt TLS. This includes non-secrets like your name and email address.
The encryption key is different for each session, so an attacker who records one authentication session won’t be able to play that back in an attempt to authenticate.
Your connection is always to the genuine 1Password server
The SRP verification process proves to the server that the 1Password app has a secret that can only be derived using the correct Master Password and Secret Key. It also proves to the 1Password app that the server has the correct verifier, which guarantees that the 1Password app is communicating with the 1Password server, not an impostor.