Rescuing a 1Password account or adding it to a new device is now a little easier, thanks to two new features announced Thursday.
The first, called Recovery Codes, aims to address the nightmare locked-out scenario of both forgetting an account’s master password and losing the alphanumeric “secret key” that's automatically generated at account creation.
The service’s security model has historically required access to one of those to get into any individual account, which can leave unfortunate users with no other option than creating a new 1Password account—and then recreating any of the complex passwords they had generated and saved in their old account.
The new recovery codes option for both individual and family accounts adds a backstop to the secret key: a lengthy, randomized alphanumeric code. You can provide that to 1Password through its web app, after which the service will send a one-time code to the email address on file that you can then use to get back into your account, create a new master password, and generate a new secret key.
The other new 1Password feature, only available in beta but expected to ship later this summer, covers the more common case of adding your 1Password account to a new device. Today, doing so requires typing in your master password and then secret key—or by opening a Setup Code on your mobile device that encapsulates your secret key, then holding that in front of the new device’s camera (if it has one), and finally confirming that with your master password.
The new option flips that user experience around: You display a special QR code on the new device, then scan that in a phone running a signed-in and unlocked copy of the 1Password mobile app. This has the advantage of being snoop-proof: The QR does not embed any permanent credentials, making it “resistant to screenshots and over-the-shoulder scans,” the company explains. Both devices send temporary cryptographic keys to set up "an end-to-end encrypted relay through our server" in which the old device securely enrolls the new device, a spokesperson explained further.
These moves by 1Password come as the market for password managers is seeing increased competition from established players. For instance, Apple introduced a Passwords app for iOS, macOS, and Windows (but not Android) at its WWDC conference earlier in June. Meanwhile, every password manager still must compete with the inertia or exhaustion that keeps people trying to lighten their login cognitive load by reusing passwords.
Editors' Note: We updated this post with more details about the new-device user experience.