What we've learned with Two-Secret Key Derivation presented at BSidesLasVegas 2016

by Jeffrey Goldberg, Julie Haugh,

Summary : Video 1 "Chena creates team, signs up, save Emergency Kit" (MP4, 119.1MB)
Video 2 "Chena adds account to 1Password Mac" (MP4, 56.2MB)
Video 3 "Morgan joins the Team" (MP4, 51.4MB
Video 4 "Morgan gets data recovered" (MP4, 165.1MB)
Submited Abstract:
To ensure that AgileBits does not hold data that can be used for password cracking, we introduced Two-Secret Key Derivation (2SKD) into our client-side KDF. The two secrets are user's Master Password and a high entropy Account Key.
As described in our Passwords15 (Cambridge) talk, we introduced what we are now calling "Two-Secret Key Derivation" (2SKD) in our client side KDF which derives both an authentication secret and a key encryption key.
Our 2SKD combines the user's Master Password (MP) with an high entropy "Account Key" (AK) to derive the keys (or key encryption keys) needed for authentication and encryption. The goal is so that nothing stored on our servers or off of the users machine could be used in a password cracking attack. The AK is a high entropy (128-bit) secret generated by the client when the user first enrolls, and it is stored on the users local device.
At the time we designed this, we had a number of concerns about how well this would work for our users and the additional risks to data availability it creates.
The additional risk to data availability comes from the fact that if they either lose their AK _or_ they forget their MP, there is no way for anyone that they have not already shared their data with to be able to decrypt it. We address this risk through a combination of nudging the user toward certain behaviors and through a user data recovery mechanism that gives team Owners (but not us) copies of certain data encryption keys. These mechanisms appear to be largely, but not entirely, successful.
Additional responsibility is placed on the user to provide the AK when enrolling a new client and so to transport the AK from client device to client device securely. We provide a UI that is designed to alleviate that burden. These will also be described.
At this point, it appears that the largest problem users face with 2SKD is confusion. They do not understand what the AK is for and what it does and doesn't protect them from. This is reflected in the most common complaint that "it isn't really 2FA", a perfectly true statement but is nothing to complain about.