1Password - Device Trust Model: What It Is and Why It Improves Security
What Is the Device Trust Model?
When signing into 1Password on a new device, you must go through a multi-step process that confirms both your identity and the device’s authenticity. The process includes:
- Signing in with your NetID via Single Sign-On (SSO).
- Authorizing the device through a previously trusted device.
Once authorized, the device becomes trusted and securely stores a device key that allows it to access your vaults. Without this authorization, access is blocked—even if your NetID credentials are compromised.
Why It Matters
Unlike many password managers that only require a master password (sometimes with two-factor authentication), 1Password’s device trust model offers:
- Extra protection if credentials are stolen – attackers still can't access your data without a trusted device.
- Resistance to phishing attacks – login attempts from unapproved devices will fail unless explicitly authorized.
- Limited access even for administrators – admins can help recover devices, but cannot access your vault contents.
Security Advantages of 1Password
Feature | 1Password at UW–Madison | Most Other Managers |
---|---|---|
Uses NetID Single Sign-On (SSO) | Yes | Rarely |
Requires trusted device | Yes | Rarely |
Strong phishing resistance | Yes | Often dependent on 2FA |
Vault contents hidden from admins | Yes (zero-knowledge) | Varies by provider |
Device Keys and Linked Devices
What Are Device Keys?
- Each device (e.g., phone, browser, or app) creates a unique code (device key) the first time you log in.
- This code helps keep your data secure and makes sure new devices are approved by you.
Linked Devices:
- When you log in on a new device, you’ll need to approve it from a trusted device you’re already signed in on.
- If you can’t approve a new device because no devices are linked, account recovery is needed.
Best Practice:
- Browsers often clear cookies when tabs are closed or the browser is restarted, which removes the browser's device key.
- If possible, use the desktop or mobile apps instead of just a web browser.
When Will I Encounter This?
You’ll go through the device trust process in these situations:
- Signing in on a new computer or mobile device
- Reinstalling the 1Password app
- Resetting or wiping a previously trusted device
(Screenshot: example from the device approval process.)
If you're helping others at UW–Madison set up 1Password, let them know this step is intentional and enhances account security.
What If I Can't Approve a New Device?
If you are unable to approve a new device—such as when your only trusted device is lost or wiped—you may need to request account recovery. This process allows you to regain access to your 1Password account while preserving the security of your vault data.
Steps to request account recovery:
- Contact the DoIT Help Desk requesting a 1Password Account Recovery.
- You'll receive an email from 1Password with next steps.
- Follow the emailed steps to verify your identity using your NetID and Duo 2FA.
- Once your account recovery is approved, you’ll be able to reauthorize your new device. Any previously used devices will need to be re-approved as a trusted device.
To avoid issues with browsers losing their device key and no longer being considered a trusted device, we recommend installing the 1Password desktop app. The app stores its device key more securely, ensuring you always have a trusted device from which to approve new logins.
For more information, see: 1Password - Troubleshooting: Account Recovery
Learn More
For step-by-step help adding a new device, see: 1Password - Set Up and Unlock 1Password on a New Device
For high level steps when getting started with 1Password, see: 1Password - Getting Started with 1Password at UW-Madison