Raw Record Source

{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreigqdkfyuy23rhahviuatj6wlrtapyuamcjjld5c545ds3rl3sen4a",
    "uri": "at://did:plc:evwa3wgwmat3eowk6kwcfoog/app.bsky.feed.post/3mf2dhuzdtvg2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreibl6vfd2nx25gnxttx2f4m7wxg2cdscc7nrw277nrf4hdclmgvvbq"
    },
    "mimeType": "image/webp",
    "size": 54370
  },
  "path": "/blog/eth-zurich-zero-knowledge-malicious-server-review",
  "publishedAt": "2026-02-16T00:00:00.000Z",
  "site": "https://1password.com",
  "tags": [
    "_paper_",
    "_Security Design White Paper_",
    "_Secure Remote Password_",
    "_automated provisioning_",
    "_account governance_",
    "_Security Design White Paper_",
    "_bug bounty program_"
  ],
  "textContent": "Today, researchers from the Applied Cryptography Group at ETH Zurich published a _paper_ examining how different password managers uphold their “zero-knowledge” architecture when faced with a fully malicious server. We conducted a thorough review of the paper and confirmed that it doesn’t introduce any new attack vectors affecting 1Password beyond the architectural limitations already documented in our _Security Design White Paper_.__We appreciated the opportunity to speak with the team about their research and value the work they’ve contributed to this area. Open scrutiny and thoughtful analysis ultimately make everyone’s products stronger, and that’s a win for customers everywhere.\n\n## Attack context\n\nZero-knowledge architectures are designed so services cannot read or access customer data. This isn’t achieved by tightening permissions or limiting administrative access; it’s accomplished by ensuring that only the customer holds the keys needed to decrypt their data. Access isn’t restricted by policy; it’s protected by peer-reviewed cryptographic designs. The research presented by ETH assumes a fully compromised, malicious server and explores the types of attacks that could be attempted against password managers.\n\n## End-to-end encryption remains intact\n\n1Password is designed as an end-to-end encrypted system. As our Security Design White Paper states: “Data is only encrypted or decrypted locally on the users’ devices with keys that only the end users possess.”\n\nDecrypting vault data requires three elements:\n\n  * Your account password\n\n  * Your Secret Key\n\n  * Your encrypted vault data\n\n\n\n\nWe designed our solution to ensure that secrets are never transmitted to our server in a way that could be used by a malicious user to compromise your account. The Secret Key resides only on the client, and authentication uses _Secure Remote Password_ (SRP), which ensures that your password-derived secrets are never transmitted. Even if 1Password’s server login data were to be captured, it would not be susceptible to brute force attacks.\n\nThe research does not demonstrate any bypass of these protections.\n\n## Public key authentication and vault key substitution\n\nThe paper discusses both the lack of robust public-key authentication and a vault-key-substitution scenario under a malicious-server model. These are not separate classes of weakness in our view, but manifestations of the same architectural consideration: server-mediated key distribution without strong key provenance guarantees.\n\nOur Security Design White Paper (Appendix C: Verifying public keys) explicitly documents this limitation:\n\n> At present, there’s no robust method for a user to verify that the public key they’re encrypting data to belongs to their intended recipient. As a consequence, it would be possible for a malicious or compromised 1Password server to provide dishonest public keys to the user and run a successful attack.”\n\nAddressing this class of issue requires broader structural work, including:\n\n  * A mechanism for public key verification\n\n  * A group encryption and management model that separates trust in long-term vault data from trust in user-owned keys that may rotate over time\n\n\n\n\nWhile this set of architectural concerns is notoriously difficult to address, it’s important to note that this reflects broader industry-wide challenges in end-to-end encrypted systems. We have publicly discussed improvements in key verification mechanisms in our _automated provisioning_ and _account governance_ capabilities. We remain committed to continually strengthening our security architecture and evaluating it against advanced threat models, including malicious-server scenarios like those described in the research, and evolving it over time to maintain the protections our users rely on.\n\n## Conclusion\n\nTo reiterate, we did not identify any new attack vectors impacting 1Password. The limitations discussed in the paper are already disclosed in our public _Security Design White Paper_, and we continue to harden our architecture to address these complex, industry-wide challenges. We greatly appreciate the work of the ETH Zurich team, as this research raises the security bar to protect users' most sensitive data: their passwords.\n\nWe encourage researchers to contribute to our _bug bounty program_ so we can reward security researchers for helping fortify our defenses and protect our customers against evolving threats.",
  "title": "Zero knowledge vs. a malicious server: A look at ETH Zurich’s research"
}