Use multiple 2FA authenticators for 1Password itself

BLD
Community Member

Didn't find this in the forums after a quick search -- so forgive me if this is redundant, but I thought others might want to do the same thing.

I prefer having 2FA enabled to access 1P itself on a .new client. I'd like to be able to authenticate from multiple devices, e.g., Google Authenticator on my phone, an app on my laptop or desktop, or even another 1P client already signed in. I achieved this by setting up 2FA on 1P, taking a screenshot of the TOTP secret (QR Code) before moving on to verify it (for use on other devices) and then installing on each device (only needing to verify the QR Code once for the first device to generate an authentication code).

_This comes with the hopefully obvious caveat that at least one device must not be a 1P client, otherwise you risk locking yourself out of 1P if you can't get to a client that's already unlocked. (And then you'll have to wait on the wonderful folks at 1P to verify your account and clear the 2FA.) In my case, I use Google Authenticator on my phone and a 1P client everywhere else. And also as hopefully equally obvious, each device should be accessible only by you to generate those authentication codes._

I only encountered a few glitches with this:

1) There appears to be no way to enable 1P 2FA (or even see that it's enabled at all) but through a web client. I would have expected to be able to do so wherever the client allowed me to change the master password. (I've said this before, lack of feature parity across clients drives me bananas.)

2) The web client only displays the QR code once -- so it's important to take a screenshot before going on to verify the first generated authentication code. It would be nice if all 1P clients could display that right where I can display other account details, such as the secret key and setup code. My workaround is to store the screenshot I took above in 1P as a document. (After the initial setup, I can also see the secret key of the authentication device by viewing in Edit mode the Login item one-time-password I create in 1P for itself -- it's the 'secret' part of the long 'otpauth' URL.)

3) The 1P client that you use to initially store the TOTP secret (QR Code) for 1P itself has to be completely quit (or possibly just locked) and reopened before it syncs to other clients. And all the other clients end up prompting for an authenticator code to keep operating. (Aside -- I consider this another glitch with 1P not syncing when I expect it should.)

Finally, just make sure that any new device you're using displays the exact same authentication code (in the same time interval) as your original device, e.g., in my case Google Authenticator on my phone.

Addendum: A nice enhancement in 1P itself would be direct support of multiple authentication devices (especially given that the 2FA setup screen says "Your second factors" -- plural. ;-)) That way if one device got compromised or lost, I could remove/replace just that one without having to disable 2FA and re-do it on all devices.


1Password Version: iOS 7.2.7, OS X 7.2.4, Windows 7.3.657
Extension Version: 4.7.3.90 on Chrome 71.0.3578.98
OS Version: OS X 10.14.3, iOS 12.1.3, Windows 10 1703
Sync Type: N/A
Referrer: forum-search:1Password 2FA -- multiple tokens
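As an added illustration (not part of the original post, and not 1Password's code), the script below shows why the approach works: every device is just evaluating RFC 6238 TOTP over the same base32 `secret` parameter of the `otpauth://` URL, so two "devices" seeded from the same URL produce identical codes in the same 30-second interval, and different codes once the interval rolls over (the check the post recommends in its last paragraph). The `otpauth` URL is constructed and uses the RFC 6238 test seed rather than any real account secret; `Authenticator`, `devices_agree` and `verify_code` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

# Constructed otpauth URL in the shape 1P stores in a Login item's one-time
# password field.  The secret is the RFC 6238 test seed ("12345678901234567890"
# in base32), NOT a real account secret.
EXAMPLE_OTPAUTH_URL = (
    "otpauth://totp/1Password:user%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=1Password"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(url):
    """Pull (secret_b32, digits, period, algorithm) out of an otpauth://totp URL."""
    parsed = urlparse(url)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URL")
    params = parse_qs(parsed.query)
    secret = params["secret"][0].replace(" ", "").upper()
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    algorithm = params.get("algorithm", ["SHA1"])[0].upper()
    return secret, digits, period, algorithm


def decode_seed(secret_b32):
    """Base32-decode the seed; re-add '=' padding that many apps strip from the URL."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC(key, counter) -> dynamic truncation -> decimal code."""
    digest = hmac.new(key, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: TOTP is HOTP with the counter = floor(time / period)."""
    return hotp(decode_seed(secret_b32), int(unix_time) // period, digits, algorithm)


class Authenticator:
    """Stand-in for one device (phone app, desktop app, or 1P item) holding the seed."""

    def __init__(self, name, otpauth_url):
        self.name = name
        self.secret, self.digits, self.period, self.algorithm = parse_otpauth(otpauth_url)

    def code_at(self, unix_time):
        return totp(self.secret, unix_time, self.digits, self.period, self.algorithm)


def devices_agree(devices, unix_time):
    """True when every seeded device shows the same code for this instant."""
    return len({d.code_at(unix_time) for d in devices}) == 1


def verify_code(secret_b32, candidate, unix_time, window=1, digits=6, period=30):
    """What the service side does: accept the current step plus +/- `window` steps
    so a device whose clock drifts by a few seconds still validates.  Uses a
    constant-time compare so the check itself does not leak code digits."""
    key = decode_seed(secret_b32)
    step = int(unix_time) // period
    return any(hmac.compare_digest(hotp(key, step + d, digits), candidate)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    phone = Authenticator("Google Authenticator (phone)", EXAMPLE_OTPAUTH_URL)
    laptop = Authenticator("1P client (laptop)", EXAMPLE_OTPAUTH_URL)
    now = 59  # fixed instant so the run is reproducible
    for dev in (phone, laptop):
        print(f"{dev.name}: {dev.code_at(now)}")
    print("devices agree:", devices_agree([phone, laptop], now))
    print("same seed, next interval:", laptop.code_at(now + 1))
    print("server accepts phone code:", verify_code(phone.secret, phone.code_at(now), now))
```

Because the seed is the RFC 6238 test vector, the codes printed at `now = 59` can be checked against the RFC's own table (time 59 gives 94287082, i.e. 287082 at six digits). The `verify_code` window is the reason a device a few seconds off still works, and also why the post's "same time interval" check should be done by comparing codes at the same moment rather than a minute apart.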

Comments

  • Lars
    1Password Alumni

    @BLD - that is some excellent advice for other users, thanks for posting! Taking a photo of the QR code in particular is a fantastic idea, since many 2FA sites don't allow you to see that in the future for existing 2FA -- you have to disable and re-enable it in order to see the QR code again...and then, only during setup again.

    It's quite possible to use more than one authenticator app or hardware device, but it can be much more difficult/cumbersome to do that later, as opposed to during the initial setup itself, so be prepared to have all the apps/devices you want to replicate the TOTP code on ready to go when you begin.

    As to your #3 -- it shouldn't. You do have to take the item out of Edit mode by clicking "Save," but making a local change is among the steps that should force a sync with the 1password.com servers, which should in turn update across other clients that have an active and unblocked internet connection.

  • BLD
    Community Member

    @Lars Thanks, I do hope others find it useful. Re #3, yes, agreed, it shouldn't. ;-)

  • Lars
    1Password Alumni

    :) :+1:

This discussion has been closed.