2FA is activated, but I am able to access my passwords without using 2FA. How is this possible?

I have 1PW on my Android mobile, Windows desktop and Chrome browser. I have added 2FA (tried Yubikey Google) but in both cases I am able to access my account without filling in the 6 digits. I simply close the box with the 6 input-fields and continue to work in 1PW. Is this the way 2FA should work? I understand that changes made on a device not using 2FA will not be shared over other devices. However, I expected that 2FA would block me from accessing my account. Is this an error I am experiencing?

1Password Version: 7.3.657
Extension Version: Not Provided
OS Version: Chrome
Sync Type: Not Provided
Referrer: forum-search:2FA is activated, but I am able to access my passwords without using 2FA. How is this possible?


  • BenBen AWS Team

    Team Member
    edited February 2019

    Hi @Mileaged

    Not having the correct 2FA code prevents you from connecting to the 1Password.com service. It does not prevent you from accessing the data that is already cached on your device. I wrote more about why this works the way it does here:

    Duo 2 Factor Authentication Security — 1Password Forum

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.


  • Thanks Ben. When I noticed that I did not really have a second layer of protection with my Yubikey (2FA for 1Password), I created a LastPass account to see how this work. It seems like LastPass does block access from accessing (seeing) your passwords unless you use 2FA. But I believe I understand the points you made regarding trade offs. This is what I understood: If someone gets access to my laptop (whether I'm using 1Password or LastPass), they will be able to access all my password data without even having to login to my password manager, because this data is stored locally (whether I use the chrome browser pluggin or the desktop version for Windows). Is this correct?

  • Hello @Mileaged,

    All data stored locally, whether it is 1Password for Windows or our standalone extension 1Password X (which uses the browser for storage) is encrypted. The only way to access the contents of your vault would be either to know your Master Password to decrypt the data or access the device when the data is already accessible i.e. 1Password is unlocked. The ultimate layer is always that the data is encrypted while 2FA is a secondary layer for authentication only. In the past we've had requests to add 2FA to the client even with standalone vaults and the reason we have never done so is because it's trivial to avoid. If the person has access to the machine they can access the encrypted file and then only concern themselves with decryption. They can skip the authentication 2FA brings because 2FA isn't involved in the encryption/decryption process.

    I hope that made sense, please let us know if it didn't.

This discussion has been closed.