2 Factor Authentication and Recovery (Family)

jarflores
Community Member

Fairly new to 1Password, but starting to get how things work.

I've turned on 2FA for my account and recommended my family do the same. I've been reading opinions about where to store the emergency kit and also that storing may not be so necessary if there are others who are able to recover your account. I was hoping you might be able to clarify some things for me:

  1. Is the 2FA "password" or "secret" just the QR code? That is the only thing I can find that allows you to set up 2FA on a new device.
  2. If I have 2FA turned on for my account and I lose every device that had 2FA set up, will the recovery process turn 2FA off (or at least provide a new QR code without having to log in to my account) so I am able to log in from a new device?

If (2) is true, then with 2 or 3 family members who can recover my account, I probably won't stress too much over where I have the emergency kit stored.

Also, the QR code for 2FA worked fine with Google Authenticator, but it did not work with Authy (Android 9). Not a big deal.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • kothman
    Community Member

    Hey @jarflores - thought I'd take a stab at answering your questions.

    You're absolutely right, if other family members have the ability to recover accounts, losing your secret key won't mean losing access to all your data. You'll want to make sure that someone else in your account is also a Family Organizer (check out the article for more info on what can be managed in your account as a family organizer). That being said, it's probably a good idea to print out your emergency kit (with a copy of your master password written down on it), filed away with your other important documents (like passport, birth certificate, etc).

    1. The QR code isn't actually what you use for 2FA, this is just used to set up 2FA on your device. Once it is set up, you'll actually grab a 6-digit code from your 2FA app (like Google Authenticator) when you need to log in. A Yubikey is also a great option for 2FA - you can keep it on your keychain, and it plugs into your computer through a USB port whenever you need a 2FA code.
    2. According to this article on 2FA, it does look like having a Family Organizer recover your account will let you gain access again. Maybe someone from the support team could clarify, but I'm assuming 2FA will be disabled on your account once the recovery process is started.

    Hope that helps! Regarding Authy not working, what do you see when you try and scan the QR code? Does it just say it's an invalid QR code?

  • jarflores
    Community Member

    Thanks @kothman

    But just to be certain, the only way to set up 2FA on a new device is via the QR code?

    I would also assume the 2FA would be disabled otherwise the recovery wouldn't help too much. If I don't hear from a support person, I can always test it out...but was hoping to avoid it.

    Also, when I scan the QR code using Authy (on my Android 9 phone), it says:

    "Invalid format... Token format not supported."

  • Thanks for the assist @kothman. I don't think I could have said any of it any better myself.

    Ben

  • AGAlumB
    1Password Alumni

    @jarflores: It looks like you and Ben were commenting here at the same time, so he missed yours -- like ships passing in the night! Sorry. Happy to clarify:

    But just to be certain, the only way to set up 2FA on a new device is via the QR code?

    It really depends on the authenticator app you're using. I think most will allow you to scan the QR code or enter the text TOTP secret.

    I would also assume the 2FA would be disabled otherwise the recovery wouldn't help too much. If I don't hear from a support person, I can always test it out...but was hoping to avoid it.

    The account recovery (can only be initiated by an admin on the account, not by us) process allows the user to get a new Secret Key and Master Password, and this also disables two-factor authentication.

    Also, when I scan the QR code using Authy (on my Android 9 phone), it says:
    "Invalid format... Token format not supported."

    I'm not familiar with that error, but based on a literal reading of it and your other comments here, I think there's some confusion between two-factor authentication and the Setup Code in your Emergency Kit. Where are you getting the QR code from?

  • jarflores
    Community Member

    The QR code is in my.1password.com/profile. It's the same QR code I used to set up the Google Authenticator app on my phone. I thought I would test out Authy as well but when I scan the same QR code, it gives the above error.

    Ultimately, I was just curious if it's possible to use my MacBook as a 2FA device as well. Since Authy has an app for OSX, I thought about using Authy on my phone as well so I would be using the same app on both devices. However, I am unable to set up Authy on my phone due to the QR error above, and on OSX the Authy app can't be set up using the QR code and instead asks for a "code provided by the service in which you want to enable 2FA"...but I don't see this in my account anywhere (their example is a string of 4 letter words).

  • jarflores
    Community Member

    And just to be extra precise, when I say "QR code" that I used to set up Google Authenticator (and tried with Authy), I mean the square image with small, scattered black and white squares inside (in the profile, it has the title "SETUP CODE" above it).

  • AGAlumB
    1Password Alumni

    The QR code is in my.1password.com/profile. It's the same QR code I used to set up the Google Authenticator app on my phone.

    @jarflores: You're mistaken. It's not the same. Sorry. I think there's some confusion. The QR code you're referring to -- the Setup Code, as I mentioned above -- is for signing into your 1Password account on a new device. You can find more information on that here:

    https://support.1password.com/secret-key/

    That QR code is included in your Emergency Kit. Its only purpose is for you to scan it to avoid having to type in your account's Secret Key on every device. Every 1Password account has this, and it is not involved in two-factor authentication.

    By default, two-factor authentication is not enabled. In order to use it, you'd need to enable it in your account settings:

    https://support.1password.com/two-factor-authentication/

    When you do that, there is both a QR code and text TOTP secret you can use to set up your authenticator app. Again, this is completely separate -- and different -- from your account's Setup Code.

    Ultimately, I was just curious if it's possible to use my MacBook as a 2FA device as well. Since Authy has an app for OSX, I thought about using Authy on my phone as well so I would be using the same app on both devices. However, I am unable to set up Authy on my phone due to the QR error above, and on OSX the Authy app can't be set up using the QR code and instead asks for a "code provided by the service in which you want to enable 2FA"...but I don't see this in my account anywhere (their example is a string of 4 letter words).

    You can definitely set up multiple devices to generate the TOTP codes for two-factor authentication...but it sounds like you didn't save that. You should disable two-factor authentication in your account, and you could set it up again on multiple devices...but I'd suggest maybe it's better not to, since I don't want you to lock yourself out of your account due to some confusion. But let me know if you have any questions.

  • jarflores
    Community Member

    Ah, thanks @brenty , that makes sense.

    So when I go to set up 2FA from my 1Password account, a QR code (different from the SETUP CODE) and "text TOTP" will appear that will let me set up the 2FA app on a device? I guess when I started setting up 2FA I didn't realize that these were separate and needed to be saved.

    My final question (if you'll permit me one), is given that I have a family account with multiple managers who can help me recover, etc., what is the best practice when a 1Password-enabled device is lost? (possibly stolen)

    1. Have family member suspend my account so the bad actor cannot access my data.
    2. Get new 2FA device
    3. Have family member recover account

    ?

  • AGAlumB
    1Password Alumni

    Ah, thanks @brenty , that makes sense.

    @jarflores: You're very welcome! I'm sorry for the confusion regarding the different QR codes. :blush:

    So when I go to set up 2FA from my 1Password account, a QR code (different from the SETUP CODE) and "text TOTP" will appear that will let me set up the 2FA app on a device?

    Yes, exactly. It looks like this:

    The QR code and text TOTP secret are the same information, just in different forms. Scanning the QR code is easier where available, but the text version will work if you're not able to use the QR code for some reason (also maybe easier to backup somewhere safe).

    I guess when I started setting up 2FA I didn't realize that these were separate and needed to be saved.

    Indeed, I'm sorry about that. To be clear, you don't need both. But I'd suggest saving them both anyway, like you do your Emergency Kit, just in case you ever need them.

    My final question (if you'll permit me one), is given that I have a family account with multiple managers who can help me recover, etc., what is the best practice when a 1Password-enabled device is lost? (possibly stolen)

    It's important to keep in mind that no matter what you do, a competent attacker will just make a copy of the encrypted data if they want to try to break into that. However, you can do a couple things that would help before someone is able to do that:

    1. Deauthorize the device in your 1Password account's profile page. Then it will no longer get any updates to your account no matter what.
    2. Use the device's secure erase feature (if available) to clear everything off of it.

    Again, if someone already has the device, they can easily take it offline so it cannot receive remote commands to remove data. But even if all else fails, using a long, strong, unique Master Password will prevent someone from being able to brute force your data until long after it could be useful to them.

    Have family member suspend my account so the bad actor cannot access my data.
    Get new 2FA device
    Have family member recover account
    ?

    None of those are relevant, but if you have reason to believe that your Secret Key and/or Master Password have been compromised, you can also change those in your account's Profile at any time:

    https://start.1password.com/profile

    Cheers! :)
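To make the point above concrete (the QR code and the text TOTP secret are the same information in two forms), here is an added example, not code from 1Password or from anyone in this thread: it decodes the otpauth URI that a TOTP enrolment QR code encodes, and computes the same 6-digit code from the bare text secret. The account label and issuer are constructed, and the secret is the RFC 6238 reference key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed otpauth URI, the payload a TOTP enrolment QR code encodes.
# Label and issuer are illustrative; the secret is the RFC 6238 reference
# key, not a real 1Password secret.
EXAMPLE_URI = (
    "otpauth://totp/1Password:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=1Password&digits=6&period=30"
)

def decode_text_secret(secret_b32):
    """Turn the text TOTP secret as shown on screen into raw key bytes."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # apps usually omit base32 padding
    return base64.b32decode(cleaned)

def parse_otpauth(uri):
    """Return (label, key, digits, period) from an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    key = decode_text_secret(params["secret"][0])
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    return unquote(parsed.path.lstrip("/")), key, digits, period

def totp(key, unix_time, digits=6, period=30):
    """RFC 6238 TOTP: HMAC-SHA1 over the time step, then dynamic truncation."""
    counter = int(unix_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def code_from_qr(uri, unix_time):
    """The code an app shows after scanning the QR code (the otpauth URI)."""
    _, key, digits, period = parse_otpauth(uri)
    return totp(key, unix_time, digits, period)

def code_from_text(secret_b32, unix_time):
    """The code an app shows after typing the text secret instead."""
    return totp(decode_text_secret(secret_b32), unix_time)
```

Both paths yield identical codes for the same time step, which is why saving either form (text is the easier one to write down) is enough to re-enrol an authenticator app later.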

  • jarflores
    Community Member

    Thanks again!

  • AGAlumB
    1Password Alumni

    Any time! We're here if you need us. :chuffed:
