
Two Factor Authentication

suhas_anand
Community Member

Hi, I have issues with Two-Factor Authentication, I changed phones and google authentication does restore from backup. I can no longer log in. I have emailed support. My ticket is ZUV-21538-144. All my accounts are inaccessible and completely locked up.

1Password really needs to handle this better to retain user membership.

Could you please help asap ?



Comments

  • ag_ana
    1Password Alumni

    Hi @suhas_anand! Welcome to the forum!

    Thank you for letting us know that you have emailed us already. We will get back to you over there as soon as possible.

  • suhas_anand
    Community Member

    Hi @ag_ana I just replied, could you please take a look asap ?

  • @suhas_anand

    Our security team evaluates each of these on a case-by-case basis. Once they've had a chance to perform their analysis they'll be in touch via email. That said...

    > 1Password really needs to handle this better to retain user membership.

    I'd be interested to hear what suggestions you might have for how we could do better here.

    Ben

  • suhas_anand
    Community Member

    @Ben Change of phones/breakage/water damage is a common thing, during the process, it's insane to expect users to go through this horrendous process of reset that takes more than 24 hrs. I use 2 factor with amazon, google, dropbox and many others... never I had this experience .. this exact issue, is making me ponder if I need to look for another password manager ...

  • peacekeeper
    Community Member

    @suhas_anand So you want to change password-managers because the process of deactivating 2FA is too secure? I am quite unhappy with how easy it is to disable on some services... What I would recommend in your case (and what I do too) is using a 2FA App that has the possibility to back up the secrets (Authy does that for example). What you could do as well is print out or note the 2FA secret on your Emergency Kit and store that in a safe place, so you can regain access to your account in case you lose access to your 2FA generator app.

    What indeed could improve in my opinion @Ben is including some hints on how to back up the 2FA code properly if it is activated and/or including it in the emergency kit if it is enabled.

  • suhas_anand
    Community Member
    edited April 2019

    @peacekeeper:

    > So you want to change password-managers because the process of deactivating 2FA is too secure?

    Not really, I don't mind it being too secure, but it becomes a pain if I am locked out for days, I am not an expert here, but are you trying to imply gmail/amazon is not secure ?

    > What I would recommend in your case (and what I do too) is using a 2FA App that has the possibility to back up the secrets (Authy does that for example). What you could do as well is print out or note the 2FA secret on your Emergency Kit and store that in a safe place, so you can regain access to your account in case you lose access to your 2FA generator app.

    Thanks ! I like that idea. I was not aware of authy .. but again, I would now require to maintain two separate secret manager/password manager

  • peacekeeper
    Community Member

    @suhas_anand I only use authy to generate my 1Password 2FA code (I have it installed on several devices, just in case...), all other 2FA codes are generated within 1Password and thus are always backed up and available if needed. That might be the best way forward for you as well if you want to spare yourself the hassle of a lot of additional maintenance (in addition to noting down the secret on the emergency kit. Good we talked about this, I still need to do that myself :) )

  • ag_ana
    1Password Alumni

    Thank you @suhas_anand and @peacekeeper for the feedback!

    > I was not aware of authy .. but again, I would now require to maintain two separate secret manager/password manager

    If you want 1Password to be your authenticator, so you don't have to use a separate authenticator app, the best recommendation we can give you is to make a copy of the 2FA QR code or 2FA secret, as peacekeeper mentioned. When you first enable 2FA, you could either take a screenshot of your QR code (so you can configure your 2FA authenticator anytime on a new device), or store a copy of the 2FA secret in a safe place.

    This will allow you to access your 2FA codes even in the case your device is lost, stolen or damaged, without having to go through the security verification phase with us.

    In addition to this, you can make sure you always have an authorized browser, where you can access your account without having to enter your 2FA code. If you are part of a Families or Business account, you can also have another admin recover your account. So we have several options to prevent this scenario from happening. Should all of these fail, we always have verification by our Security Team, which will evaluate these requests individually to make sure the requests are legit.
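
Why a saved QR code or written-down 2FA secret is enough to set up an authenticator on a new device, as an added example that is not part of the original thread and not 1Password's code: a TOTP code (RFC 6238) is computed from the secret and the current time only. The `otpauth://` URI and the secret are constructed samples (the RFC 6238 test key), and the parameters (HMAC-SHA1, 30-second step) are the common defaults, assumed here.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: the RFC 6238 test key, not a real account secret.
# Assumes standard TOTP parameters (HMAC-SHA1, 30-second step).
SAMPLE_URI = ("otpauth://totp/Example:user@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
SAMPLE_WRITTEN = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"  # as noted on paper

def secret_from_otpauth(uri):
    """Return the Base32 secret carried by an otpauth:// URI (the QR payload)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    values = parse_qs(parsed.query).get("secret")
    if not values:
        raise ValueError("URI carries no secret")
    return values[0]

def decode_secret(b32):
    """Decode a Base32 secret, tolerating spaces, dashes, lowercase, no padding."""
    cleaned = b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

def totp(key, unix_time, digits=6, step=30):
    """RFC 6238 code for the given time: HOTP over the time-step counter."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def restored_code_matches(uri, written_secret, unix_time):
    """True if a device enrolled from the QR and one from the note agree."""
    from_qr = totp(decode_secret(secret_from_otpauth(uri)), unix_time)
    from_note = totp(decode_secret(written_secret), unix_time)
    return from_qr == from_note

if __name__ == "__main__":
    import time
    now = time.time()
    print("code now:", totp(decode_secret(SAMPLE_WRITTEN), now))
    print("QR and note agree:", restored_code_matches(SAMPLE_URI, SAMPLE_WRITTEN, now))
```

Because the secret alone reproduces every future code, the screenshot or note is itself a credential and belongs in the same safe place as the Emergency Kit.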

  • peacekeeper
    Community Member

    > Not really, I don't mind it being too secure, but it becomes a pain if I am locked out for days, I am not an expert here, but are you trying to imply gmail/amazon is not secure ?

    I was not referring to those services specifically but there are some (not amazon or google to my knowledge) where you can just deactivate the 2FA with one email link without any further checks. But still, I am not comfortable with something as important as 2FA being reset via an automated process. Thus I prefer 1Password's way here and see the reset by one of their employees as a last resort if I lost all my backups (which is very highly unlikely!) and my wife (second family organizer in our Family account) is also unable to reset 2FA for me.

  • gazu
    Community Member

    > 1Password really needs to handle this better to retain user membership.

    @suhas_anand If by 'handling this better' you mean they should let you in more quickly then I'd argue 1Password would lose more customers. I wouldn't want to be a customer of an insecure service.

    Like peacekeeper said, some services let you disable 2SV/2FA with a click of a link. That makes it massively insecure and a total waste of time. Google's backup mechanisms are vulnerable to being deactivated by a malicious user.

    Any service that lets you disable 2SV without extensive checks is vulnerable to being hacked and you're wasting your time enabling 2SV on these services - it doesn't protect you from being hacked, instead it inconveniences you each and every time you have to log in.

    With 1Password you're told to keep a backup copy of your 2SV secret. If you don't do this, then you'll have to wait until 1Password are satisfied you're the genuine account holder.

    You're lucky because if you'd lost your Secret Key then you'd be locked out of your data forever.

    > All my accounts are inaccessible and completely locked up

    This is how it should be.

    Your data is secure until 1Password determine you're the legitimate account holder.

    If this is too much inconvenience don't enable 2SV or write the secret in a blank space on your emergency kit.

  • I think peacekeeper and gazu have made a lot of important points, perhaps most importantly:

    > write the secret in a blank space on your emergency kit.

    I'm hoping this is something we can incorporate into the Emergency Kit itself in the future, but this is great advice in the meantime.

    Ben

This discussion has been closed.