How Does 2-Factor Authentication Work in 1Password?

Hi! This may seem like a simpleton question, but I keep reading horror stories here in the forums of people having enabled 2-Factor Authentication and then finding themselves locked out of their accounts! It seems like there are more disadvantages to using it than advantages, and I do not want to be locked out of my account!

The other thing that I just don't understand is that in 2-Factor Authentication, a new code is generated every time for a website and the new code is sent to an email or as a text message. So, how is entering the same code into 1Password going to help when you can never use the same code again?

Oh, and please don't tell me just to go and read your articles on 2-Factor Authentication. I have read all of them plus multiple posts and I still am confused as to how it is something that can help me. I like the idea of it as it is more secure, but I do not want all the problems that seem to be associated with it.


1Password Version: 7.3
Extension Version: 7.3
OS Version: 10.13.6 and 10.14.? (Split HD)
Sync Type: Subscription

Comments

  • Ben (AWS Team)

    Team Member
    edited June 4

    @glindsey

    It sounds like you're asking about two separate things. There are two ways in which 1Password is involved with 2FA (TOTP, specifically: Time-based One Time Passwords).

    1. TOTP for your 1Password membership account. It is possible to utilize TOTP as part of the process for adding a new device to your 1Password account. When you sign into the 1Password website from a new device, or install the 1Password app on a new device, you'll need to enter a TOTP code generated by a 3rd party app (not 1Password). The amount of security this adds to a 1Password account, compared to the potential pitfalls, is something you have to weigh. Personally I only use it for one of my accounts and only because I need to support it. By and large this option is offered because there was a huge demand for it, and many companies wouldn't even consider using 1Password without it, despite the fact that it offers fairly little benefit. Other protections, such as the Secret Key, offer much more value.
    2. Using 1Password to generate TOTP codes for other websites. For websites other than 1Password that offer TOTP as an option 1Password can generate those codes for you. This is a much more valuable option, in my opinion. If you are going to use 2FA/TOTP for a website being able to have the same app you're using to manage your passwords generate your TOTP codes is super convenient.

    Does that help explain? Please let me know.

    Ben

  • gazu

    @glindsey

    My personal opinion is that using 2SV to log in to your 1Password account is a complete waste of time and a serious inconvenience if you lose the device you generate the 2SV code with.

    As you've probably read on here it can take some days for 1Password to remove 2SV from your account - because of support queues - and this is a massive problem for many people.

    I'm not blaming 1Password. If customers choose to enable 2SV then they have to live with the consequences of adding that second step as part of the login.

    Does it add extra security to 1Password? No - it's security theater to appease people (normally companies) who don't know any better.

    The reason it doesn't improve 1Password's security is because if a hacker broke into 1Password's systems they need two things:

    1. A copy of your database
    2. Your master password and secret key

    If a hacker has those things then the 2SV code doesn't even factor into the equation.

    2SV would only protect you from somebody who has your master password and your secret key but hasn't broken into 1Password. If a hacker has that then you've either been incredibly careless or a hacker has access to your device, in which case 2SV wouldn't protect you.

    It's pure security theater.

    However as Ben says, storing 2SV codes in your 1Password database for other websites is very convenient. But it's unnecessary because if you're using a password manager to create secure, unique passwords then 2SV offers very little extra protection.

    You also defeat the 'second step' by adding the 2SV secret into 1Password.

    In short:

    • if you use 2SV for other accounts (and the only two accounts that really need it are email and online banking) then 1Password is convenient for this. For top security you'd store the 2SV elsewhere on an offline device.
    • there's almost no point whatsoever in protecting your 1Password database with 2SV and it'll cause lots of aggravation for you if you ever lose the device.

    That's the simplest way I can explain it.

  • J_O_D
    edited June 5

    I can agree with the first point - 2FA for the 1Password account does not give me anything in terms of security; the Secret Key is more useful in my eyes, as I can view the Secret Key on my phone, and it basically serves as 2FA for the first time logging in on a new device.

    Saving the TOTP generator code for other accounts I can imagine to be useful, if you are confident that whatever device you have 1Password installed on is trustworthy, to get you more convenience; that way, when logging in on a random device without 1Password, you would still need your 2FA device to receive the TOTP code. Of course, you will still have to remember the password/view it on another device with 1Password, but it could work. Now that I think about it, I may give it a shot :-)

  • Ben, gazu, & J-O-D,
    Thank you all for responding! From the sound of it, I am much better off not using 2-Factor Authentication on any of my devices when logging into 1Password. Besides, 2-FA does not seem to offer any real security that already is not being provided by the "Secret Key."

    Now, TBH, I have no idea of the circumstances in which I would use 1Password to generate TOTP codes for other web sites. For instance, when my bank requires 2-Factor Authentication, at no time does it offer me the opportunity to generate my own 6-digit code. The bank supplies the code, and I have no choice but to use the code that it provides. So, please offer a real world example of how I might use this feature.

    Also, gazu, what do you mean by "2SV"? Is "2SV" equivalent to TOTP?

    J-O-D, I am totally in agreement with your first point. But as for the second, I am still dumbfounded by how and when I would have the need to use the TOTP generator within 1Password. Perhaps Ben and you would be willing to explain that a bit better!

    Sign me, "Still Confused, but considerably less so."

  • Ben (AWS Team)

    Team Member

    @glindsey

    Part of the problem is, frankly, it is a confusing topic. A lot of things are referred to as "2FA" that actually aren't — two factors aren't required; just two steps. This is why I tend to like to refer to the specific technology I'm talking about (e.g. TOTP). Some folks, including us at times, have begun referring to 2FA-like things as "2SV" (two-step verification). It's a lot of different terminology and at the end of the day I'm not sure it makes much difference in the outcome for you here.

    Now, TBH, I have no idea of the circumstances in which I would use 1Password to generate TOTP codes for other web sites. For instance, when my bank requires 2-Factor Authentication, at no time does it offer me the opportunity to generate my own 6-digit code. The bank supplies the code, and I have no choice but to use the code that it provides. So, please offer a real world example of how I might use this feature.

    The bank may not support TOTP, which is the only form of "2FA" / 2SV that we support in 1Password. Many sites do. You can find a non-exhaustive list of them here:
    https://twofactorauth.org/
    The ones listed as supporting a "Software Token" are generally the ones that support TOTP. The way this generally works is you say you want to turn on TOTP, the site gives you a "secret" (often in the form of a scannable QR code), you use your TOTP app (1Password) to scan that code, the site asks you to enter the 6-digit code that is generated based on that secret, and then TOTP is enabled. Every 30 seconds a new TOTP code is generated based on the secret that is stored in the app.

    Does that help?

    Ben

    P.S. Authentication via SMS (where you're texted a code) is generally considered a weak form of authentication: https://www.howtogeek.com/310418/why-you-shouldnt-use-sms-for-two-factor-authentication/ (3rd party article; no affiliation with 1Password)
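    The mechanism Ben describes above (site and app share one secret; a fresh 6-digit code is derived from it every 30 seconds) is RFC 6238 TOTP built on RFC 4226 HOTP. The following is an added example, not code from the forum thread or from 1Password itself, showing the derivation end to end: decoding the base32 secret that an otpauth QR code carries, generating the code for a given time, and verifying a submitted code with a small clock-skew window while refusing a code whose time step has already been accepted. The RFC 6238 test secret and timestamps are the published test vectors; the function names and the `last_counter` replay check are this example's own.

```python
"""RFC 6238 TOTP generator/verifier (added example; not 1Password's own code)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # time step used by almost every TOTP site
DIGITS = 6          # code length; RFC examples use 8, sites use 6

# Published RFC 6238 test secret (ASCII "12345678901234567890"); its base32
# form is what an otpauth:// QR code would carry.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(b32: str) -> bytes:
    """Decode the secret a site shows during enrolment (QR code / text).

    Sites often show it lowercase and space-grouped, and drop the '=' padding,
    so normalise before decoding.
    """
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, then mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter = floor(unix_time / step).

    Both the site and the authenticator app run exactly this on the same
    secret, which is why they agree on the code without ever exchanging it.
    """
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify(secret: bytes, code: str, at: Optional[int] = None,
           window: int = 1, last_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the matching counter, or None.

    window: accept +/- this many steps to tolerate clock skew.
    last_counter: highest counter already accepted for this user; any code
    for that step or earlier is refused, so a captured code cannot be replayed
    even inside the 30-second step.
    """
    if at is None:
        at = int(time.time())
    now = at // STEP_SECONDS
    for counter in range(now - window, now + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        # Constant-time comparison: do not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    print("code at T=59:", totp(secret, at=59))          # 287082 (RFC 6238 vector, 6 digits)
    print("current code:", totp(secret))
    print("accepted step:", verify(secret, totp(secret, at=59), at=59))
```

The `verify` function is the part that answers the "you can never use the same code again" question from the opening post: the site does not store codes, it stores the secret and the last accepted time step, and recomputes the expected code on every login. Storing the same secret in a password manager simply means the manager can run `totp()` too.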

  • Yikes! Thanks! Still sounds complicated. Ben, when I have time, I'd like to try to set up TOTP on just one of my accounts just to see how it works and whether it is something I want to use or not. I may need you to walk me through the steps! Is it easy to undo TOTP if I decide that I no longer want to use it for a particular account?

  • brenty

    Team Member

    @glindsey: I'd definitely start with one. It's not complicated, but it's certainly a bit different from what we're already accustomed to with usernames and passwords, which we've been using for decades already. I think you'll get it once you use it a few times. I'd say pick an important account that supports it. For example, one of the first things I set it up for was my email account, since so much depends on that -- communication, and every account I've associated with it!
