Will 1Password allow option to require 2fa with every sign in?

Hello. I’m a Lastpass user considering 1Password (1P). I like the UI and the app very much, except when it comes to 2FA (two-factor authentication). I have looked at posts and 1P does not provide an option for users to require 2FA with every sign in. Lastpass does. Will 1P reconsider?

In a world of smartphones that are easily swiped (or accidentally left behind) and where we are constantly subject to video surveillance as we go about our lives — such as when typing in our master password as we are in a restaurant — I want an option where I can be confident that no one is getting into the 1P account on my phone WITHOUT ALSO having access to the yubikey in my pocket. As someone who has accidentally left my phone behind at places, I don’t like having to hope that my phone screen darkened before it was picked up by someone else or depending solely on Touch ID to protect my apps.

This fall, Apple and yubikey will allow for physical yubikey entry on iPhones with FIDO U2F as 2FA, when the new iOS yubikeys come out. Indeed, both 1P and Lastpass are partners with that program already.

It will then be possible to configure password managers in such a way that to get into the app on an iPhone, you would need both the master password and one of the 3 yubikeys I plan to own (one on my key ring and two backups housed in two separate locations) and with NO other means of access or recovery. (At least for online access). I am willing to own the risk of non-recovery if I lose all 3 yubikeys, because I very much like guarding the front door of a password manager on a portable computer (smartphone) with more than a master password that can be so easily shoulder surfed or otherwise noticed. Others may not. But I’d at least like the option.

Otherwise, I confess to not really understanding 1P’s current structure for 2fa. You only require it on the initial sign in on a particular device but don’t require it thereafter. But that does not seem to do much more than what the secret key already provides....

What say ye?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:2fa

Comments

  • Ben (AWS Team)

    Team Member

    Hi @sjdc

    I'd like to offer a couple of resources on this subject that may help better understand how this works and why it works the way it does:

    If you have any questions or concerns not addressed there please let me know and I'll be happy to elaborate.

    Ben

  • sjdc
    edited July 8

    First of all, thanks for the links and your response. Clearly 1P offers service that beats the competition!

    I guess what I don’t understand is the decision not to make an option for smartphone-only-online-access-via-yubikey-and-master-password. Maybe it is cumbersome and not desired by all. But unless I’m missing something, it would dramatically narrow an attack surface — you wouldn’t be able to either access or decrypt 1P data without a) the secret key already installed on the smartphone, and b) downloading the data through the use of the yubikey and decrypting it with the master password.

    I don’t see the current model as recognizing the fundamental risks that come with carrying a portable computer that is so easily captured — particularly in a surveillance world where recording the master password is so easy via camera, and perhaps done more often than we realize and unwittingly.

    To put it differently, using FIDO U2F via a yubikey adds far more protection for the app than a pin code or even Touch/Face ID. Why not eliminate as many attack surfaces as possible — or at least offer the option for potential customers who would like to do so and are willing to own the risks of yubikey loss in doing so? That does not seem like security theater to me.....

  • Ben (AWS Team)

    Team Member

    "smartphone-only-online-access-via-yubikey-and-master password option"

    That might be fine for the very small portion of the world that has access to unlimited mobile data, but for most, downloading their entire vault every time they unlocked would be completely unacceptable. I would suspect it would be difficult to justify building such a thing for the handful of people who are willing to both have that kind of data usage and also give up offline access.

    That said, we'll certainly continue to evaluate what sort of threats are out there and also what sort of resources customers have at their disposal to make sensible decisions about such topics. Thanks for taking the time to share.

    Ben

  • sjdc

    Thanks for your responses. I appreciate your taking the time to respond. And it does help clarify that 1P’s present use of 2FA is a choice and not because taking advantage of FIDO U2F in other ways would be an impossibility.

    If you do consider other uses of 2FA down the line, I’d note that downloads for most users of 1P are likely to be a few megabytes at most.....

  • brenty

    Team Member

    Likewise, thanks for the feedback! While I can tell you from personal experience that most people don't have unlimited data, and that "a few megabytes at most" isn't a given since each 1Password account includes a gigabyte for Document storage by default (and many people use a lot of that) with no restriction of file size, it's absolutely something we'll continue to evaluate over time as things evolve. Cheers! :)
