Should I start using two-factor authentication?

Calion
Community Member

Note that I am not talking about 2FA for 1Password itself.

AgileBits seems to have gotten behind using 2FA as much as possible, as indicated by the fact that 1Password points out, in a large purple box, whenever you have neglected to set 2FA up for a site that supports it. This seems to be a change from the stance of several years ago, which was, "If you use 1Password and our Strong Password Generator, then there is little added security gain by using two factor authentication."

That advice still seems sound to me. 2FA, especially when a) it comes over an inherently insecure medium like SMS, or b) is not generated from within 1Password (which is a cool feature), seems like it does not provide enough additional security to justify the hassle, presuming you're already using strong, unique passwords.

Am I missing something here? Is there a massive security advantage to using two-factor authentication that I'm unaware of?



Comments

  • AGAlumB
    1Password Alumni

    @Jim A Syler: That still holds true: "2FA" only protects against a very specific, narrow form of attack: replay. The context of that blog post is important (it was written in 2011, years before 1Password membership accounts even existed, much less had a two-factor authentication option, and so refers exclusively to using two-factor authentication for things outside of 1Password); we also need to think of this in terms of whether we're talking about the benefits of 2FA for people who use long, strong, unique passwords versus those who don't. Some two-factor authentication is better than none in the sense that it does offer some additional protection. But if you have a long, strong, unique password for an account, the relative benefit of 2FA is going to be small, and only come into play if you or the website has given away your password. For important accounts, though, I'd argue that even the marginal benefit of 2FA is welcome, since we're all painfully aware at this point that website breaches which compromise passwords are not uncommon (though 2FA will do no good in cases where authentication is bypassed entirely). To summarize, 2FA gives the most security benefit when using a weak, compromised, or reused password, and using 1Password means you can and should use a long, strong, unique password for each site. :sunglasses:

  • AGAlumB
    1Password Alumni

    You're very welcome! That sounds like a reasonable way of looking at it. Happy holidays. :chuffed:

This discussion has been closed.