Inconsistent application of 2FA on 1PasswordX

I'm a little confused on how this is expected to work and even more confused on how it works now. I have 1Password X installed on my Firefox browser, with the Secret Key and my ID "associated" with it, meaning when I enter my key shortcut or click on the button in the toolbar, I only have to provide my Master Password. If I simply open up a browser window and go to myspecificdomain.1password.com, none of my data is populated. However, when I click on the button and enter my password, I can then click settings gear -> Settings -> Personal vault -> Open vault, and I'm in, no 2FA. However, when a 10-minute timeout occurs, I am returned to the myspecificdomain.1password.com page with all of the values filled in (sans Master Password) and after I enter my password, I'm requested to provide my 2FA.

So, why the request after 10 minutes but not before? I'd prefer to enter it every time I am requested to enter my master password to counter keylogger hacks.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • ag_yaron
    1Password Alumni

    Hey @jrork1,
    I'm a little confused by your confusion :)

    When you go to 1Password.com's login page, you are required to enter your Master password and 2FA, without the email and Secret Key because it should remember you, unless you constantly clear cache and cookies in your browser. If you clear the cache and cookies you will have to enter all of your credentials (email, Master Password, Secret Key and 2FA).

    1Password X is actually your 1Password.com account. When you unlock 1Password X you unlock your account. If you select one of your vaults via 1Password X, then it will take you straight into your account since it is already unlocked. 1Password also contains your encrypted credentials (email, Secret Key and 2FA) locally which is why you are not required to enter those when you get into the web interface via 1Password X.
    The 10-minute lock timer can be adjusted in 1Password X's settings if you'd like.

    Regarding keyloggers: even if someone grabs your Master Password, he won't be able to log into your account since he doesn't have the 2FA secret (unless he records that as well when you type it, and then he logs in during that very short window in which the code is valid). But 1Password X keeps you safe on that front since it does not require you to type in the 2FA, which means keyloggers won't be able to catch that. It is highly recommended to always autofill using 1Password X and to log into your account via 1Password X for these reasons. The less you manually type, the more secure you are.

    Wanting to type in the 2FA manually every time actually decreases your security, even if not by a lot, since 2FA is only valid for less than a minute. The attacker will have to be very quick and do things in real time exactly when you do it. In any case, logging into your account with 1Password X and not needing to input the 2FA every time is the right way to go, security-wise.

    Furthermore, we're currently working on integrating 1Password X with the 1Password 7 desktop app, which should provide another layer of defense since you will be able to unlock 1Password X using Touch ID on a Mac and Windows Hello on Windows, which would render keyloggers completely useless since they won't even catch your Master Password. If you have a Mac, we currently have a working beta that you can try: https://support.1password.com/getting-started-1password-x/#to-integrate-with-1password-for-mac

    I hope that clarifies and answers your questions. :)

This discussion has been closed.