At the moment, if you enable TOTP/Yubikey MFA on your account, it prompts during initial login from a new device or the next time you unlock a device after enabling it. This is great! But I'd love some more control. Things like:
- Prompt for X factors before accessing individual items
- Prompt for X factors before accessing items tagged with Y.
- Prompt for X factors before accessing items in Y vault.
- Prompt for X factors before unlocking Y class of device
- Prompt for X factors before Y action for Z group.
For the condition part (Prompt for X factors), I envision an interface that lets you select an arbitrary number of factors in any number of buckets. To pass the condition you need to provide one allowed factor from each bucket (no repeats). Factor lists would be something like: Master Password, Touch ID, Face ID, TOTP, YubiKey, GeoFence (yes, I just made up another feature), Manager's approval (yes, another made-up feature). For each condition, choose to apply this rule either: every time, once per X duration, or once per user. Then apply the condition to any item or action inside 1Password: individual items, vaults, tags, users, groups, device types (iOS, Mac, Windows, Web) and actions like login/unlock, share item, delete item, delete vault, change item password, etc.
Example "Two Factor" Scenarios:
- Vault full of break-glass accounts which should rarely or never be used and provide superuser access to various items. Require re-entry of Master Password AND a YubiKey to access items in this vault.
- Require Master Password AND any of Touch ID, Face ID, TOTP, or YubiKey to unlock 1Password on a mobile device.
- Require (Master Password or Touch ID or Face ID) AND a YubiKey to unlock 1Password on a mobile device.
- Require Master Password and any other factor once every 30 days.
- Require that initial device enrollment/sign-in can only happen inside X geofence.
Example "one factor" scenarios:
- Require Master Password re-entry to access this item.
- Require Master Password to share this item.
- Require a YubiKey or TOTP to access this vault.
- Allow any of: Master Password, biometrics, or a YubiKey to unlock a device (yes, I realize the latter would "weaken" security).
- Always require Master Password to unlock mobile devices (i.e., block biometrics).
- Only allow access to this secret if you're in one of these two physical locations.
- Automatically unlock 1Password if you're in this physical location.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
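A toy evaluator for the factor-bucket model sketched in the request (one distinct factor per bucket, no repeats; "every time" vs "once per X duration") with three of the scenarios encoded as policies. This is an added example, not 1Password code; the factor names, the Policy shape and the scenario encodings are assumptions made for illustration.

```python
"""Toy evaluator for the 'factor buckets' policy model from the request.

Constructed example; not 1Password code. Factor names, the Policy shape
and the scenario definitions are assumptions made for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ALL_FACTORS = frozenset({"master_password", "touch_id", "face_id",
                         "totp", "yubikey", "geofence", "manager_approval"})


@dataclass(frozen=True)
class Policy:
    # One distinct presented factor must match each bucket (no repeats).
    buckets: Tuple[FrozenSet[str], ...]
    frequency: str = "every_time"   # or "once_per_duration"
    duration_days: int = 0          # used only for once_per_duration


def satisfies(policy: Policy, presented: FrozenSet[str]) -> bool:
    """True if presented factors can be assigned one-to-one to buckets."""
    def assign(i: int, used: FrozenSet[str]) -> bool:
        if i == len(policy.buckets):
            return True
        # Try each not-yet-used presented factor that this bucket accepts;
        # an empty intersection makes any() False, so the bucket fails.
        return any(assign(i + 1, used | {f})
                   for f in policy.buckets[i] & presented if f not in used)
    return assign(0, frozenset())


def needs_prompt(policy: Policy, days_since_last_pass: Optional[int]) -> bool:
    """Apply the 'every time' vs 'once per X duration' frequency rule."""
    if policy.frequency == "every_time" or days_since_last_pass is None:
        return True
    return days_since_last_pass >= policy.duration_days


# Scenarios from the post, encoded as policies (assumed factor names).
BREAK_GLASS = Policy((frozenset({"master_password"}), frozenset({"yubikey"})))
MOBILE_UNLOCK = Policy((frozenset({"master_password", "touch_id", "face_id"}),
                        frozenset({"yubikey"})))
MONTHLY = Policy((frozenset({"master_password"}),
                  ALL_FACTORS - {"master_password"}),
                 "once_per_duration", 30)
```

The backtracking in `satisfies` is what enforces the "no repeats" rule: a policy with two buckets that both accept the master password is not satisfied by the master password alone.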