
You should remove Authy as recommended 2-FA app [Example; not recommendation]

selnomeria
Community Member
edited February 2021 in Memberships

On your page, you have Authy under recommended applications:

https://support.1password.com/two-factor-authentication/

Let's start with the goal - 1Password, or any security system, is mostly created for people who NEED security. To be sincere, the main audience is not people below an average Joe, but in most cases people who care about their internet life, or in many cases professionals, who try to defend themselves in the most professional way.

However, some companies and application providers don't understand this fact, and just have a concern toward users all being "an average Joe". They, who should be regarded as professionals, are considered a "secondary audience". And among them turns out to be Twilio with its app Authy.
Why I say that...

Let me explain.
As time goes on, technology and software advance and become affordable to the average hacker, and intercepting SMS (which is an unchanged and non-advanced technology from the previous century) becomes EASIER:
https://security.stackexchange.com/questions/202777/sms-2-step-authentication-should-be-deprecated

Authy has a BUILT-IN base of login/registration/account-recovery using some methods, among which the major one is the SMS code.
All solid services (say Google, Facebook, LastPass, etc...) have a way to disable SMS account recovery/authorisation/one-time-codes, if you remove your phone number from the account. However, its "majesty" and "famous" "security" software Authy doesn't support disabling SMS from your account. So, they are not worth having, and people should instead leave them. Moreover, the problem could have been somehow understandable if Authy's developers hadn't known about the "SMS intercepting" topics (that would have been a shame too), but the bigger problem is that they KNOW the problem, and they willingly don't cover this loophole. Instead, see what a funny thing they say:

https://support.authy.com/hc/en-us/articles/360012427914-Is-the-Authy-App-Susceptible-to-a-SIM-Swap-

So, "... We have 24 hours to know about hacked SMS" and we can "react" in that time to avoid hacking. (How can people be forced to sit at a PC monitor during the next 24 hours?)

To say it shortly, Authy is SURELY an UNRELIABLE and insecure approach. So, why do you recommend us (people) the insecure app? Why don't you think that among us might be some professional or worth-to-target person? Or even if I were below an average Joe, why do you ignore the fact that some of us need REAL SECURITY, instead of the offered "half-hackable" solutions?

We have requested this from Authy (years ago) and Authy has willingly ignored that request.
So, dear 1Password, please, don't recommend us "half-secure", unprofessional, ignorant apps. Please, be professionals.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @selnomeria

    Thank you for the suggestion. I've asked our security team to look into this situation.

    Ben

  • selnomeria
    Community Member

    Thanks Ben for the attention! I appreciate it!

  • And thank you for bringing this to our attention. I've been consulting with our security team and I think there are two important points to be made here:

    1. TOTP is a very small component of what protects a 1Password account. So small in fact that I do not use it to protect my personal 1Password account. With 1Password, TOTP is only used to protect the device authorization process, for which someone also needs both your Master Password and Secret Key. As I'm confident that nobody has either of those things, I don't need TOTP. I've written more about this in the past, e.g. here.
    2. I wouldn't necessarily call the list of authenticator apps in our guide a 'recommendation,' though I do see how some may view it that way. The intention is just to list a few examples of the sorts of apps that can serve this purpose. As far as recommendations go, we recommend storing all TOTP secrets in 1Password, and then only using a 3rd party authenticator for your 1Password account's TOTP secret (if enabled).

    Regardless of those points, we may look into revising that section of our guide. There is certainly an argument that there are other examples of TOTP-capable apps such as Yubico Authenticator, Google Authenticator, etc, and perhaps we could make it more clear that these are simply examples and not necessarily endorsements.

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • selnomeria
    Community Member

    Ben, unfortunately this board just doesn't allow me to post somewhat long text answers, so I again have to put the link where you can read my answer: pastebin)dot)com/raw/qatsTFdJ

  • selnomeria
    Community Member

    Ben, many thanks for the reply.
    I think there are two confusions with regard to my original post.
    1) The first is that (probably I didn't explain it well and there has been a misunderstanding) I didn't mention TOTP/2FA auth with regard to the 1P account. Surely, I have nothing to say with regard to the matter of how hard it is to break into a 1P account. So, my post had nothing to do with 1P account authorizations. I wrote the inquiry regarding the use of Authenticator applications out there for any website on the internet, and that's why I said that people who use one or another (from your 2 recommended auth apps) will use them as their TOTP program too.
    2) So, to continue the first part, even though these are not your "recommendations" as such, obviously and without question, people listening to you and reading you mentioning/linking to the "example" authenticator apps DO think (95%) that those apps are the ones "that could/should be used". Call it a recommendation or not, but it is like a GUIDE. I have reported the same problem to other providers (to Authy directly too) but they drastically ignored my report; even the low-level support didn't pass it to the upper dept.
    So, as I know 1Password is a team of professionals, please confirm the fact or not, that AUTHY has mandatory access to its account via SMS (so, if someone forgets his login/etc., loses access, SMS IS ENOUGH to reinstate access into the account) and SMS was (given my above link leading to numerous resources on its weakness and hackability) deprecated by NIST 5 years ago (google this phrase). So, AUTHY IS NOT FOR PROFESSIONALS. IT DOESN'T have an option to completely remove any link to SMS/phone number. So, please mention that on your recommendations page to educate people, to cause a PUSH to service providers to pay more attention to security, so they don't think that all people are the same fleet. No, they made a mistake, because we are out there who see the security holes in those apps, and the producers of those apps just don't care. So, they deserve to get the reaction back.

    So, it would be a sign of your professional concern if you made that clear on that recommendation page, and listed there the ones that are completely independent (not dependent on SMS or obsolete, inherently hackable channels), like Microsoft Authenticator or alike (even Google Auth is safer).
    I know Authy is very handy and convenient, but it is not secure, which is the main principle that 1Password stands on. So, Authy is not a compatible concept with 1P due to its weakness. I see no reason why you would still keep mentioning Authy there (and please, if you will still retain it there, add a note beside it).
    I will be disappointed if my attempt to make the web more secure fails with you (1P) too, and in such case I will never have any further motivation to submit any reports to security vendors, because if 1Password ignores such things, then there is no point in trying with others.

  • @selnomeria

    I'm not sure what the difficulty would be with the length of your post... but I've included it here for reference so folks don't have to follow a link:

    Ben, many thanks for the reply.
    I think there are two confusions with regard to my original post.
    1) The first is that (probably I didn't explain it well and there has been a misunderstanding) I didn't mention TOTP/2FA auth with regard to the 1P account. Surely, I have nothing to say with regard to the matter of how hard it is to break into a 1P account. So, my post had nothing to do with 1P account authorizations. I wrote the inquiry regarding the use of Authenticator applications out there for any website on the internet, and that's why I said that people who use one or another (from your 2 recommended auth apps) will use them as their TOTP program too.
    2) So, to continue the first part, even though these are not your "recommendations" as such, obviously and without question, people listening to you and reading you mentioning/linking to the "example" authenticator apps DO think (95%) that those apps are the ones "that could/should be used". Call it a recommendation or not, but it is like a GUIDE. I have reported the same problem to other providers (to Authy directly too) but they drastically ignored my report; even the low-level support didn't pass it to the upper dept.
    So, as I know 1Password is a team of professionals, please confirm the fact or not, that AUTHY has mandatory access to its account via SMS (so, if someone forgets his login/etc., loses access, SMS IS ENOUGH to reinstate access into the account) and SMS was (given my above link leading to numerous resources on its weakness and hackability) deprecated by NIST 5 years ago (google this phrase). So, AUTHY IS NOT FOR PROFESSIONALS. IT DOESN'T have an option to completely remove any link to SMS/phone number. So, please mention that on your recommendations page to educate people, to cause a PUSH to service providers to pay more attention to security, so they don't think that all people are the same fleet. No, they made a mistake, because we are out there who see the security holes in those apps, and the producers of those apps just don't care. So, they deserve to get the reaction back.

    So, it would be a sign of your professional concern if you made that clear on that recommendation page, and listed there the ones that are completely independent (not dependent on SMS or obsolete, inherently hackable channels), like Microsoft Authenticator or alike (even Google Auth is safer).
    I know Authy is very handy and convenient, but it is not secure, which is the main principle that 1Password stands on. So, Authy is not a compatible concept with 1P due to its weakness. I see no reason why you would still keep mentioning Authy there (and please, if you will still retain it there, add a note beside it).
    I will be disappointed if my attempt to make the web more secure fails with you (1P) too, and in such case I will never have any further motivation to submit any report to anyone else.

    In response:

    The support page you're referring to is a page about setting up TOTP for 1Password accounts, so it seems relevant to explain what role TOTP actually plays when it comes to 1Password accounts. The only place we reference Authy is as an example of an authenticator app that could store your TOTP secret for your 1Password account. We recommend all other TOTP secrets be stored in 1Password.

    Additionally, as mentioned above:

    Regardless of those points, we may look into revising that section of our guide. There is certainly an argument that there are other examples of TOTP-capable apps such as Yubico Authenticator, Google Authenticator, etc, and perhaps we could make it more clear that these are simply examples and not necessarily endorsements.

    We haven't ruled out re-evaluating the wording on this page. :+1:

    Ben

  • selnomeria
    Community Member

    Ben, can you please put the text from my reference link into my first post? Then there will be no pastebin link, and instead the text I wanted to say.

  • ag_ana
    1Password Alumni

    Done @selnomeria :+1:

  • selnomeria
    Community Member

    Thanks.
    Unfortunately, this important (security) matter has been ignored since then, and it worries me a lot; 1Password left us without answers and arguments as to why they advocate Authy that much, while there are better alternatives.

  • ag_ana
    1Password Alumni

    @selnomeria:

    As my colleague Ben explained in his response above, we do not advocate Authy, but we mention a couple of authenticator apps as examples. None of those is an official recommendation, and you are absolutely free to choose the app you prefer :+1:

    Thank you once again for taking the time to share your feedback with us, and we can definitely keep it in consideration if we decide to add or remove examples from that documentation page in the future.

  • selnomeria
    Community Member
    edited February 2021

    ag_ana, it is not right what you say.

    You can write on your page, "to kill oneself, s/he has to get a knife from a store and put it to the throat" and then say, "we just say that, we don't recommend it - if people don't want to, they will not do that, they are free to do what they want".
    Something like that is what you say.
    The 1Pass official page is not a mere "we just said it and people choose whatever they want". When you write about security in your official blog post or even a site page, it is taken at the degree of a recommendation.
    Moreover, putting Authy in first place with an almost imperative requirement; here is the quote:

    Before you can use two-factor authentication with your 1Password account, you’ll need to install an authenticator app on your mobile device:

    Authy
    MS auth...

    So, let me say, that is not only a mere saying, not only even a "recommendation", but it might even be read as a REQUIREMENT by readers!

    And not even mentioning the side-threats or security holes. That gives me the impression that there is some background subjective bias of 1Pass toward Authy (I don't know whether any sort of affiliation or whatever), ignoring all my given comments (putting it in first place, hiding and not revealing the security concerns I've been describing, not even revising this matter for months).

    So, you shouldn't say that the #1 (self-claimed or real) security program has an official page about "how to secure the app" and then say that "it is not a recommendation". You should lead/guide readers in the correct directions, even though they are "free to do what they want" (which is a quite irrelevant quote). Sorry, don't get me wrong, nothing personal.

    I just see serious backing of Authy over the internet (while the findings I've been describing are a mere fact), and Authy itself, ignoring this matter specifically for years (that smells bad), deserves to be revealed to the public.

  • ttod
    Community Member
    edited February 2021

    Sel, I for sure agree, and my vote for this. Thanks for pointing me to this topic; I'll bookmark this for Josh too to read later.

  • ag_ana
    1Password Alumni

    Thank you again for the feedback! The team can certainly keep all of this in mind as we keep improving our documentation, so we appreciate you sharing your thoughts on this :+1:

  • AGAlumB
    1Password Alumni

    To clarify, in case it helps anyone else, this is what's being discussed:

    Nowhere do we say that those apps are recommended; rather we have tested those and found that they are compliant with the TOTP standard -- which is not the case for many authenticator apps, and that can cause problems with people trying to log in to their accounts.

    Whether or not a person chooses to use two-factor authentication for their 1Password membership account at all and what app they use for that purpose is left entirely up to the individual.

    In either case, what that entails is authentication only, using TOTP as the mechanism. But the security of 1Password is simply not based on authentication but rather encryption, so, as Ben mentioned, this plays a very small role over and above what actually keeps 1Password data secure. A single TOTP code or even the TOTP secret used to generate them is of no value to an attacker on its own. Cheers! :)

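To show concretely what AGAlumB's "compliant with the TOTP standard" means, here is an added example (not 1Password's or Authy's code, nor from anyone in this thread): an RFC 4226/6238 generator and verifier checked against the test vectors those RFCs publish, plus two details an app and a server must agree on, namely base32 secret handling and the verification window.

```python
# Added example, not code from 1Password, Authy or anyone in this thread:
# a minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation, checked
# against the test vectors published in those RFCs. "Compliant with the
# TOTP standard" means exactly this: same HMAC, same dynamic truncation,
# same 30-second step and same Unix epoch as the server, or the codes
# never match and the user cannot log in.
import base64
import hashlib
import hmac
import struct
import time

def normalize_base32_secret(secret: str) -> bytes:
    """Decode a shared secret as shown on a setup page / in a QR code.
    Tolerates lowercase, grouping spaces or dashes and missing '=' padding,
    all of which real setup pages emit and some apps reject."""
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore base32 padding
    return base64.b32decode(cleaned)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(key, counter as 8-byte BE)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits)

def verify_totp(key: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check. A window of +/-1 step (30 s each way) absorbs
    phone/server clock skew; a wider window only enlarges the guessing
    target. The comparison is constant-time."""
    for delta in range(-window, window + 1):
        t = unix_time + delta * step
        if t >= 0 and hmac.compare_digest(totp(key, t, step, digits), candidate):
            return True
    return False

# Both RFCs use this ASCII secret for their test vectors; its base32 form
# is the kind of string a setup page shows the user.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = base64.b32encode(RFC_SECRET).decode()

def rfc_vectors_pass() -> bool:
    """True when this implementation reproduces the published vectors."""
    hotp_ok = [hotp(RFC_SECRET, c) for c in range(3)] == ["755224", "287082", "359152"]
    totp_ok = all(totp(RFC_SECRET, t, digits=8) == code for t, code in [
        (59, "94287082"), (1111111109, "07081804"), (1111111111, "14050471"),
        (1234567890, "89005924"), (2000000000, "69279037")])
    return hotp_ok and totp_ok

if __name__ == "__main__":
    key = normalize_base32_secret(RFC_SECRET_B32)
    print("RFC vectors:", "PASS" if rfc_vectors_pass() else "FAIL")
    print("code for right now:", totp(key, int(time.time())))
```

An app that gets any of these details wrong (a non-standard epoch, a 60-second step, or a secret decoded with the wrong padding rules) produces codes the server rejects, which is the login failure the post above refers to.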
  • [Deleted User]
    Community Member
    edited February 2021

    I understand the concern to keep 2FA long-term secrets safe, but most users do not want the inconvenience of storing these off-line. I often suggest to people that they print or store their 2FA long-term secrets; I am the only person I know who does this. In addition, a person who is already using a password manager to generate strong unique passwords is more likely to lock themselves out using 2FA than have their account hacked. So I think Authy represents a good balance of security versus convenience for most people and most people are reassured by the recovery process being there, even if they don't use it.

    You cannot use SMS to gain access to Authy two-factor authentication tokens. All 2FA tokens are encrypted on the local device using the "backups password" before they are uploaded to Twilio's servers and synced across devices. When you add a new device by authorising using email, SMS or an existing device, you need to enter the backups password on that new device for the database to be decrypted and the Time-based One Time Passcodes displayed.

    Once you have your tokens displayed on all your devices, you can prevent other devices being added by turning off "multi-device". Then the only way to add a new device is via an existing device or by initiating account recovery. Account recovery is not instantaneous and involves multiple messages by SMS and email. If fraudulently done by an attacker, this can be cancelled by the legitimate owner by using the app or responding to an email.

    If the attacker successfully completes account recovery and downloads the database, they will just have a bunch of encrypted secrets. So they will have performed SIM swapping or Signalling System 7 intercepts, which are considered serious crimes in most countries, and just received a blob of useless data. I don't think this will be worth it for most criminals on a risk/reward basis. Whereas legitimate owners of the account have the reassurance that they can recover the account if they lose all their devices but have access to their backups password.

    @selnomeria Have you looked at the security model for other authenticator apps which backup 2FA tokens, like Microsoft Authenticator? How are the tokens encrypted? Who holds the keys? How does MS manage account recovery?

  • AGAlumB
    1Password Alumni

    Those are good points, but for our purposes here at 1Password, what we're concerned with is the following:

    1. Security should be available to everyone, not just "professionals", "techies", etc.
    2. SMS is ubiquitous, but not something we can support for authentication because it is not secure.
    3. TOTP is a proven, open standard and also relatively easy to set up and use.
    4. While we have control over our software and can ensure it's TOTP compliant, we can't have people use 1Password to generate their 1Password two-factor authentication code, for obvious reasons.
    5. We can't very well just say "use an authenticator app" and leave it at that, because most people won't know what that even means, and it's very easy to end up with essentially malware disguised as an "authenticator"; even if we made a "recommendation", that would be better than the alternative.
    6. We can't reasonably vet all authenticator apps out there, and some of the popular ones aren't even TOTP compliant, so we list some that are reputable and known to work.

    That way our customers who want to use two-factor authentication are able to do so easily. While it's not a recommendation, as mentioned previously, we can consider different wording. But regardless anyone can choose to use Authy, Microsoft Authenticator, something else, or nothing at all. Using any authenticator app does not make a user's 1Password account less secure. We don't want to either leave our customers hanging or list apps we don't know will do the job.

    Anyway, if there are suggestions with regard to wording and/or other authenticator apps which are suitably reputable and compliant, we're listening. :)

This discussion has been closed.