Two factor time based authenticator

Has anyone suggested or looked into adding time based one time passwords to 1Password on iOS? I use the Google one for iOS but it doesn't offer any sort of password protection. The only protection I get is that the tokens expire rather quickly, but it doesn't help if the device is compromised or stolen.

It would be nice to have an option that protects the tokens from unauthorized access. I know that I can kill the tokens but it's harder to do that if the device is missing and the backup is SMS to the lost device.

Comments

  • Fooligan
    edited October 2013

    @ericsnis

    Two factor authentication does not work with the design of 1Password data. It does add security with regard to using it for your Dropbox account (if you use the service).

    Refer to this blog article for details on why it does not make sense for 1P.

  • Perhaps we are thinking of two different things. What I was inquiring about is the ability to have 1Password generate the one time tokens for other sites like GMail, Microsoft, etc. I'm not terribly concerned with the ability of 1Password securing the data within the database or its ability to generate good passwords. What I am interested in is the ability to secure the token generator since Google's free authenticator app provides no password protection at all. There are other token generating apps that have PIN codes, but who knows what the actual security level is. With 1Password I feel reasonably sure that everything is locked up with AES and that my ability to come up with good passwords de novo is the only weak link in the chain.

    I guess at least right now someone would have to acquire my iPhone and figure out the master password for 1Password. My understanding is that the website tokens alone aren't useful without the rest of the credentials (username/password pair).

  • I have been using Authy and find it to be quite good. Is there something you found about Authy that caused you to feel it was not good?

    My understanding of the whole thing is that the design of TOTP is such that there is not a need for it to be secured in any way. It is only one of the factors and it is quite useless by itself. So the whole world is welcome to have a look at my TOTP values, it would do them no good unless they are able to first crack my password. TOTP is just a second layer. What did you feel would be the benefit of having a TOTP generating algorithm be wrapped in some AES somehow?

    I think even the PIN that other apps have is really cosmetic and of very little use.

  • DBrown 1Password Alumni
    edited October 2013

    ericsnis and fool4, feel free to continue the conversation here, but I wanted to note that I'm not aware of any plan to add such a feature, at this time. Of course, I'm no expert on two-factor time-based authentication, though, so I may be missing something obvious.

    Regardless, we always like to know what our customers would find useful, though, so thanks for bringing it up!

  • @DBrown, I'd also be interested in 1Password having an integrated two factor generator based on the TOTP standard. I already use 1Password to backup the TOTP key so I've already assessed the security considerations I'm going to mention below and decided the benefits outweigh the risks for me.

    @fool4, PINs in protocols like RSA's ACE/SecurID are stored on the server and are part of the algorithm. So instead of TOTP's simple f(time, key) yielding an OTP, they use f(time, key, pin) where the key is from the actual token (and is stored on the server) and the PIN is known by the user (and stored securely on the server). So a little bit more secure if your users actually use secure PINs.

    @ericsnis If you edit the authenticator entry in the Google Authenticator app, there should be a field which lists the key. For right now you can document that key on a 1Password login and plug it into another TOTP generator (there are javascript/java ones, or the google authenticator app on your new phone) to start generating OTPs.

    All that being said, if you are putting your OTP secret into 1Password (either in a notes field as a backup as I am, or if Agilebits implement a TOTP generator) you are reducing the overall security that TOTP provides in ideal circumstances, because an attacker who grabs your 1Password data and your 1Password secret now owns both halves of your security. In my assessment I've already given up some of that security by using 1Password in the first place (vs just memorizing the password) but that's the security vs convenience decision we all need to address for our own situations.

    Since I'm already using 1Password for convenience of storing the password (and also backing up the TOTP secret), I'd be all for Agilebits adding a TOTP generator into the app to provide even more convenience when I'm away from my phone and want to login to a TOTP protected resource.

  • DBrown 1Password Alumni

    Wow, @ragzilla, thanks so much for that thorough post!

    As for 1Password security: assuming your master password is reasonably strong, we believe your 1Password data is, for all intents and purposes, inaccessible to anyone who doesn't know your master password.

  • It is well past time for 1Password to add the option to enable 2 factor authentication, if the user wants it. Google Authenticator is my favourite. I use 2 factor for Gmail, Evernote, Microsoft, Paypal, Dropbox, my bank. Where I cannot use it I move away from the product when I find a replacement that does have it.

  • DBrown 1Password Alumni

    Thanks for your comment, @localjrw!

  • svondutch Team Member

    It is well past time for 1Password to add the option to enable 2 factor authentication

    http://blog.agilebits.com/2011/09/23/two-factor-or-not-two-factor/

  • I would also love to see 1password support management of OTP tokens. I have about 6 that I need to use on a regular basis now, and I would like to be able to use the password manager I trust to sync these token around my various devices. Adding support for the desktop version to auto-fill would also improve the UX of OTP tokens for me greatly. I would love to pay money for this feature.

  • DBrown 1Password Alumni

    Thanks for the feedback, @archaelus!

    I hope you won't mind my referring you to the article cited by @svondutch, above, reflecting AgileBits' current position on this issue.

  • I would also love to see 1P integrate OTP management. I could eliminate Google Authenticator (great product, but it was terrible for years); maybe the 'token' could be shared in each of the 1P apps so that you always have access to your codes (a little less secure but high availability; I could lose my phone and be SOL).

  • DBrown 1Password Alumni

    Thanks for your feedback, Jono!

This discussion has been closed.