Multi-Factor Authentication

[Deleted User]

1. We use primary password to unlock&manage password database. But some of other password manage software (like Kaspersky password manager) can create tokens in USB devices and provide automatically unlock when USB devices plugged. I hope 1password can add such features, that’s really convenience.
2. A dual-authentication system can be used for 1password to improve safety: A primary password to unlock the whole database which allowed user to add/delete/manage/edit their items , configure the preference of software and provide auto-login. An advanced(secondary) password is required to show the clear-text password. Just like what keychain(Apple Inc.) has done:
   
   The 1 password don’t need the secondary authentication for showing the password, it contains the potential threat, i guess :
   
   Those primary/secondary password can be replaced with USB-token or other authentication devices.

chrisdj

Hi @Autonomous‌,

Two-factor authentication is very neat. Our Chief Defender Against the Dark Arts, @jpgoldberg‌, has written much on the subject.

Here are some things to check out:

• http://blog.agilebits.com/2011/09/23/two-factor-or-not-two-factor/
• https://discussions.agilebits.com/discussion/comment/51357/#Comment_51357 (Comment #3)

[Deleted User]

reply to @chrisdj ,

data availability are stripped away with requiring a second factor

(http://blog.agilebits.com/2011/09/23/two-factor-or-not-two-factor/)

Well, I changed my view of the two factor authentication. Just using the Strong Password Generator, avoiding password reuse to get data availability.

But i still hold the view that an alternative primary authentication method, such as USB token, can be considered as a substitution of Master Passwords. Please notice that it is parallel to Master Passwords, their logical relationship is "or", not "and".

I know you are concern about the safety of those tokens, but it's worthwhile to add such feature for single platform users who promise the safety of their tokens.

chrisdj

Hi @Autonomous‌,

While we're not at the point of having a separate token of authentication on the Mac or PC, with iOS 8 we will be taking advantage of TouchID on compatible devices. And you are correct in that it is definitely an or, not an and. In fact, if TouchID does not get a successful read, the user will immediately fall back to the Master Password. This is much like our current use of PIN code. If you enter it incorrectly, you must enter the Master Password.

[Deleted User]

reply to @chrisdj ,

TouchID? It seems that non-iphone users can hardly enjoy such new features.

chrisdj

Hi @Autonomous‌,

Apple provided an extremely secure system to use. While we are definitely interested in biometric solutions on other devices, we have to be certain they are truly secure. It is still early days for these kind of authentication options. We need to see where the road leads.

[Deleted User]

reply to @chrisdj ,

Still have some potential threat by using biometric information, fingerprint can be easily captured and copied, worse, we can hardly change our fingerprint.

Except for such biometric solutions, do you think the USBkeys is reliable and available?

chrisdj

Hi @Autonomous‌,

While it is true that a fingerprint can be captured, it seems TouchID is not as easy to fool, as it needs capacitance to activate the sensor. That means your body's natural electric current is needed. While someone with enough sophisticated equipment could probably fake the effect, you'd need to be very specifically targeted. Also, they would only get one shot. If the first read off TouchID is not good, we're going to fall back to the Master Password right away.

As for USB keys, I personally cannot comment on it. I haven't researched them enough. Perhaps @jpgoldberg‌, our security chief, can comment further when he has a free moment.

jpgoldberg

All I can really say is that all of this is being explored.

As noted above, systems that involve authentication (logging into some system that then grants access) can plug in a second factor into their authentication process. They also face different threats, for which a second factor in authentication is a good defense. For a system that doesn't use authentication (and so doesn't run some of the risks associated with those) integrating a second factor is harder to do right, and the case for doing so isn't as compelling.

But just because it is "hard to do right" isn't a deterrent to us.

[Deleted User]

@chrisdj @jpgoldberg , thanks for your reply, it dispelled my doubts.

sjk

Hi @Autonomous,

On behalf of Chris ( @chrisdj‌ ) and Jeff ( @jpgoldberg‌ ), you're very much welcome!

Christopher Papa

This post confuses me: https://blog.agilebits.com/2011/09/23/two-factor-or-not-two-factor/

Why spend a bunch of time trying to convince your users that "one and a half" factor authentication is good ENOUGH?.... when it's so completely obvious that multi-factor is better, more secure, etc... there are TONS of free services that you could use for example google authenticator, toopher, etc... not to mention your own companion app for mobile or tablet... just tell me when someone tries to access my vault and make sure it's me for crying out loud.... you can even use touch ID!

This is a pay service... there are plenty of free services such as LastPass which use multi-factor authentication and thereby are more secure.... why not deliver the requests of your paying clients, especially when it improves the product?

Malware that records keystrokes can compromise any super-secret extra-secure master password.... so... get with the program maybe?

Ben

Hi Christopher,

I think you've missed one of the key points. 1Password is not a "service." We do not host your data. Your data is stored on your device encrypted. What happens when you type your Master Password is decryption, not authentication. Adding a second factor ('key') to decryption is very different than adding a second factor to authentication.

Also: "more" isn't always "better" (see the argument about 128bit vs 256bit encryption: https://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/

All this isn't to say that we definitely won't add two-factor decryption at some point, it is definitely something we're interested in and may implement, but if we're going to do it we're going to do it right and not rush it.

There is a lot of discussion about this here: https://discussions.agilebits.com/discussion/30185/using-security-key-for-2-step-verification

Thanks.