Why not use 2 factor authentication to secure my 1Password Vault?

I have been using 1Password for many years and am very happy with the program. My son raised an important question. Why is it not a security weakness that all of my passwords are secured with only 1 master passphrase? What if someone focuses their effort on hacking my 1Password Account? Have you considered 2 Factor Authentication for logging into 1Password? Or is there some other reason I need not worry about this?


1Password Version: 6.1
Extension Version: latest
OS Version: OSX
Sync Type: DropBox
Referrer: forum-search:passphrase


Comments

  • @mowheelerr -

    There is a very informative blog post about just this issue. I think you'll be reassured. Read it here: Two Factor or not Two Factor

  • Hello @mowheelerr,

    Please do let us know if you have questions after reading the post hawkmoth linked you to. Basically though we make the assumption that if somebody manages to obtain a copy of your vault they won't attempt to gain access via the actual 1Password application and instead will attempt to decrypt it using an application dedicated to the task. Such an attempt would completely bypass two factor authentication which can only be in the application. That's why two factor authentication is seen when you access a server and need to authenticate yourself as the real account holder.

    As I say, if you have questions please don't hesitate to ask :smile:

  • I have converted my vault from being synced on Apple's account to the 1Password account which syncs via the server. Would it not benefit to use 2 factor authentication now?

  • Jacob

    Team Member

    @stevensudbrink Great question. 1Password accounts have something better than two-factor authentication built in actually. :) It's called the Account Key. In the standalone version of 1Password, everything is protected by your Master Password and all the security wizardry in the app. But in an account, the Account Key is used to strengthen things even further. If you have a weak password, it's very unlikely someone will be able to access your data because the Account Key is a 128-bit string of characters that's generated locally when you set up your account. It never leaves your device, and we ask that you print it out to have a copy in case you need it later — you're probably not going to remember the whole thing. ;)

    Hope that helps! Learn more about the Account Key and let us know if you have any questions.

  • Actually that makes a lot of sense that the account key would be better than two factor authentication since it is made part of the encryption process. Whereas as I understand it, two factor authentication would only be used to try to prevent unauthorized access to the vault but would have no part in the encryption process of the vault.

  • Pilar

    Team Member

    Hi @stevensudbrink

    I'm glad to hear that Jacob's answer cleared things up for you! You got it right, the account key does everything 2FA does and much more on top!

    If you have any other questions or there's anything else that you'd like to know about 1Password please let us know, we're always here for you :chuffed:

  • Any plans to change this, or otherwise render the password and vault access useless, given the increasingly real possibility that people may be compelled to give passwords to immigration control when entering certain countries?

  • Drew_AG 1Password Alumni

    Hi @bUHAHnM4,

    I've moved this discussion to our "Lounge" as this topic is about 1Password and security in general, not specifically about the Mac version of the 1Password app. I hope you don't mind! :)

    Have you read Jacob's response in this discussion (above)? To summarize, 1Password.com accounts use an Account Key, which is a 128-bit string of random characters. Combined with your Master Password, your Account Key works similarly to two-factor authentication but is actually much more powerful. Please be sure to check out this support article for more information: About the Account Key

    I hope this helps to address your concerns - please let us know if you have any questions about that! :)

  • I store my vault locally, never transfer it over the public internet or store it in the cloud, and don't have a 1Password account.

    In that case I don't have an Account Key, correct? And if I give someone the Master password, they can open the vault?

    Basically what I want is for it to make it temporarily impossible for me (or anyone) to access my vault with just the password. That makes the prospect of being compelled to give up my password much less of a concern.

  • Ben AWS Team

    Team Member

    Hi @bUHAHnM4

    You are correct on both points.

    I'm not sure what you're suggesting is technically feasible. Your data is not stored with us, so we can't temporarily lock you out of it.

    Ben

  • 2FA by OTP would work for my purposes. If I don't have the second factor in my possession, I can't access (or grant access to someone who has a copy of the vault).

  • Ben AWS Team

    Team Member

    I understand, but there is no authentication happening when you unlock 1Password with your vault stored locally on your computer. You can't have two-factor authentication when you don't have authentication. What you're doing when you enter your Master Password is decrypting your encrypted data.

    Authentication vs. encryption in the 1Password security model

    Ben

  • Is it a bad idea to store the account key on 1P6? I'm currently doing that.

  • brenty

    Team Member

    @Shaguar: Not at all, since it's encrypted in your vault. Just keep in mind that this is a little like locking your keys in the car. If you don't have a spare somewhere else, you won't be able to open it to get that one either...except there's no locksmith that can get you into 1Password. So it would be better to save your Emergency Kit and store it in a safe, just in case. Cheers! :)

  • Just started a trial of 1Password (I've been a LastPass premium user for many years).

    I strongly believe that the arguments provided against the use of 2FA are seriously flawed to start with.

    First there's human nature and its flaws. The account key is long, and most humans won't be able to remember it. So you have it printed somewhere, or stored in another secure note app (which would use 2FA hopefully). Worse, seeing that you need it to just login, you need to have access to it often....

    Once that key is compromised, either because you've been required to provide it (and no, this isn't an unlikely scenario. Traveling to the US is all you need to do: they can, and will, require you to provide your passwords along with your social network credentials (e.g. Facebook)). This is happening more and more.

    A 2FA system such as Google Authenticator has the strong advantage that it's temporary and the 2FA base key can be disabled.
    It's far more usable and convenient.
    1Password doesn't let you change your secret key, once it's compromised, it's forever.

    I hope 1Password will reconsider.
    Having to use an app like LastPass to store the account key rather defeats the purpose of using 1Password in the first place.

    https://support.1password.com/secret-key-security/#your-secret-key-is-better-than-two-factor-authentication
    So no, the secret key isn't better than two factor authentication; they shouldn't even be compared: they have different purposes.

    It should be used WITH 2FA.

  • 1Password doesn't let you change your secret key, once it's compromised, it's forever.

    Actually you can, using the edit button in front of the Secret Key on your profile page on the web version.

  • Worse, seeing that you need it to just login, you need to have access to it often....

    Not really, once you've authorized the app it shouldn't need the account key again. You should only need the account key if you are accessing your vault on 1password.com via the browser or authorizing the app on a new computer/phone.

    Traveling to the US is all you need to do: they can, and will, require you to provide your passwords along with your social network credentials (e.g. Facebook)).

    If you are concerned with this, perhaps removing 1Password from your phone and/or laptop before you arrive at the airport is a good idea.

  • As a brand-new 1Password user I'm glad to see this being discussed, as I had my own question about 2FA. There's a particular scenario where 2FA could add a layer of protection:

    Say I use my personal 1Password account at work, since I need access to my passwords at work. Equally, I don't want my employer to have access to my passwords. If the employer logs my keystrokes, they'll have both my master password, and access to my vault (since my account key is stored on the machine). Technically the machine isn't compromised, and although it would be pretty unethical on their part, I imagine keylogging by an employer isn't actually illegal.

    With 2FA, on the other hand, access to the passwords is only available during the time I'm using the machine, since I control the Authenticator app on my personal phone.

    I could be wrong - and I imagine the solution is "get a separate account for work passwords" - but that's not a practical, real-world solution!

  • brenty

    Team Member

    @jyavenard: No one is arguing "against 2FA". That's actually impossible, as there are so many different implementations. But with that in mind, I will argue strongly against an undefined, generic "2FA" as being a panacea for security. The details matter.

    So while we can also argue over the definition of "two-factor", in my view, the authorized device itself, containing your Secret Key, becomes the second factor that is needed to authorize a new one. After all, you can choose not to save your Emergency Kit anywhere (though a safe deposit box isn't a bad idea), so that you literally need your authorized device to be able to sign in on a new one. How you manage your Secret Key is up to you though, so you have a lot of flexibility to do things the way you want.

    First there's the human nature and its flaws. The account key, is long, and most humans won't be able to remember it. So you have it printed somewhere, or stored in another secure note app (which would use 2FA hopefully). Worse, seeing that you need it to just login, you need to have access to it often....

    Or, you can keep it in a safe deposit box at your bank, or access it in 1Password on one of your authorized devices. It's no easier for someone to lose their Secret Key than it is to lose access to whatever they're using for traditional 2FA such as TOTP.

    Once that key is compromised,

    Just stop there. Change it. A new one can be generated in your Profile page on 1Password.com if you know or suspect that it has been compromised. You can also reauthorize devices there.

    2FA system such as Google authenticator has the strong advantage being that it's temporary and the 2FA base key can be disabled.

    Agreed. But this is a simple login. Here 2FA isn't securing your data, only access to it. That's a big difference.

    I think the most crucial thing is that traditional two-factor is meant to keep you out of an account, not protect the data itself. 1Password is built on encryption not authentication, because we're less concerned about someone gaining access to the encrypted database than we are ensuring it cannot be decrypted without the keys to it: your Secret Key and Master Password. @jpgoldberg had a great blog post on the subject just last week:

    1Password is #LayerUp-ed with modern authentication

    Suffice to say, we realize that 1Password.com is a very attractive target, so we've built 1Password's security from the start so that it doesn't depend on the channel it's sent over or on it never being captured; because of the Secret Key, your data is secure even if it falls into the wrong hands. And since your Master Password is also used to encrypt the data (not just let you login), it cannot be decrypted without both.

    It's far more usable and convenient.

    I disagree. I think a case can be made for either one, depending on the scenario. It's possible to lose either one, impossible to memorize the secret and calculate a TOTP code in your brain, and unreasonable for nearly anyone to memorize their Secret Key (though I'm sure someone will do so).

    1Password doesn't let you change your secret key, once it's compromised, it's forever.

    That's not true, as I mentioned above. I'm not sure where you got that idea.

    so no, secret key isn't better than two factor authentication, they shouldn't even be compared: they have different purpose.

    It really depends on how you look at it, and what you mean by "two factor authentication" since that's pretty broad. But when it comes to decrypting 1Password.com data, I think we can all agree that the Secret Key adds a layer of security, since your Master Password alone is insufficient. If you don't believe me, just try to get in without it. ;)

    it should be used WITH 2FA.

    It's something we can consider for the future, but again, your idea of "2FA" is just as easily lost and can often be circumvented (e.g. "recovery codes" and escape hatches for those who lose access to it). The details really, really matter.
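Ben's distinction earlier in the thread (unlocking a local vault is decryption, not authentication) and brenty's point that the Master Password alone is insufficient for 1Password.com data both come down to how two secrets are combined into one encryption key. The following is an added illustration of that idea written for this page, not 1Password's own 2SKD code; the PBKDF2/HKDF mix, iteration count, salt handling and key-check construction are assumptions. It derives a vault key from a master password plus a locally generated 128-bit secret key and shows that neither secret alone passes the key check:

```python
import hashlib
import hmac


def hkdf_expand_sha256(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256, standard library only."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes,
                     iterations: int = 20_000) -> bytes:
    """Mix two secrets into one 256-bit vault key (simplified, assumed scheme).

    The master password goes through a slow hash so that guessing it is
    expensive; the 128-bit secret key is stretched with HKDF. XOR-ing the two
    halves means neither secret on its own reveals anything about the result.
    Real deployments use far more PBKDF2 iterations than this demo.
    """
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, iterations, dklen=32)
    prk = hmac.new(salt, secret_key, hashlib.sha256).digest()  # HKDF-Extract
    sk_part = hkdf_expand_sha256(prk, b"vault-key", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def key_check_value(vault_key: bytes) -> bytes:
    """Value stored beside the encrypted vault to confirm the right key was derived."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()


def can_unlock(master_password: str, secret_key: bytes, salt: bytes,
               stored_kcv: bytes) -> bool:
    """Local unlock is a key-derivation check, not a login: no server is involved."""
    candidate = key_check_value(derive_vault_key(master_password, secret_key, salt))
    return hmac.compare_digest(candidate, stored_kcv)


# Constructed sample values: a deliberately weak master password plus a fixed
# 16-byte "secret key" and salt so that the run is deterministic.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SECRET_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
MASTER_PASSWORD = "password1"


def demo() -> dict:
    """Which combinations of the two secrets unlock the sample vault."""
    kcv = key_check_value(derive_vault_key(MASTER_PASSWORD, SECRET_KEY, SALT))
    wrong_secret = bytes(16)
    return {
        "both_correct": can_unlock(MASTER_PASSWORD, SECRET_KEY, SALT, kcv),
        "password_only": can_unlock(MASTER_PASSWORD, wrong_secret, SALT, kcv),
        "secret_key_only": can_unlock("letmein", SECRET_KEY, SALT, kcv),
    }


if __name__ == "__main__":
    print(demo())
```

Because the secret key never leaves the device, a captured copy of the encrypted vault plus a guessed master password is still not enough to pass the check.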

  • brenty

    Team Member

    Traveling to the US is all you need to do: they can, and will, require you to provide your passwords along with your social network credentials (e.g. Facebook)).

    If you are concerned with this, perhaps removing 1Password from your phone and/or laptop before you arrive at the airport is a good idea.

    @jyavenard, @kevlar: This is what I do. Hasn't mattered yet, but I'd rather not take any chances. And it wasn't nearly as much of an inconvenience as I thought it would be.

  • brenty

    Team Member

    As a brand-new 1Password user I'm glad to see this being discussed, as I had my own question about 2FA. There's a particular scenario where 2FA could add a layer of protection:
    Say I use my personal 1Password account at work, since I need access to my passwords at work. Equally, I don't want my employer to have access to my passwords. If the employer logs my keystrokes, they'll have both my master password, and access to my vault (since my account key is stored on the machine). Technically the machine isn't compromised, and although it would be pretty unethical on their part, I imagine keylogging by an employer isn't actually illegal.

    @taras: Great point! Indeed, if you're using their machine on their network, I don't think there's anything stopping them.

    With 2FA, on the other hand, access to the passwords is only available during the time I'm using the machine, since I control the Authenticator app on my personal phone.

    This probably isn't true and we shouldn't assume that it is. If someone else controls your machine, we shouldn't hope that they won't be malicious or negligent (opening a hole for someone else, even inadvertently). If they can capture your credentials, they can probably just as easily perform a person-in-the-middle attack to pose as you and use your 2FA as well. I guess that's assuming TOTP, though. If the 2FA you're using is a push notification on your phone, well...if you're on their network they may be able to intercept that as well. Better safe than sorry.

    That sounds pretty dire, but the good news is that if you access 1Password only on your phone, even on their network, 1Password encrypts everything in both directions, so the only thing that could be captured there is useless to them: encrypted data. And since the keys to it (your Master Password and Secret Key) are never transmitted, they won't have a way to get those either.

    I could be wrong - and I imagine the solution is "get a separate account for work passwords" - but that's not a practical, real-world solution!

    It really is, and while you can take this into your own hands, you shouldn't have to. Shoot us an email at [email protected] — even better if you can get a company representative to do so (if you aren't one yourself). If there's anything we can do to help you folks start using 1Password Teams to not only separate your personal and work data, but also easily share important information securely among colleagues, let us know!

    For a real-world example, I keep all of my personal and business data separate. This used to mean separate vaults, but that was a real-world pain to set up each one on every device where I needed it. So now I pay for my 1Password Families account, where I keep my personal data, and also use a 1Password Teams account (which I definitely don't pay for) for my work stuff. After all, if I'm expected to maintain work-related stuff (which I wouldn't need/use otherwise), I shouldn't have to pay for that out of my own pocket! ;)

  • 2SA was one of the reasons why I held out from getting 1Password for Families. After much research, the Secret Key is better security IMO. I've posted a few links in this forum of a few issues. I admit using the Authentication app for 2SA is far better and safer than SMS, but those numbers you get are not an encryption key.

  • brenty

    Team Member

    Indeed, good traditional 2FA can be useful, but it only prevents access to an account and its data, which is encrypted anyway. It may be something we can add in the future, but it's important that we built 1Password from the ground up so that your data — and ours — is secure even if it falls into the wrong hands.

  • @brenty I think in my opinion...
    This isn't an easy task I think. With 1Password for Families, everything is now under AgileBits. No more 3rd parties needed anymore for syncing, much easier setup, and very user friendly.

    How can you keep all of this and keep it under one umbrella? If you guys make 2SA and need another app like google authenticator, it won't be as user friendly, and back to relying on a 3rd party app, again in my opinion. I think we all can agree SMS is out of the question for this.

    Just stuff I was thinking while up since 2AM haha

  • brenty

    Team Member

    haha Yeah I hear you. Personally, I'd love to see us do something like Apple's two-factor (pushed to devices). If we end up going that route (or doing something similar), it would take a lot of time and effort across all platforms and on the server side, so that's just a bit of a pipe dream of my own for now. :)

  • Hi @brenty,

    I am considering using 1Password and came to this post to resolve my biggest concern. I kinda second @taras that:
    A two-factor system can prevent key loggers (possibly from a virus or trojan) or just looking over your shoulder, which is likely to happen.
    An RSA token like this: https://play.google.com/store/apps/details?id=com.rsa.securidapp&hl=en will solve the problem. Even if the master password is compromised, as long as this token is not compromised, other passwords are still not compromised.
    I am just nervous if someone gets my master password in those stupid ways, he can use the webapp to reveal all my passwords.
    Please let me know if I am missing something. Thanks!

    Mike

  • prime
    edited June 2017

    @zxhmike 2 factor isn't an encryption key, and the Secret Key is one. Personally, I want an encryption key protecting my data along with my master password. Both the Secret Key and your master password can be changed.

    Everyone has posted their opinions, and many posts on this. 2SA was a reason why I held out too, but doing research, the secret key is the way to go. Every time you log onto a public computer, just change the secret key when you're done. Personally, I would never go on a public computer.

    People also rely on 2SA way too much IMO. Don't get me wrong, it's great, but people think it's 100% safe. LastPass uses 2SA and that wasn't 100% safe either. You can see visually that the secret key is there, 40 characters and all, and nothing like your master password.

  • @prime: I have to ask. What does the acronym 2SA stand for? I've seen you use it several times. I believe everybody else uses the acronym 2FA which stands for two-factor authentication. Just wondering. :)

  • brenty

    Team Member

    @pervel: Ah, good question: Two-Step Authentication. I think that, while it really depends on the implementation, typically the distinction from Two-Factor Authentication is that 2SA uses a second step, after username/password are accepted (often SMS), to complete the login process; whereas 2FA generally implies that a secondary device/dongle/etc. is needed in conjunction with the username/password to authenticate. The confusing thing is that many sites present both as a second "step" in the login process, when they're treated differently otherwise.

    A good example of this is Apple's login mechanisms. Their 2SA sends you a code after you've logged in, which you have to enter to confirm that it's you — and this can be anything capable of receiving text messages; while their 2FA requires a pre-authorized iOS or macOS device which receives a push notification where you have to confirm the login attempt. I'm probably not explaining this well, but hopefully that helps illustrate where they might be different...though some companies use these terms interchangeably. :unamused:

  • Thanks @brenty
    @zxhmike, @brenty posted on the page some info about your question. You can ask him more about this, and he answers in a way for everyone to understand. I hope my answer helped with this.
