Two-factor authentication with 1Password Families?

dking
Community Member

I just migrated to 1Password Families and am trying to wrap my head around how this works when I'm on the road.

When traveling before migrating to a Families account, I relied on Dropbox's two-step verification to access the 1Password web interface. If I accessed 1Password via Dropbox at an internet cafe in Kathmandu where someone was logging keystrokes, that person couldn't access my Dropbox account after 60 seconds without the dynamic six-digit authenticator code.

The Families system seems to rely on the Account Key. So I have to have that code with me at all times when I can't access one of my approved devices?

Your "Understanding the Account Key" page (https://support.1password.com/understanding-account-key/) says the account key is "better than two-factor." But the key is static. So even if I bring my key to Kathmandu, which might be a hassle, if my keystrokes are logged at that internet cafe, both my password and key are logged.

Am I missing something?


1Password Version: 6.1
Extension Version: Not Provided
OS Version: OS X 10.11.4
Sync Type: Not Provided
Referrer: kb:dropbox-2fa, kb-search:verification, kb:pro-features-faq, kb:teams-families-migrate, kb:how-safe-is-cloud-sync

Comments

  • dking
    Community Member

    I was missing something: the QR code. Now I get it!

  • XIII
    Community Member

    I'm afraid I don't. Can you explain why the QR code adds security?

    (I thought this was just another representation of the static account key and perhaps the URL)

  • AGAlumB
    1Password Alumni

    This is a bit confusing, because it's easy to focus on the two-factor thing and lose sight of what we're actually trying to do, which is securely access data on an untrusted machine. And that's something that neither a TOTP nor Account Key can do for any of us; we're relying on the machine itself not being the enemy, and that's not a safe bet to make.

    When traveling before migrating to a Families account, I relied on Dropbox's two-step verification to access the 1Password web interface. If I accessed 1Password via Dropbox at an internet cafe in Kathmandu where someone was logging keystrokes, that person couldn't access my Dropbox account after 60 seconds without the dynamic six-digit authenticator code.

    @dking: In this case, someone with control of the computer you're using can simply log anything entered or accessed there, including your Master Password, Dropbox credentials, TOTP code, and the items you view in 1Password.

    The Families system seems to rely on the Account Key. So I have to have that code with me at all times when I can't access one of my approved devices?

    As I mentioned above, the problem you're trying to solve here isn't the real issue, since ultimately you want to protect the security of your data. So ultimately while we're considering the possibility of adding multi-factor authentication in the future, accessing sensitive data in an insecure environment simply isn't a good argument for doing so.

  • dking
    Community Member

    Is there a way that the person who controls an untrusted machine can access Dropbox after 60 seconds, when the authenticator code, which only I have access to, expires?

    Trying to figure out if there's a secure way to access a password on a computer that's not your own if in a remote place where there's no alternative.

  • @dking,

    Is there a way that the person who controls an untrusted machine can access Dropbox after 60 seconds, when the authenticator code, which only I have access to, expires?

    I'm sorry but I'm not sure I can answer that question. It may be better addressed to the Dropbox team.

    Trying to figure out if there's a secure way to access a password on a computer that's not your own if in a remote place where there's no alternative.

    There is not. If the computer is compromised or otherwise cannot be trusted then there will be a way for your credentials to be stolen regardless of any measures anyone tries to implement. Consider even if they are unable to access your Dropbox or 1Password account, they'll at least have access to whatever credentials you retrieved.

    Ben

  • dking
    Community Member

    Thanks for the reality check about using machines that you can't assume are trusted. I thought double authentication with time-limited codes + copy-pasting was pretty safe, but I guess not as much as I thought.

  • You're very welcome. No, if the machine is compromised or otherwise can't be trusted then the contents of your clipboard can be recorded, your screen can be recorded, etc. It just isn't a good idea to use someone else's computer to access your accounts.

    Ben

  • dszp
    Community Member

    To follow up on @dking's question about accessing a service that uses TOTP (like Dropbox) for authentication after the timeout of the token...it's possible (everything @bwoodruff said about huge risks from untrusted machines is true!) but less likely because an attack would need to take the TOTP into consideration and also likely perform the attack in near-real-time. But, this is generally what malware that would take advantage of an account protected with TOTP would do:

    1. Set itself up as a local proxy and send all requests to the protected site (we'll use dropbox.com as an example) through itself to the site and back.
    2. When you type in your TOTP code during login, pass the code to Dropbox in real-time and return the normal results back to you, but save the authentication results.
    3. Make additional requests behind-the-scenes (unknown to you) with the same authentication codes your browser is using now that it's identified as you to pull data from your Dropbox and send it to wherever it wants to. Possibly even send the authentication cookie information elsewhere so someone could spoof your active session from elsewhere (unless Dropbox is performing server-side session locking to your IP address, which is possible but only verifiable with testing).

    If the malware captured your 1Password master password (with keylogging most likely, either software or a hardware keylogger) along with exfiltrating your Dropbox data with your 1Password vault using the above methods, they'd have your vault and access to it. If you typed your Account Key into 1Password Families/Teams they'd have that with a keylogger as well, but the same with your TOTP code which would be usable during the current session. They could potentially also use your current session in Dropbox to add themselves as a trusted application (like your local Dropbox client does) for permanent access to your data unless you review the authenticated apps from your Dropbox account settings and remove them.

    This isn't something I've heard happening with Dropbox accounts "in the wild" but it's technologically possible. Also, it definitely HAS happened with banking trojans that have hijacked online banking sessions in exactly the way I mentioned above, including hijacking the two-factor authentication token, then intercepting the traffic and logging in itself with the token, secretly stealing money in real time but when displaying the account page back to the user, showing that everything is fine, making discovery take longer and giving the thieves longer to cover their tracks. No reason this couldn't be adapted to Dropbox and/or 1Password, but frankly I imagine the banking trojans are more profitable in the short-term.

    Some additional reading about SSL/TLS/HTTPS bypassing with trojans: http://www.csoonline.com/article/2364303/data-protection/new-banking-malware-spotted-with-phishing-attack.html

    A Kaspersky post recently talking about banking trojans using the above methods, though directly on Android phones with a banking app and SMS interceptor (to directly steal the TOTP code) to steal from bank accounts: https://business.kaspersky.com/how-the-banking-trojans-circumvent-two-factor-authentication/5291/

    Bruce Schneier was talking about two-factor bypass in 2009 (unsurprisingly, he's a smart cookie): https://www.schneier.com/blog/archives/2009/09/hacking_two-fac.html

    Here's info on the Dridex trojan that steals TOTP codes and uses them for fraud in real time with banks: http://www.zdnet.com/article/dridex-trojan-targets-uk-banksdridex-trojan-targets-uk-banks-avoids-2fa-checks/

    Conclusion (unchanged): You need a trusted computer running trusted software before you can trust anything on it. Even that just lowers your risk level significantly. Disconnect the system from network/power and encase it in concrete to reduce risk much further. Sadly, this also reduces usability below acceptable levels ;-)

  • AGAlumB
    1Password Alumni

    @dszp: Wow! Thanks for the exhaustive summary and links! As terrifying as these sorts of attacks are, it's also fascinating, and understanding the risks is crucial to our security. Ultimately what we put our trust in is an incredibly personal decision, but knowledge is similarly incredibly empowering. :)
