Account Key and Two-Factor Authentication

prime

@brenty I need to stop posting when I'm doing 3 things at once :D

I'll look at the link later, thanks!

rickfillion

Ping us with more questions at your convenience. We're here to help. :)

Rick

prime

@brenty thanks for the link, but...

I didn't have issues signing into the account with the app on my iPad. The issue was signing into 1Password.com with my credentials on my iPad. I typed everything in from my iPhone to my iPad. This is where it would be great a copy and paste from the 1Password app on the iPad and iPhone so I can sign into safari.

AGAlumB

@prime: Ah, I understand. Yeah, it would be a lot easier on the desktop. You can, however, use the 1Password iOS extension in Safari, not to fill the Account Key, but at least to facilitate copy and paste.

I'm curious, I don't use the 1Password.com web interface on mobile devices often, and perhaps we have room to improve there since it's designed for the desktop. Can you tell me more about how you're using it? Is it just for admin tasks?

stevemc

After reviewing the entire discussion I see nothing that dissuades me from wanting 2FA. Please implement. This is a key factor in my decision to proceed with Agilebits family service after my 6 month trial.

@rickfillion, Ideally I'd like to see 2FA as either something like GoogleAuthenticator or even better SMS-based (at least give users the option of SMS). For my use cases, I see no security concerns with getting sms to my phone to enable me to access a password on a friend or co-workers device. I would like to be able to have the choice to trust that device or not. If trusted, I want to only use master password method on that device from then on. I of course would want option to "log out" any one device or all devices from the web admin. I DO NOT want to use the Authentication Key solution - if that was the choice I may as well just view the a randomly generated password on my phone and type it in on the other device. But the pain of this solution is exactly why I'm looking at a web service-based solution.

rickfillion

Thanks for explaining what you'd like to see @stevemc. Can you elaborate on which scenarios you'd like to be prompted to for 2FA? What happens if you're offline?

Thanks

Rick

stevemc

My preference would be 2FA any time I have not indicated to "trust this device" but any time I go thru the 2FA process I'd like to be able to mark the device as trusted and thus no longer be prompted. I don't really see a need in my case for having an expiration on the trust (since I would only do this on personal devices that are protected by other means). If I'm offline and I have not trusted the device, then I'm simply out of luck - no passwords. But if I was offline and I had already trusted the device, then password auth should be available (though I'm not sure I see any value in an offline mode since I don't have any apps that function in offline mode that require passwords.

Hope that clarifies.

john_m

Thanks for the extra detail @stevemc :chuffed:

My preference would be 2FA any time I have not indicated to "trust this device" but any time I go thru the 2FA process I'd like to be able to mark the device as trusted and thus no longer be prompted. I don't really see a need in my case for having an expiration on the trust (since I would only do this on personal devices that are protected by other means).

That is essentially how the Account Key behaves today. When you attempt to access your account from an untrusted device, you are required to provide both your master password, and your Account Key. If you successfully manage to decrypt your data with the details you provide, your Account Key is securely cached on that device as part of establishing a trust relationship. This means that the next time you want to decrypt your data on that device, you do not need to provide the Account Key again. The device will also appear on the "My Profile" page for your account, and you can deauthorise a device from there.

If I'm offline and I have not trusted the device, then I'm simply out of luck - no passwords. But if I was offline and I had already trusted the device, then password auth should be available (though I'm not sure I see any value in an offline mode since I don't have any apps that function in offline mode that require passwords.

And that too is how 1Password works today! When you have successfully decrypted your data via one of the 1Password apps, an encrypted offline copy is kept up-to-date while the device is online. When the device is offline, as long as your previously established trust relationship is intact (correct Account Key is still cached), you can decrypt the offline copy of your data using your master password.

Cheers,

John

prime

@brenty I tried that and nothing. The usethe extension, wouldn't I need to have the account key in 1Password as a log-in?

I'm able to copy and paste the account key on the Mac version to make this easier, it would be great to do the iOS version as well.

john_m

@prime @brenty is busy in meetings today, so I thought I'd jump in here rather than keep you waiting :chuffed:

I have an iPad Air here myself, and just tested signing into my own subscription account from inside Safari; it worked (was able to sign in fine and see my dashboard), but I can indeed see how typing the Account Key in that first time is a touch tedious. I used slide-over so I could quickly bring up 1Password, and used the "Reveal Account Key" option under my account details inside the app to display the full Account Key while I was typing it in. One thing to note - the Account Key is case sensitive, and the dashes are required, so it must be entered exactly as it is specified.

And yes, what @brenty was referring to would be having a record of your account's sign-in details stored in your 1Password account; it doesn't necessarily have to a a Login item, you could store them in a Secure Note as well, for example. That way, you'd be able to securely access the item from inside the 1Password app on your iOS device, and copy your Account Key to the clipboard from there for pasting into Safari if necessary. You can use the "Clear Clipboard" option in Settings to clear your clipboard after 45 seconds as well, if you'd like to improve your security while using the clipboard with 1Password on your iOS device.

Hope that helps!

sjk

I think it would also work to save the Account Key in a custom field (with optional password type) and be able to copy it from there.

prime

@john_m and @sjk I did a secured note and it works. I just figured since I can copy/paste from the Mac version, I could do the same with iOS without having to add it.

stevemc

@john_m, Understood about Account Key but as I said, I do not like the Account Key solution. It is too cumbersome to type in on a device which makes it prohibitively tedious to use on friends or co-workers devices.

cruise2001

Full disclosure: I did not read entire thread.

I programmed my account key into my Yubikey.

But, I also prefer additional 2FA.

prime

@brenty 2SA isn't useless, you're right. I was at my parents the other day and I needed to get on 3 sites from my moms computer. So I figured what the heck, log into 1Password.com and do it the easy way, but it wasn't. This is where 2SA would be awesome. I had to put in between 65-75 characters in for 2 passwords, my master password and the account key. That is not an easy task when you have teenagers yelling in the other room.

This is where 2SA would shine. It's so much easier to type in my master password and a 6 digit code would have saved me so much time and aggravation. I think my younger nephew learned a new swear word or 2 ;) I think the 40 digit account key is wonderful protection, but sucks for speed and typing in a noisy area. So this is not about extra protection at this point, it's about speed and time.

If would be so cool and awesome to type in my master password, open the 1Password app on my iPhone and have a section to get the 1 time passcode (or 2SA). Time is everything, the quicker, the better, and saving customers time and aggravation.

XIII

I had a similar situation yesterday. My 1Password password is more "complicated" (to type) than the Account Key, but it's muscle memory (since I type it multiple times a day). Several login attempts failed; all due to typos in the Account Key (which I hardly ever have to type). A 6 digit 2FA code (or even better: Duo Security integration; approving the login attempt on my iPhone) would have been a much better experience.

prime

@sjk @john_m @brenty
This is what I'm talking about here is a review and on the chart for 1Password for 2SA "no". People don't see "account key" in this review at all. I've said this before, if people don't see this (and don't know what an account key is, and don't feel their data is safe), you lost them.

The account key is awesome, but it's such a pain to type in on another computer to log in. I really believe 2SA would be a great addition for this, and keep the account key too, since if you do have 2SA, you'll need a recover key.

http://www.tomsguide.com/us/best-password-managers,review-3785.html

AGAlumB

@stevemc: As mentioned previously in the discussion, SMS is insecure and therefore pretty much off the table. we have people who work here whose job it is to make sure that "security theater" like that isn't allowed to happen. ;)

Also of note, we discussed earlier how, in most cases, you won't need to enter it manually. And in most cases having to manually enter it is a sign that you probably shouldn't — for example on an untrusted computer (though Prime offered a good counterexample). :)

AGAlumB

@prime: If we can find a way to get that to work securely, that would indeed be awesome! The difficulty lies in the fact that the Account Key is needed to decrypt your data. This is only done locally on the device, so if you aren't able to provide it (along with your Master Password) and it isn't saved locally in the client you're using, it just won't be possible for you to access your data. But man would that be sweet! :)

AGAlumB

@cruise2001: That's a really handy way of using both the Account Key and YubiKey in conjunction. So long as you have your Emergency Kit somewhere (incase the YubiKey is lost, stolen, or otherwise rendered unusable) it sounds like you have a solution that works for you. :)

AGAlumB

@XIII: I hear you. Typing the Account Key is rough, so I avoid doing it whenever possible. While it's still a bit techy, I'm personally enjoying using Duo with my 1Password Teams pro account. Hopefully we can offer that or something similar for other plans in the future. :)

stevemc

@brently, ok, then I may as well cancel my trial for the service now and look elsewhere. Seems google and many other companies do not have issues with sending codes via SMS. I assumed because the SMS goes to another device thru separate communication channel that someone would have to know a lot about you to be able to intercept the code and then use it to log into the account. And if the code is only valid on the device the code was sent for, then I don't really understand the nature of the security flaw you are suggesting. But I guess in the end I'm not going to try to convince you otherwise - seems from reading this thread you are already sure you are right and no one can convince you otherwise.

AGAlumB

Fortunately there has been a lot of research done in this area, so you don't have to take my word for it. SMS goes through the cell networks, which are not using the strongest encryption (and are using broken encryption, in many cases — you have no way of determining which will be used), but more importantly can fall prey to person-in-the-middle attacks (which a lot of "security" software inflicts on the user) since the codes must be transmitted. Since the Account Key is never transmitted, it isn't susceptible to these attacks and would require direct access to your machine to acquire.

prime

@stevemc, @brenty is correct. SMS is horrible for this. I actually posted a video on here how a person got their SIM card cloned by an attaker and their YouTube was hacked into. So not just the encryption issue of SMS, but the cloning and hijacking part too. I bet most people don't have an extra PIN with their cell phone carrier. The idea of this PIN is that a person can't have any changes to their cell phone account at all unless they know this PIN.

jxpx777

This issue with cloning (among other things that have been mentioned in this thread and some that haven't) is why SMS is no longer recommended by NIST.

In a lot of ways, this is similar to the difference between sending a secret for verification (how most web services operate) and the SRP approach that 1Password uses. Just like it's better for your security for us not to send your secrets (or any attackable version of the secrets such as a hash) to our servers, it's better for multi-factor authentication to use a scheme built on a shared secret that can be independently computed and verified than to send the actual secret code over any network.

With SMS, the actual secret code needed to complete the multi-factor authentication challenge is sent in plaintext over networks that you don't have control over. There are also a ton of other important considerations for out of band things such as making sure the number is attached to a physical device before sending that I know for a fact many are not doing because I have several services pointed to my Google Voice number for this. (I understand the risk here, but I have 2FA on my Google account and these are services that I don't want to have my real cell phone number.)

For a lot of companies, SMS is "good enough" just like sending your password to their server and then hashing it is good enough. Perhaps for some services, it is good enough. (The lingo for this is threat modeling.) Maybe you're OK with using SMS for two-factor for your purchases on Etsy. But, since we've taken on the sobering responsibility of storing our users' most important information, we won't settle for good enough.

--
Jamie Phelps
Code Wrangler @ AgileBits
Fort Worth, Texas

jpgoldberg

I would like to make clear that 2FA is not an alternative to the Account Key Secret Key. The Secret Key is needed to protect you against server compromise or capture of the SRP verifier. Because 2FA would offer no such protection, we would still need our two-secret key derivation (2SKD), which is designed to keep your data undecryptable by anyone other than you (or who you share your data with).

Some of the remarks I've seen in this discussion talk about how most 2FA systems have usability advantages over the Secret Key. That may well be true, but 2FA could never offer the security properties we are using 2SKD for. So if we extend the use of 2FA for 1Password authentication, it would not replace 2SKD; it would be in addition to it.

prime

This who account key is growing on me. I like 2FA for speed and logging in quickly, but it's not like I'll do that very often. I did it once and probably never do it again.

Jacob

That's great to hear! :) I love the Account Key. 2FA is nice for certain things, indeed.

lengotengo

Signed up just to say:

+1 here for optional Duo Security (or Transakt or whatever tool you choose with login approvals) and mandatory secret key, with optional "remember browser" checkbox.

Cheers!

XIII

If 2FA does not increase 1Password.com security, why is AgileBits offering Duo Mobile to teams anyway?

Just wondering why it is available for Teams, but not for Families. Which requirements do differ between these kinds of customers?