Do you store your 2FA recovery codes in 1Password or Physically or not at all?

I saw previous discussions requesting a feature to save recovery codes (given when setting up 2FA) in special fields in 1Pwd instead of saving them into a note but why would you need those if 1Pwd already has the OTP?

It could make sense to keep a physical copy but is that even necessary? I think it's really unlikely I'll lose access to 1Pwd. Obviously if you lost your phone with the authenticator app on it then you would need the recovery codes but 1Pwd is accessible from any device...


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:2FA Recovery code

Comments

  • I store all my recovery codes in 1Password. When I use to use Dropbox to sync, I also wrote that down too, but that was the only one I did that for. My handwriting is bad, so having them in 1Password is great lol.

    I think this is a great discussion for the lounge section :)

  • @prime Thanks for making me aware of lounge!

    But I don't understand why you would store your recovery codes IF you're using 1PWD for receiving ur authentication codes?

  • primeprime
    edited March 2017

    @JBallin I was ready for worst case. My wife and I use to the same Dropbox for syncing, so we both had the password and the authenticatior in each other's 1Password. I always like to be ready in case anything bad happened. Like we talked about in that other thread, a break in. Someone takes all my iPads, macs, and iPhones (that is with me when I'm out, but you never know, I have forgotten it a few times), I would be 100% screwed.

    I guess that's 1 good thing about anxiety, you prepare for worse case lol.

    And no problem about the lounge!

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    I agree this is more of a Lounge topic. I've moved it there. I'll tell you about the brilliant scheme I came up with and then tell you why you shouldn't implement it yourself. :chuffed:

    I thought about the structure of my 1Password data and realized I can always locate an item by UUID. These are basically anonymous and can't easily be linked back to any of my 1Password data, especially after switching to OPVault format where the overviews are encrypted.

    So, I decided to make a directory of plain text files. The directory name was innocuous and each text file had only the recovery codes for its content. For the file name, I simply used the item's UUID. (1Password > Preferences > Advanced to enable the item for copying the UUID.)

    I'll pause now to give you a chance to see if you can pinpoint where/when this went wrong…

    When 1Password Teams and Families came on the scene, I jumped in of course. I gleefully moved all my items to their appropriate accounts, then moved some of them into new vaults for sharing. I now have a beautifully organized system of accounts and vaults. And every item I moved now has a totally new UUID. So my connection between that clever system of plain text files was now totally useless. :blush:

    If I were to suggest a scheme for storing these backup codes I would say possibly a vault you share with someone you trust at an extremely high level (a spouse, close friend or sibling, that kind of thing, maybe a lawyer?) You're storing only the backup codes here so they won't have your password. Now you'd have to have two or more people lose access to their 1Password data on all their devices in order to have these codes go poof. But keep in mind that the more people that have this information would increase your risk of exposure so balance is crucial.

    The other thing you could do is store the codes on a flash drive that you store in a very safe location such as a safe deposit box. You can encrypt this but it has to be with a password you memorize or can otherwise store somewhere but… yes, you can see where this is going. The other thing to keep in mind for something like this is the challenge of keeping it updated and validated. You'd need to periodically fetch the drive from the safe, update it with your backup codes. Verify the disk is still in good shape and all the files are readable. And then put it back in the secure location.

    This is a fun topic. Thanks for starting the thread, @JBallin!

  • JBallinJBallin
    edited March 2017

    @jxpx777 Appreciate the ideas but I actually didn't pose the question clearly enough, here's another shot (let me know if I should start separate posts for these): Why would you store 2FA recovery codes in 1PWD if you use 1PWD for OTP?

    If you lose access to 1PWD then you won't have either and as long as you have access you won't need the recovery codes.

    Another question: Is it worth storing recovery codes somewhere physical in case you lose access to 1PWD? In this case you wouldn't have access to your password but you would have recovery codes. The only reason I can see why storing recovery codes would matter is if you ALSO lost access to your phone (which would happen if you lost all your devices). Normally they recommend storing your recovery codes because if you lost your phone you would lose the authenticator app and access to SMS but in this case we'd need to both lose access AND to our phones - mind you some services even let you reset over email...

    In summary: Why do I need to bother storing recovery codes at all if I use 1PWD for OTP?

  • @JBallin Apple had the 1st version of 2SA a few years ago. It came out I think right after the iCloud celebrity photo leaks. Reading a few articles where you can be locked out forever you should always have the recovery key. We have a password manager where we can store all this info, so why not use that too?

    Apples newer 2 factor authentication doesn't have a recovery key, and you have a chance of getting your info back (the process is very long).

    So to the answer to your question:

    Why do I need to bother storing recovery codes at all if I use 1PWD for OTP?

    Why take the chance of belong locked out of an account forever and the risk of losing all of your data?

  • JBallinJBallin
    edited April 2017

    That article was interesting, I didn't realize that you could be locked out of your accounts unless you have your recovery codes!

    At the very least I SHOULD store my recovery codes in 1PWD but I think storing them physically may be even better (but that means I couldn't retrieve if abroad).

    Here's another idea, what if I opened a Dropbox account where I hid my recovery codes within some kind of innocent looking documents and had it password protected with something I'll remember and no two step verification? This way I can access them from any comp (if I lose all devices) but the risk is that somebody could break into that account easily and get those codes.

    Another similar option to be to have my 1PWD account code in that Dropbox but that would be really bad if somebody used that to get into 1PWD as opposed to having the recovery codes which wouldn't really give a hacker much help unless they cracked my uncrackable 1PWD generated passwords.

  • Latest Idea: Two hard copies of all recovery codes, 1 at home and 1 at parents. All recovery codes also in 1PWD.

    When possible I'll have a parent as a backup phone for 2 step.

    Thoughts?

  • Might be a little overkill lol. With me not needing Dropbox anymore, I don't have a need to have any written back ups. I have a total of 3 devices synced and my wife and I share the important passwords also.

  • brentybrenty

    Team Member
    edited April 2017

    @prime, @JBallin: Great discussion! I'll take a crack at giving some answers to the main questions here, but the reason this is such a difficult topic is that there are so many variables. Different accounts use "recovery codes" very differently, and we each have different constraints (for lack of a better term) depending on our situation, so there isn't a one-size-fits-all solution.

    Why would you store 2FA recovery codes in 1PWD if you use 1PWD for OTP?

    For me personally, the answer is two-fold: Why not? I don't have anywhere more secure to store it.

    Is it worth storing recovery codes somewhere physical in case you lose access to 1PWD?

    I'd say yes, provided you have somewhere suitable and have a need to do this. I don't personally because I have everything I need in 1Password.com, and I have my Emergency Kit stored physically in a secure location. But depending on your setup, you may have a reason for doing things differently.

    Why do I need to bother storing recovery codes at all if I use 1PWD for OTP?

    This is my favourite question, because it allows me to bring up something that hasn't been mentioned yet: failure. This could be with hardware, software, network, or the account you're trying to login to. There are a lot of ways TOTP can fail. They're edge cases, but that really doesn't matter when you just need to login.

    For example, periodically we'll have customers reach out to us because their TOTP codes aren't working. This most often happens because of a problem with the date/time on a particular device. If it doesn't match what the server expects (which is also time-based, of course), it will be rejected. There's some buffer there, but with enough drift on either end (or both), it simply won't work. That's one case where a recovery code can help.

    Additionally, I've personally run into a case where a site's authentication was broken for a time, so any one-time password would return an error. The recovery code worked though.

    Finally, some accounts have these for temporary offline use, when it isn't possible to authenticate directly with the server. For me the takeaway is that there's a lot that can go wrong, so if a site gives me a code or offers other means of recovery, I take it and store it in 1Password because I never know when I might need it. Better safe than sorry.

  • Thank you!!!

  • edited April 2017

    Please correct me if I'm wrong, but I think what @JBalin is pointing out is, that placing the emergency codes in 1Password is either of no use or defeats 2FA.

    The point of the emergency codes is to give access to a site when you lose the password, the authenticator app, or the phone. If you place your emergency codes (or the secret OTP seed if you stored that) in 1Password, then

    • if the emergency codes are solely on 1Password and you don't sync 1Password out of your phone, then the codes are useless. Because, when you lose your 1Password, that's when you need the emergency codes.
    • regardless of whether you sync your 1Password database out of your phone or not, if your 1Password database is compromised, then your 2FA accounts are compromised. Your 2FA needs your password and your timed OTP -- these are the two factors we need to gain access to a site. If both factors are tied together, neatly placed together so that having one entails having the other, then this begs the question why we need them both. Remember that 2FA's sole raison d'être is to make knowing a password not enough to gain access. You place them together, and it's exactly as if gaining access to your password is enough to gain access to your site. It is then simpler to cancel 2FA and rely on the password alone.

    If you place your passwords as well as your 2FA keys under one master password, you have a single factor authentication, not a two-factor authentication.

    In this regard, I wonder if storing 2FA info (OTP, emergency codes) on a separate vault might make sense.

    Except, as far as I understand, that is not possible in 1Password, since 1Password stores in its primary vault the passphrases that lock other vaults. This means that if Eve can log into your primary vault, she immediately gains access to your other vaults. That's of no use for separating keys, where you want the keys (password, OTP, emergency codes) to be entirely separated and independently locked, so that logging into a 2FA site requires the 2 factors, yet 1 factor compromised does not compromise the other.

  • JBallinJBallin
    edited April 2017

    Final Decision

    1. Won't lose access 1PWD

    • Storing Account Key physically (home & parents)
    • Confident I'll remember master pass
    • Confident nobody will breach 1PWD

    2. 2FA protection

    • Given above assumption, I'm still further protected with 2FA than without because it prevents cracking or any other forms of interception of my master pass
  • Is it me, or has my post vanished from this thread?

    Anyway, I think that the point of 2FA is not just 2 things to know in order to log in. It's 2 distinct factors, in that one is something you know, and the other is something you have. If the goal was protecting your login with two secrets, you'd be required to provide 2 passwords. But that's not what's done. The idea of 2FA is that you need to know a secret, and you need to have a device. If you turn that have into a know, you take a hit on the security 2FA provides.

    On a related note, have you heard of stateless password managers? There are quite a few of them out there now. The idea of the app here is having no database, and having no need to be online to sync, and yet solving the passwords problem. It secures its passwords, like 1Password, via a master password. It does not store this master passphrase, but of course you must remember it or else lose all your passwords. It then provides you with strong passwords that are generated out of your master password, and some salt, like a url, a name, a counter, etc.

    When you lose your stateless password manager, or your phone, simply re-installing it on a friend's machine and logging in with your master password will reveal to you all your passwords. Log out, and it's as if you never logged in.

    So what's the catch? I personally am thrilled by this. But I find that one issue might be that there is only a know with stateless password managers, and there is no have. Yes, the master password ought to be strong, but in the case of 1Password, one may argue that it is not enough to know your master password; it is also necessary to have the passwords database. But then, one may argue that the database is not a secret, since it may be passed around on the wire with the assumption that it is safe when it's encrypted. But that's now diverting to an entirely different discussion.

    I'm just trying to drive home the point of the importance of entirely separating the two factors. That when two things are close enough together, they're not very much two things anymore.

    And finally, that, I think, "but it's still of value" is not a very good argument... My password "123" is still of value, right? Because it's better than no password at all. Not really.. When I do passwords, I want to do them right. And when I do 2FA, I want to do it right.

    But I do feel the pain we all feel in the struggle between security and convenience. I am certain though there's a way to eat this cake and have it too.

  • JBallinJBallin
    edited April 2017

    But I do feel the pain we all feel in the struggle between security and convenience.

    That's the key issue for me. Agree it's not perfect but I think my security is "good enough".

    PS: Your comment did disappear, you possibly deleted it on accident?

  • brentybrenty

    Team Member

    Is it me, or has my post vanished from this thread?

    @wilhelmtell: If you're referring to this comment, I suspect it may have gotten stuck in the spam queue temporarily, as @JBallin indicated he wasn't seeing it either, but it was here when I logged in just now. Sorry for any confusion or inconvenience that might have caused!

    Please correct me if I'm wrong, but I think what @JBalin is pointing out is, that placing the emergency codes in 1Password is either of no use or defeats 2FA.

    It really depends on the case. There are many "2FA" implementations, but with regard to TOTP (which 1Password supports) the primary benefit is that it's time-based. That's the thing that makes the second factor valuable in this case, since it isn't static. I mean, I guess you could gain some benefit from segregating this from your other 1Password data, but at the same time you'd be giving up the security of having the TOTP secret encrypted in your vault. It's a tough call, so I think it's really a matter of personal choice.

    The point of the emergency codes is to give access to a site when you lose the password, the authenticator app, or the phone. If you place your emergency codes (or the secret OTP seed if you stored that) in 1Password, then

    In this regard, I wonder if storing 2FA info (OTP, emergency codes) on a separate vault might make sense. Except, as far as I understand, that is not possible in 1Password, since 1Password stores in its primary vault the passphrases that lock other vaults. This means that if Eve can log into your primary vault, she immediately gains access to your other vaults. That's of no use for separating keys, where you want the keys (password, OTP, emergency codes) to be entirely separated and independently locked, so that logging into a 2FA site requires the 2 factors, yet 1 factor compromised does not compromise the other.

    For me, the alternative would be to keep my TOTP secrets somewhere less secure, so I keep them in 1Password. And while someone with my Master Password would be able to access those along with my other login credentials, for me that's just another reason to guard my Master Password jealously. But depending on your situation and preferences, the calculation may change. You make some other great points, especially about availability, and I think that this and Jamie's earlier comments apply. Always have a contingency plan.

    Anyway, I think that the point of 2FA is not just 2 things to know in order to log in. It's 2 distinct factors, in that one is something you know, and the other is something you have. If the goal was protecting your login with two secrets, you'd be required to provide 2 passwords. But that's not what's done. The idea of 2FA is that you need to know a secret, and you need to have a device. If you turn that have into a know, you take a hit on the security 2FA provides.

    I think it bears mentioning that 1Password kind of breaks this mental model, so the normal rules don't really apply. After all, the whole point of 1Password is that you don't know your passwords, so this really changes the equation. Using 1Password is kind of cheating to begin with — but in the best way possible. ;)

    If you turn that have into a know, you take a hit on the security 2FA provides.

    I think you're right in principle, but for me and probably most people, using 1Password is more secure than remembering the "know" and keeping track of the "have". Your mileage may vary, of course. But the passwords I used to have to remember were not strong, and having a dongle for one-time passwords was something else I could lose — or break. None of that was fun, so I don't miss it, and at least for me the security benefit of using 1Password to help me manage all of this far outweighs the downside. But of course we can always choose to use a separate authenticator app (or hardware device, though those seem to be falling out of favor in most places). So I think it's important to weigh all of this in a larger context. After all, I can get "two-factor" support from my bank, but because it's tied to my cell phone number and sent insecurely via SMS, by filing it under "2FA is more secure" I'd be missing the bigger picture.

    But I do feel the pain we all feel in the struggle between security and convenience. I am certain though there's a way to eat this cake and have it too.

    Amen. :)

  • XIIIXIII
    edited April 2017

    Fraser Spiers (famous teacher/speaker/blogger/podcaster/etc. and 1Password user) has some tips on this, after his wife's iPhone was stolen on a trip to France:

    http://www.speirs.org/blog/2017/4/12/theft-and-loss-recovery-for-ios-users

  • brentybrenty

    Team Member

    Ah, I just read that earlier today. Great postmortem from a real life scenario. I think too often it's easy to get bogged down in hypotheticals. :)

    Here was my first problem: I don't know my iCloud password. It's long, it's random and it's stored in 1Password. So now I have to get into 1Password, just to send an erase command to my devices. For me, that would take too long so my first task in this security audit is to change my password to something complex and long but still memorable without support.

    This was interesting because using a strong-but-not-incomprehensible iCloud password in conjunction with two-factor authentication is a good move, and I think it was @prime who recently pointed out that you can still use Find My iPhone through the iCloud website even if all of your authorized devices are gone (and with them your access to two-factor). Fascinating.

This discussion has been closed.