Is there a list of website which support 1Password one-time password

Not all site two-factor authentications are supported by 1Password one-time password because no all site is set up using a QR code.

Is there a list of site which can be used to setup one-time password using 1Password? Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Is there a list of website which support 1Password one-time password

Comments

  • beyerbeyer

    Team Member

    @lixinyang: I don't believe we have a list of websites that are supported (it would be pretty hard to maintain), but we should be able to generate codes for any website that adheres to the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.

    Although most websites that use this standard utilize QR codes for easy setup, it technically isn't required by 1Password. Instead, you can manually paste a one-time password secret into the TOTP field of your 1Password item.

    Do you have an example of one of these websites that 1Password doesn't work with? I'd love to take a look and see what they are using for two-factor authentication.

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • lixinyanglixinyang
    edited August 2017

    Can I use the one-time password for things like iCloud and Steam Game service? Because I am thinking to enable all two-factor authentication and only use 1Password as a token generator.

    @beyer

  • beyerbeyer

    Team Member

    @lixinyang: Great question and even better examples!

    Both Apple (iCloud) and Valve (Steam) use a proprietary two-factor authentication method, which means they don't use the TOTP algorithm specified in RFC 6238 or if they do use it, they don't allow 3rd-party authentication apps.

    First, it's important to understand that time-based one-time passwords, especially our implementation of generating them, doesn't typically provide true two-factor authentication. This is why you'll see many services like Google refer to them as "two-step verification" instead of two-factor authentication. Jeffery Goldberg (our Defender Against the Dark Arts) explains this quite well, in this somewhat dated but accurate from a security perspective blog post:

    If you would like to turn a site’s offering of TOTP into true two-factor security, you should not store your TOTP secret in 1Password (or in anything that will synchronize across systems). Furthermore, you should not use the regular password for the site on the same device that holds your TOTP secret.

    Put simply: the device that holds your TOTP secret should never hold your password if your aim is genuine two factor security.

    Personally, I don’t think that following that practice would be worthwhile for anything but a very small number of special circumstances, in which case, you should probably be using a specialized second factor device instead of something like a phone. But not everyone shares my opinion on this, and if you have a need for true second-factor security for some particular site or service, you should take that into account before adding a TOTP secret to 1Password.

    This and various other reaons is why some companies like Apple and Valve have opted to implement their own two-factor authentication systems. In the case of Steam, it's my understanding their goal was to be able to offer additional information while requesting a code from their generator. For example, if you were executing an item trade on Steam, when they requested a one-time code from their code generator, Steam could also display which items you were about to trade from your account. This helps, in their mind, to prevent users from being tricked into trades that they didn't execute. Apple can also provide additional information, like the physical location of the device requesting access, as part of their two-factor authentication system.

    Both of the examples you've given (iCloud and Steam) can't be added to 1Password or any other 3rd-party TOTP generating app (like Google Authenticator). This is something that we can't change on our end, and as far as I can tell, is not likely to change anytime soon.

    I hope that helps and provides some technical context, but please let me know if you have any additional questions.

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • Thanks, @beyer, for your replies. My question is well answered.

  • brentybrenty

    Team Member
    edited August 2017

    @lixinyang: This isn't exactly what you're looking for since it isn't limited to TOTP (which 1Password supports), but it's a great resource:

    https://twofactorauth.org

    While I prefer TOTP because it is open (and, of course, because that allows 1Password to use it) there are some great proprietary two-factor authentication options out there too for protecting accounts — Steam's drives me nuts, but I'm personally rather fond of Apple's. And apparently Amazon supports TOTP now (though it requires SMS as backup — yuck). Hope this helps. Cheers! :)

  • @brenty Thanks for the additional information. Cheers ;)

  • brentybrenty

    Team Member

    Any time! :):+1:

This discussion has been closed.