Onscreen setup code question

nosferatuwho

Hi, all! New user to 1password here. I'm confused whats the point of the onscreen setup code besides using it for emergency purposes?

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

AGAlumB

@nosferatuwho: Good question! The Setup Code is a QR code which is a graphical representation of your sign in credentials (excluding Master Password). It just makes it easier, since scanning the code on a device with a camera/reader is faster than typing this information manually. I hope this helps. Be sure to let me know if you have any other questions! :)

nosferatuwho

@brenty Thanks for clearing that up. Another question. I was reading on this post: https://blog.agilebits.com/2011/09/23/two-factor-or-not-two-factor/

and you guys said:

"If someone gets hold of your Master Password, do they instantly have access to all of your data? No, they need to actually get hold of your encrypted 1Password data. This can be done either through the theft of a computer on which the data is stored or through a breach at Dropbox. That is, getting your 1Password master password isn’t the only thing that is needed."

So if some keylogger got my Master password, they would also need my secret key too correct? So in this case, if I some how got key logged, they wouldn't be able to do anything unless they also have my secret key as well right?

AGAlumB

So if some keylogger got my Master password, they would also need my secret key too correct? So in this case, if I some how got key logged, they wouldn't be able to do anything unless they also have my secret key as well right?

@nosferatuwho: Correct, but I don't think we want to assume that a keylogger is the worst case scenario. If your system is compromised, all bets are off. While the Secret Key is also needed to decrypt your data, we should assume that an attacker is smart enough to simply collect your data as you access it.

nosferatuwho

@brenty thanks for the quick response! One more question. I was wondering whats the difference between OTP vs 2FA? they seem like the same thing. The cool thing about 1passwords' OTP Is that it's all in one app. Still playing around with!

Jacob

@nosferatuwho They are similar, but each has a different purpose. A TOTP adds an element of time to the authentication process, while 2FA is meant to be an actual second factor and should represent another device, like your phone or tablet.

nosferatuwho

@Jacob do you mine elaborating the time difference and the benefits of it? Also I asked another question on the other thread which is no closed: "I have a question, is it possible to get keylogged with 1password? I know that I read somewhere that you guys have the security input in place, but I just want to make sure"

john_m

@nosferatuwho Most TOTP systems re-generate a random 6-character code every 30 seconds. When signing into an account that is protected by a TOTP, you must provide the current code that is valid for that sign-in (most system allow a little leeway for typing speed, and will also accept the previous code also). This means that even if an attacker is able to get a 6-character code for a given sign-in, that code is only valid for a very short window of time, and then is no longer valid. The attacker would either need to access the device containing the TOTP secret for that sign-in in real-time (i.e., be reading the current 6-character code live from the device), or to have stolen the TOTP secret and generate the code on their own devices. I hope that clears that up!

I'm not a security expert personally, so I'll let someone more versed in keyloggers give you a fully-fledged answer to that question!

nosferatuwho

@john_m it seems to me that its basically the same as 2FA?

danco

The thing is that straightforward 2FA is valid for a much longer time period than TOTP.

john_m

@nosferatuwho Not quite! 2FA may sometimes use a similar mechanism as TOTP (as in, a randomly changing code) but it doesn't have to - there are other 2FA types such as hardware tokens, etc.. The distinguishing factor of 2FA is that a second "factor" is involved.

An example I came across once that I liked is to think about using a cash machine. When you use the machine to withdraw money, first you have to provide it with your bank card - this is the first "factor", in this case, it's a physical thing that only you have. Next, you have to provide it with your PIN - this is the second "factor", a piece of information that only you know. What makes this 2FA is that the factors here are different - having a thing and knowing a thing. That's not the purpose of TOTP.

I hope that makes sense! :chuffed:

nosferatuwho

@john_m well for example, I use Authy/Google2fa, and the 2nd factor would be using my phone. Now when I open my authentication app, there pops up several numbers, and then I would have to copy/paste that into the site I am trying to use. When I use 1password and then use it's OTP, I would also still have to use the same method. The only difference here is that I'm using one app. So thats why I understand where the difference is coming from. I still have to either use 2FA or 1password's OTP to get into my accounts.

nosferatuwho

Edit: So thats why I don't understand where the difference is coming from.*

Also I'd like to add:

Although they are similar, what makes 1password's OTP more secure than say Authy's 2FA which requires another device? but so what? What difference does that make as oppose to 1Password's OTP? I would like to know the security benefits to using 1Passwords OTP.

Thanks for anyone who can clarify!

john_m

@nosferatuwho That's because the Authy/Google Authenticator apps use TOTP as their authentication mechanism, but the "second factor" there is the device (something you have). 2FA can use any number of authentication mechanisms, of which TOTP is just one.

For example, take a hotel room door; these days, that door might unlock with an old-fashioned key, or maybe it uses a keycard, or maybe it even unlocks with your smartphone or watch. The door could use any one of these different "authentication" systems to permit someone to walk through it. That doesn't mean a key is the same thing as a door! Likewise, a 2FA app might use TOTP as an authentication mechanism, but that does not mean TOTP is the same thing as 2FA. They're different, but sometimes related things.

In terms of "what makes 1password's OTP more secure than say Authy's 2FA", I'm not sure that anyone is making that claim; personally I find using 1Password to store my TOTP secrets a lot more convenient than either Authy or Google Authenticator (both of which I tried previously). At the time I tried them, Google Authenticator didn't have support for multiple devices, and I had trouble getting Authy's multiple device support up and running. 1Password was already on all of my devices (including my non-mobile devices), and the data stored in it is protected with strong encryption using my known-only-to-me master password (better protection than the PIN Authy was using on my non-Touch ID devices!), and as I'm using an individual subscription account for my personal data, was also protected by my Secret Key - which is something only my devices "have", a bit like 2FA! So for me, 1Password combines security and convenience for my TOTP secrets in a way that neither Authy or Google Authenticator were able to do for me. That's my experience anyway! :chuffed:

nosferatuwho

"personally I find using 1Password to store my TOTP secrets a lot more convenient than either Authy or Google Authenticator"

what do you mean in terms of "secrets"?

Jacob

@nosferatuwho He means the time-based code that is generated, which is in essence the TOTP. The text-based versions of these codes is generated by something like otpauth://totp/github.com/wendyappleseed?issuer=GitHub&secret=fjakleid8slakd.