No 2FA recovery options for "Individual Plan" accounts

lammoth
edited March 2018 in Memberships

I've seen that, in 1P.com v477, you added 2FA (with Google Authenticator) for "Individual Plan" accounts. Although I think the Secret Key is more than enough, I wanted to try the 2FA as well.

It works as expected, but there are no recovery options:
1. No backup codes to enter
2. No recovery via URL sent by e-mail
3. In the "Emergency Kit" the 2FA secret is not saved (as text or QR)

IMHO, options 1 and 3 should be implemented...

Thanks

Edit: Maybe this discussion should be moved here: https://discussions.agilebits.com/categories/accounts

Comments

  • XIII
    edited March 2018

    Ah, I see it's also available for Families.

    Maybe the "no recovery" is intentional? Some documentation would be nice.

    Did not try it yet, but I guess it's regular TOTP?

    (Was hoping we would get Duo, but alas)

  • brenty

    Team Member

    @XIII, @lammoth: Individual 1Password.com memberships have no means of recovery, as they are not part of a family or team. This is a new feature and not officially launched yet, so I'm sure we'll have more to share in the future. :)

  • Ha, then maybe I should wait (testing this)...

  • brenty

    Team Member

    @XIII: I think you'll be okay, but one concern is that people might try storing their TOTP secret in 1Password itself, which could have...undesirable consequences. Definitely use a separate app for that when you set it up. Cheers! :)

  • Hi @brenty - For "recovery" I mean the ability to enter my account when the 2FA device gets lost.

    As you say:

    If you lose access to your authenticator app, you won’t be able to sign in to 1Password on new devices until you turn off two-factor authentication. To turn off two-factor authentication:

    1. Sign in to your account on 1Password.com in an authorized browser.

    If this is not possible, a backup code (as Google, Dropbox and others do) comes in handy. Authy can back up the secrets while Google and MS authenticators can't, so people not using Authy (or not manually backing up the TOTP secret) may remain locked out.
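The backup codes lammoth refers to (the kind Google and Dropbox issue) are usually a small set of random single-use codes that the service stores only in keyed-hash form, so that one unused code is enough to turn two-factor authentication off again. The following is an added example of that service-side logic, not 1Password's code: the user store, pepper, normalisation rules and function names are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10
CODE_BYTES = 5   # 40 bits of entropy -> 10 hex characters per code
# Constructed pepper for the demo; a real deployment keeps this out of the
# database (KMS/HSM) so a leaked table of hashes is useless on its own.
SERVER_PEPPER = b"demo-pepper-not-for-production"


def _normalise(code):
    """Accept the code as a user would transcribe it: case, dashes and spaces ignored."""
    return code.replace("-", "").replace(" ", "").lower()


def _hash_code(code):
    # Keyed hash (HMAC-SHA256) rather than a bare hash: 40-bit codes could
    # otherwise be brute-forced offline from a leaked table.
    return hmac.new(SERVER_PEPPER, _normalise(code).encode(), hashlib.sha256).hexdigest()


def generate_backup_codes(count=CODE_COUNT):
    """Return (plaintext codes shown to the user exactly once, hashes to persist)."""
    plain = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
    return plain, [_hash_code(c) for c in plain]


def redeem_backup_code(store, user, submitted):
    """Consume one code from store[user]; each code works exactly once."""
    digest = _hash_code(submitted)
    remaining = store.get(user, [])
    for i, stored in enumerate(remaining):
        if hmac.compare_digest(stored, digest):   # constant-time comparison
            del remaining[i]                        # single use
            return True
    return False


def disable_two_factor(store, user, submitted):
    """The recovery path the thread asks for: a valid unused backup code turns
    2FA off; the leftover codes are voided and 2FA must be re-enrolled later."""
    if redeem_backup_code(store, user, submitted):
        store.pop(user, None)
        return True
    return False


if __name__ == "__main__":
    codes, hashes = generate_backup_codes()
    vault = {"alice": hashes}          # constructed in-memory "database"
    print("show these to the user once:", codes)
    print("disable 2FA with code 0:", disable_two_factor(vault, "alice", codes[0]))
```

The design point is that the plaintext codes exist only at generation time; the service keeps peppered hashes, compares in constant time, and deletes a code the moment it is used, so a stolen database or a shoulder-surfed printout of a used code gives an attacker nothing.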

  • Thanks for the link with documentation!

    Might try it this weekend...

  • Catalin1P
    edited March 2018

    Hello everyone! I tried it and I opened an incognito window in Safari to see if I could log into my account with just the Master Password and my Secret Key, and it seems like I am screwed if I ever lose access to those 2FA codes. Any suggestions on how I could store these 2FA security codes that regenerate themselves every 30 seconds without locking myself out of my account and losing access to my digital life?

  • brenty

    Team Member

    Hi @brenty - For "recovery" I mean the ability to enter my account when the 2FA device gets lost. As you say:

    If you lose access to your authenticator app, you won’t be able to sign in to 1Password on new devices until you turn off two-factor authentication. To turn off two-factor authentication:
    Sign in to your account on 1Password.com in an authorized browser.

    If this is not possible, a backup code (as Google, Dropbox and others do) comes in handy. Authy can back up the secrets while Google and MS authenticators can't, so people not using Authy (or not manually backing up the TOTP secret) may remain locked out.

    @lammoth: Right, but there's a tradeoff with that with regard to security. It's something we'll continue to evaluate, but there are two important things to keep in mind: 1) these features are targeted primarily at businesses that require them, and 2) we're not recommending that anyone else use it at this time, as it is up to you to not lock yourself out, especially as an individual with no family or team admin to bail you out. That adds not only a means of recovery, but also an important social failsafe: you'd have to contact a loved one or colleague directly to ask them to help you recover your account, which adds a layer of real-world authentication. Having a bunch of different "get out of jail free cards" is convenient, but can also provide additional avenues of attack. For the target users of this feature, businesses, not having these additional threat vectors is important.

  • brenty

    Team Member

    Thanks for the link with documentation! Might try it this weekend...

    @XIII: Let me know what you think — bearing in mind that this isn't anything earth-shattering, just a feature that many companies have requested due to their requirements. :)

  • brenty

    Team Member

    Hello everyone! I tried it and I opened an incognito window in Safari to see if I could log into my account with just the Master Password and my Secret Key, and it seems like I am screwed if I ever lose access to those 2FA codes.

    @Catalin1P: That's exactly it. This is designed to be an additional layer of security for business customers' accounts, and having ways around it would render that benefit less relevant. Please be careful.

    Any suggestions on how I could store these 2FA security codes that regenerate themselves every 30 seconds without locking myself out of my account and losing access to my digital life?

    We have a few recommendations for 3rd party authenticator apps that will work with this in the guide I linked above. Just keep in mind that this feature is supposed to make it harder to get into your account.

  • Finally configured TOTP 2FA for 1 non-admin user in my Family account.

    Works as expected.

    Will you only offer TOTP or also Duo for the Family plan?

  • Jacob

    Team Member
    edited April 2018

    @XIII Fantastic! Duo is only for 1Password Teams and 1Password Business, since it's a business product in general. You can use two-factor authentication for your personal accounts. :)

  • edited January 11

    @Catalin1P Months later, I had the same question, as the experience seemed to move some cheese vs. what most 2FA users are familiar with. The team has a strong opinion that their home-rolled solution is superior to the way the majority of the industry does it. In most ways they're not wrong; the rub is it's a vertical integration with a price tag to get back to the familiar. You can interpret that how you will.

    TL;DR, the real solutions are as follows:

    1. Use Authy, and rely on its continued existence and service
    2. 2x your spend for a family account
    3. Save your codes to a backup phone
    4. Install the Android SDK, create an Android VM, install GA or similar on that, save your codes, put the VM in a secure cloud drive
    5. If you're savvy, you can google for authenticator-cli to accomplish the same thing.

    @devs, a monospace font would be awesome in this comment box

  • Ben AWS Team

    Team Member

    @AsParallel

    There are a lot of different apps that are capable of generating TOTP codes. It isn't a bad idea at all to have a couple of different ones set up with the same TOTP secrets. For example, I have all of mine in both 1Password as well as on a YubiKey. I'm considering also setting up Authy, Google Authenticator, or some other app that can sync these codes so that the loss of any device is not a single point of failure to my workflow.

    Ben

    P.S. you can get a monospace font by clicking on the 'paragraph' icon in the formatting toolbar above the reply area and selecting 'code':
    monospace goodness
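Ben's advice, and XIII's guess that this is "regular TOTP", both rest on one fact: the rotating six-digit code is a pure function of the enrolled secret and the clock (RFC 6238, HMAC-SHA1 with 30-second steps), so any number of apps provisioned with the same base32 secret produce identical codes, and the secret, not the codes, is the thing to back up. The following is an added example, not 1Password's or any authenticator's code: it implements HOTP/TOTP from the RFCs, checks itself against the RFC 4226/6238 test vectors, and shows two "devices" enrolled from the same secret agreeing. The base32 secret is the RFC test key encoded for illustration, and the `verify` window of one step is an assumed server policy.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the 30-second rotation Catalin1P mentions
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // step)


def decode_provisioning_secret(base32_secret):
    """Authenticator apps receive the secret as base32 (inside the otpauth
    QR code); this string is what must be backed up, not the rotating codes."""
    s = base32_secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify(secret, submitted, unix_time, window=1):
    """Server-side check tolerating +/- `window` steps of clock drift,
    comparing every candidate in constant time."""
    counter = unix_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


# Constructed example: the RFC 4226 test key "12345678901234567890" in base32,
# as it would appear in an enrolment QR code, enrolled on two "devices".
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def codes_from_two_devices(base32_secret, unix_time):
    """Phone A and a backup phone/second app provisioned from the same secret
    produce the same code at the same time, so losing one is not fatal."""
    device_a = decode_provisioning_secret(base32_secret)
    device_b = decode_provisioning_secret(base32_secret)
    return totp(device_a, unix_time), totp(device_b, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    a, b = codes_from_two_devices(DEMO_SECRET_B32, now)
    print("device A:", a, "device B:", b, "agree:", a == b)
```

Note the two consequences for this thread: storing the TOTP secret in the same 1Password account it protects creates the circular dependency brenty warns about (you need the code to reach the secret that makes the code), and a secret written into the Emergency Kit or a second app, as lammoth and Ben suggest, is a complete recovery path precisely because the algorithm is deterministic.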
