1 Password for Windows + Duo = What security???

Unlock Vault, it will prompt you to authenticate with Duo, you can just close that prompt and you still have full access to the vault? WTF. This is useless security. Why?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:DUO Not required

Comments

  • @1P_NewUser: This is actually intended behavior, but I'll provide some extra detail so hopefully it makes a bit more sense. Duo is protecting the authentication process. The only time you authenticate with 1Password is when your app is connecting to our server. This happens when setting up a new device and when syncing your data. When you're unlocking your Windows app, you're not authenticating at all. You're decrypting your local database. So, while you'll see that Duo prompt when you unlock on an already-authorized device, if you dismiss it, it will only prevent authentication with the server and thus syncing of new data, not access to local data you already have on your device. If you do the same on a new device that you've not used 1Password on before, you'll see no data at all and won't be able to sign in.

    1Password stores your encrypted data both remotely on 1Password.com and locally on your device. This setup ensures you can access your data even when you're offline, something I'm often grateful for with the brownouts we're about ready to start getting again as it heats up here in South Texas. When unlocking your local data, you're decrypting data you already have, not proving your identity to a remote server so that server can share data you don't have, like you are when you're signing into your e-mail account (or setting up a new device with 1Password). Absent that proof of identity (authentication) 2FA doesn't really have a role to play here. Duo cannot work offline either, so we didn't want to purge that local data or deny you access to it if you were unable to complete 2FA since that would mean taking away offline access entirely. We are, however, totally okay with denying access to any remote data in that case because syncing that data to your current device absolutely does require authentication with our server – something 2FA can protect.

    We imagined an endless array of possible scenarios when designing 1Password's security model, and a few simpler examples can be illustrative here. Consider someone steals your data, but not your Master Password and Secret Key. In this case, it's the encryption of your database that protects you – that data is useless without your Master Password (and Secret Key, if the data came from our server) needed to unlock that data. 2FA doesn't help you here as that data can be unlocked offline, but the strength of your Master Password and the extra protection of your Secret Key do. In combination, they make your encryption keys all but impossible to crack with current computing power. Even just your Master Password, if adequately strong, gives you a good long time to change any passwords in your vault in such a scenario. We're now over a week into our password cracking challenge with no winners yet. Where 2FA does help is if someone captures your Master Password and Secret Key, but not your data. If they attempt to sign in to your account from a new device to get that data, 2FA will stop them in their tracks.

    We definitely agree that 2FA has a very different and perhaps smaller role to play in protecting 1Password data than it does in protecting your e-mail account. For that reason, we were fairly unenthused about the whole concept for quite some time, but it's still more than security theater. You can avoid typing your Secret Key entirely and it's never ever sent to us, so someone capturing your Master Password and Secret Key may be fairly unlikely, but so long as it remains possible, 2FA has a role to play. I hope this helps to explain that role so that the behavior you're seeing in your apps makes more sense. You can also learn more about the difference between authentication and encryption here, and, of course, if you have additional questions, let us know. And make sure you authenticate with Duo in your Windows app all the same to ensure your devices stay happily synced up. :chuffed:
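    The split this reply describes (unlocking = decrypting a local copy with the Master Password and Secret Key; syncing = authenticating to the server, which is where the second factor is checked) is easy to see in a small model. The following is an added illustration written for this thread, not 1Password's code or its real key derivation, cipher or sign-in protocol: the key derivation, the HMAC-based toy cipher, the `Server`/`Device` classes and every value in `walk_through()` are constructed for the example.

```python
"""Toy model of the encryption-vs-authentication split described above.
Constructed illustration only; none of this is 1Password's own design."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Stand-in for a two-secret key derivation (assumption: PBKDF2, then HMAC mix)."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 50_000)
    return hmac.new(secret_key.encode(), pw_key, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher (not a real AEAD)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered vault")  # a wrong Master Password ends here
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Server:
    """Holds the encrypted vault plus an authentication verifier; gates sync with 2FA."""

    def __init__(self, vault_key: bytes, vault_blob: bytes):
        self.vault_blob = vault_blob
        # Verifier derived from the vault key; the server never holds the key itself.
        self.verifier = hmac.new(vault_key, b"auth", hashlib.sha256).digest()

    def sync(self, auth_token: bytes, second_factor_ok: bool) -> bytes:
        if not hmac.compare_digest(auth_token, self.verifier):
            raise PermissionError("authentication failed")
        if not second_factor_ok:
            raise PermissionError("second factor not completed")  # dismissed Duo prompt
        return self.vault_blob


class Device:
    def __init__(self, salt: bytes):
        self.salt = salt
        self.local_blob = None  # nothing on disk until a successful sync

    def unlock(self, master_password: str, secret_key: str):
        """Local decryption: no server round-trip, so no 2FA involved."""
        if self.local_blob is None:
            return None
        key = derive_vault_key(master_password, secret_key, self.salt)
        return decrypt_vault(key, self.local_blob)

    def sync(self, server: Server, master_password: str, secret_key: str,
             second_factor_ok: bool) -> bool:
        """Authentication: 2FA applies here, and failure only withholds remote data."""
        key = derive_vault_key(master_password, secret_key, self.salt)
        token = hmac.new(key, b"auth", hashlib.sha256).digest()
        try:
            self.local_blob = server.sync(token, second_factor_ok)
            return True
        except PermissionError:
            return False


def walk_through() -> dict:
    """Replays the scenarios from the reply with constructed secrets and data."""
    mp, sk = "correct horse battery staple", "A3-EXAMPLE-SECRET-KEY"  # constructed
    salt = b"constructed-account-salt"
    key = derive_vault_key(mp, sk, salt)
    server = Server(key, encrypt_vault(key, b"login: example.test / hunter2"))
    results = {}

    old = Device(salt)
    old.sync(server, mp, sk, second_factor_ok=True)  # set up earlier, Duo accepted
    results["old_device_sync_without_2fa"] = old.sync(server, mp, sk, second_factor_ok=False)
    results["old_device_unlock_without_2fa"] = old.unlock(mp, sk)  # local data still opens

    new = Device(salt)
    results["new_device_sync_without_2fa"] = new.sync(server, mp, sk, second_factor_ok=False)
    results["new_device_unlock_without_2fa"] = new.unlock(mp, sk)  # nothing to decrypt

    try:  # stolen local blob, but no Master Password: the MAC check rejects it
        old.unlock("wrong password", sk)
        results["stolen_blob_wrong_password"] = "decrypted"
    except ValueError:
        results["stolen_blob_wrong_password"] = "rejected"
    return results
```

    Running `walk_through()` gives the behaviour the reply describes: the already-authorised device still unlocks after the second factor is dismissed but cannot pull new data, the fresh device gets nothing at all, and a copied blob without the Master Password fails the integrity check rather than decrypting.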

  • cpmcgrath
    Community Member

    Hi,
    Reading the response, this sounds more like a communication problem than a technical one. I don't use Duo so I'm not completely sure what the UI looks like, so sorry if I get the current behaviour wrong.

    I think there's a real danger if it's just "Accept Duo request to continue": people learn they can just hit cancel without understanding the consequences, they don't see things they should see, and they think the program is broken without correlating that back to cancelling the request. This could result in them losing faith in the program and stopping using it.

    I think the solution is actually pretty easy - rename the Cancel button to, "Work Offline" - Clear, simple and lets people understand the consequences.

    Side note: One of the things I miss about LastPass is that push 2FA is just built in. Once you experience that, manually opening an app and entering the 6-digit code across seems so tedious.

  • @cpmcgrath: Duo actually is push 2FA, so likely similar to what you used before. The risks you mention are some of why we were a bit resistant to 2FA in general. Because it doesn't make as much sense in an encryption-based system, it takes a fairly lengthy dialogue to make its role here clear. We do our best to explain the implications of turning on 2FA as part of the setup process, but there's never any guarantee every customer that does decide to use it will read everything we put in front of them. I, for one, have a nasty habit of skipping through explanatory dialogues for my own apps and I spend a portion of my time writing them for 1Password (a habit I should probably change).

    If you can't tell, I'm not personally a huge fan of 2FA with 1Password. The risks it mitigates aren't significant enough under my personal threat model that I feel compelled to turn on 2FA for my family account. I think my dad getting confused and locking himself out is much more likely than someone capturing his Master Password and Secret Key. Still, everyone's threat model is different and the best we can do is offer options and the opportunity to learn, up to and including these lengthy explanations when we have the opportunity. :chuffed:

    As for push 2FA generally, we don't have any plans to bring Duo (which is currently only offered to team and business customers) to individual and family accounts at this time, nor to develop an additional 2FA solution ourselves. TOTP has the advantage of being fairly familiar since it's offered by so many other services and looks similar even to SMS 2FA, which is even more ubiquitous, so we felt it was the best choice to avoid exactly the type of confusion you're worried about. The risk is still there, of course, but we hope the familiarity of TOTP will help to mitigate it somewhat. :+1:

  • cpmcgrath
    Community Member

    I don't disagree with anything said there. I've recently had to implement a 2FA solution and I immediately went to TOTP for the simplicity of it.

    That said I stand by my suggested change - change the button text from Cancel to Work Offline.

    • People read what's on buttons far more than descriptions around them
    • In 2 words it manages to clearly communicate the consequences of hitting the button, and avoids all the nitty gritty details which the average user would not read.
  • 1P_NewUser
    Community Member

    Fair enough I guess, but I'd really prefer that if you can't authenticate the Duo the data is removed from the device attempting. As someone who has accidentally typed my master key in random login boxes a few times, I was looking to Duo to mitigate any risk stemming from that, and I guess for the most part it does (because any NEW app logins are required to be Duo-ed).

  • AGAlumB
    1Password Alumni

    I don't disagree with anything said there. I've recently had to implement a 2FA solution and I immediately went to TOTP for the simplicity of it. That said I stand by my suggested change - change the button text from Cancel to Work Offline.

    @cpmcgrath: I think that's reasonable. Perhaps we can do something similar across the apps in the future. :)

    People read what's on buttons far more than descriptions around them

    I haven't found that to be true, but nevertheless it never hurts to try. ;)

    In 2 words it manages to clearly communicate the consequences of hitting the button, and avoids all the nitty gritty details which the average user would not read.

    That's very true. Thanks for your feedback on this! :chuffed:

  • AGAlumB
    1Password Alumni

    Fair enough I guess, but I'd really prefer that if you can't authenticate the Duo the data is removed from the device attempting.

    @1P_NewUser: Thanks for letting us know. But just to clarify, you would be okay with 1Password having an "always online" requirement, and not being able to access your data offline? That's a real sticking point for most people, especially given 1Password's security model, and that it's always worked offline.

    As someone who has accidentally typed my master key in random login boxes a few times, I was looking to Duo to mitigate any risk stemming from that, and I guess for the most part it does (because any NEW app logins are required to be Duo-ed).

    I'm not sure I follow you here, so please elaborate a bit on the scenario you're imagining, and the specific threat you're trying to defend against.

    To be clear, if someone has access to your device, even if we made it so that a failed authentication wiped the data, they could just make a copy of it before that and try as many times as they want to brute force your Master Password. That's a good example of the protection that many people think multifactor authentication offers which it most assuredly does not. :(

This discussion has been closed.