Duo 2FA allows easy bypass and only prompts once a day?

Murphdog
Community Member

Hi,

I'm a long-time 1PW user. My needs now require 2FA on all logins of the app. I didn't like the TOTP only on install with the personal version. I brought this up in the membership forum, but after a lengthy forum discussion it was suggested that I need the Teams or Business product as opposed to the personal version. I set up a trial, set up the Duo 2FA and installed the app. Two major security fails in my opinion:

  1. Once you set up the PC client you only get prompted once a day for the 2FA code. Please add a per-access option for those that need that enhanced security.

  2. 2FA is easily bypassed. Duo prompts you, but you can just close it without the code push and look at the passwords. Not a second factor if it can be ignored.

I somewhat get that some of the personal version users of 1PW need a lot of hand holding and full-time 2FA seems not to be in the future for that product. For a business product I can't believe this. Yes, I know if someone has access to my PC they can copy the database and they can try and crack it. I'm not worried about a foreign power (ok maybe a little) cracking the database. It's key loggers, rogue employees, roommates, etc. If the whole internet is down or there is a service disruption then yes I have an issue. One-time codes locked in a safe may help in that rare instance.

If this is considered a duplicate post then I apologize. I wanted Teams and Business employees to see this and I wasn't clear that would happen in the membership forum.

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Murphdog
    Community Member

    Now that I read https://discussions.agilebits.com/discussion/89963/teams-duo-desktop-2fa-options-why-only-phone-call-and-push#latest
    in depth I think I understand. I guess the only way to avoid access to your vault once someone gets the master password is not to use the local app and only use the web or 1Password X? I didn't realize moving the vault to another PC would allow it to be opened if the bad guy has the master password.

    If this is correct then my request would be to force 2FA on every web or 1Password X unlock with DUO or some other 2FA. This would be great for Teams and Families.

    Thanks

  • Hi @Murphdog,

    1Password X behaves much more like the local apps than it does the web app. It has a full local cache of your data, and it can work offline. Just as I mentioned on the other thread, if I know your Master Password, and I know that you've signed in to 1Password X, and I have the device, then 2FA isn't going to stop me from getting at your data. I'll just make sure to stay offline.

    I understand the desire to bring 2FA into the fold when unlocking the app. As I've stated in other threads that'd be possible if users were willing to give up offline mode and have the app be online-only such that unlocking the app required authentication with our server. In an offline scenario there isn't anywhere for us to save secrets needed for another factor in a way that wouldn't be trivially bypassed.

    Rick
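    As an added illustration of the design point Rick makes above (this is constructed example code, not 1Password's, Duo's or Rick's implementation, and the KDF parameters, the "key share" mechanism and the class and function names are assumptions made for the example): a small Python model of the two designs he contrasts. In the offline-capable design the vault key is a pure function of the master password and a public salt, so a second-factor prompt drawn by the UI is simply not an input to the key and cannot change whether the data is obtainable. In the online-only design the client must obtain a key share from the server, and the server releases it only after a valid TOTP code, so the second factor is part of the key material rather than a gate in front of it.

    ```python
    import hashlib
    import hmac
    import struct

    # Constructed sample inputs for the example; none of these are real credentials.
    MASTER_PASSWORD = "correct horse battery staple"
    ACCOUNT_SALT = b"constructed-16-byte-salt"
    TOTP_SECRET = b"constructed-totp-secret"     # shared with the server at 2FA enrolment
    SERVER_KEY_SHARE = b"constructed-server-held-key-share"


    def derive_master_key(password: str, salt: bytes) -> bytes:
        """Slow KDF over the master password only: all an offline client ever has (PBKDF2 is an assumption)."""
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


    def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
        """RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation)."""
        digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = digest[-1] & 0x0F
        code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(code % (10 ** digits)).zfill(digits)


    def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
        """RFC 6238 TOTP: HOTP over the current 30-second time step."""
        return hotp(secret, int(now // step), digits)


    # --- Design 1: offline-capable client -----------------------------------
    def offline_vault_key(password: str, salt: bytes) -> bytes:
        # The key depends on the master password and salt alone. Whatever the UI
        # shows (a push prompt, a code entry box) is not an input here, so there is
        # no local secret whose absence would keep the vault sealed.
        return derive_master_key(password, salt)


    # --- Design 2: online-only unlock -----------------------------------------
    class AuthServer:
        """Holds a key share the client never stores; releases it only for a valid TOTP code."""

        def __init__(self, totp_secret: bytes, key_share: bytes):
            self._totp_secret = totp_secret
            self._key_share = key_share

        def release_share(self, otp: str, now: float) -> bytes:
            expected = totp(self._totp_secret, now)
            if not hmac.compare_digest(otp, expected):
                raise PermissionError("second factor rejected")
            return self._key_share


    def online_vault_key(password: str, salt: bytes, server: AuthServer, otp: str, now: float) -> bytes:
        # The vault key mixes the password-derived key with a share only the server
        # can release, so an unlock that fails the second factor has no key at all.
        share = server.release_share(otp, now)
        return hmac.new(derive_master_key(password, salt), share, hashlib.sha256).digest()


    def demo(now: float = 1_700_000_000.0) -> dict:
        """Run both designs once and report what each yields without a valid code."""
        server = AuthServer(TOTP_SECRET, SERVER_KEY_SHARE)
        good = totp(TOTP_SECRET, now)
        wrong = good[:-1] + str((int(good[-1]) + 1) % 10)   # deterministic wrong code
        result = {"offline_key_without_2fa": offline_vault_key(MASTER_PASSWORD, ACCOUNT_SALT) is not None}
        try:
            online_vault_key(MASTER_PASSWORD, ACCOUNT_SALT, server, wrong, now)
            result["online_key_without_2fa"] = True
        except PermissionError:
            result["online_key_without_2fa"] = False
        result["online_key_with_2fa"] = online_vault_key(MASTER_PASSWORD, ACCOUNT_SALT, server, good, now) is not None
        return result


    if __name__ == "__main__":
        for name, value in demo().items():
            print(f"{name}: {value}")
    ```

    The model makes the trade-off explicit: the second design gives the second factor real teeth only because the client cannot compute the key on its own, which is exactly the offline mode the original apps would have to give up.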

  • Murphdog
    Community Member

    Thanks for taking the time to explain this to me. It sounds like the web version would be the best thing for locations where I have concerns. It would be nice if DUO prompted me on all web logins instead of once a day. Even better if it was in the family product :)

  • AGAlumB
    1Password Alumni

    @Murphdog: I'm sorry if I'm reading too much into this, but if by "locations where I have concerns" you mean shared or compromised machines (which I guess is also shared...), these are not places we would recommend accessing sensitive information of any kind. All bets are off then since the "owner" of said machine could get at anything as you access it. Two-factor authentication isn't a defense against that. "The only winning move is not to play."

  • Murphdog
    Community Member

    Understood. It's at work on PCs I have full control over, but I still like to secure the access. If it stops a shoulder surfer at my desk it would be worth it. I don't need someone taking over the WOPR at work :0 Some of the keys and passwords are impossible to transcribe or to save to 1PW just using an iPhone.

  • @Murphdog: using 1Password's Two-Factor Authentication (i.e. TOTP) in a browser that's in Incognito Mode would likely be the way to go in that case, as you'll get prompted for the OTP on every sign-in (assuming you close the window afterwards).

    Rick

This discussion has been closed.