1Password for 2FA at Uphold.com

twilsonco
edited June 2018 in Lounge

Uphold.com, a cryptowallet site, requires that you use the Authy app for 2FA, but I'd like to use 1P, since I use it for dozens of other 2FA sites.

They seem pretty committed to this. Authy even has a guide on their site about 2FA on Uphold. It reads:

2FA at Uphold is powered exclusively by the Authy 2FA API.

and

To access your Uphold account you must use the Authy app.

Furthermore,
1. the codes generated by Authy for Uphold are seven digits, not six, and
2. the countdown is 20s, not 30s, and
3. each time you tap the Uphold item in the Authy app, the countdown resets, such that you can keep the same code valid indefinitely by tapping it before the countdown expires

All three of these things seem to indicate a different standard, especially (3) which (I think) means that the Authy app is actually communicating with the Uphold site to align the validation date of each code.
This is quite different from normal 2FA codes, that are based on the system clock and reset every 30 seconds.

Then again, at the login screen when you're prompted to enter a code from Authy, it states:

In an effort to ensure member accounts remain secure, SMS has been suspended. Our team is working to improve the 2FA process and apologize in advance for the inconvenience.

To me, this reads that they understand the problems with this method (for one, Windows phone users are left out), so maybe I can hope for an implementation of the standard 2FA system that 1P uses....

Seems like in the meantime I'll have to use Authy just for the sites they were able to wrangle into their API, right? I'll also reach out to Uphold to allow for standard 2FA codes.

Edit:

Could Agile Bits implement the Authy API in 1Password? I guess, assuming Authy has a more secure variant of 2FA, this would be the ideal solution!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:uphold

Comments

  • I made a test account for Pinterest (I do teaching on how to better protect accounts) and I put in my cell number for Pinterest for 2-step verification. It went right to Authy and I couldn’t delete it. I disabled it on Pinterest because I didn’t want it on Authy, and Authy said this was how to remove it. Like what you were saying, it was 20 seconds and 7 digits.

    I got fed up with it and switched to Duo for the 2nd step for my 1Password account. I don’t like that Authy requires you to put in your cell number.

  • @wkleem I’m just using Duo as a basic authenticator app, not the whole service they offer. I also don’t have any iOS device running an old iOS operating system, all are on 11.4.

  • Ben AWS Team

    Team Member

    Hi @twilsonco

    At present we only support the TOTP standard for 2SV/2FA. It may be possible to expand this in the future but I’m not aware of any definite plans at this point. For this case specifically I would imagine implementing Authy’s API would require cooperation from their end, and it seems they are in a position where they are marketing themselves as the “exclusive” provider for these services, so I’m not sure we’d get that.

    Ben

  • You're probably right @Ben, I imagine their API is only for clients, not for hosting it yourself. I'll just hold out and hope that Uphold addresses the "inconvenience" and adds normal 2FA, or I could just get a different crypto wallet.

  • And now I know that the Authy site has (conveniently) guides for many of the services for which they can be used, so my initial comment about that was uninformed.

  • Ben AWS Team

    Team Member

    Thanks for the update @twilsonco. :)

    Ben

  • Oh, @Ben, I forgot to mention. Uphold shows as working with a software token in twofactorauth.org, which makes it show in 1P as "Two factor authentication available" and isn't relevant since you can't use 1P for it. I've commented on the relevant issue on the twofactorauth.org GitHub page that they should differentiate between generic and proprietary 2FA, but maybe AgileBits could do something in the meantime?

  • Ben AWS Team

    Team Member

    I agree with many of the comments on that GitHub issue. What would you propose we do on our end?

    Ben

  • twilsonco
    edited August 2018

    Sorry for the delay. I just stumbled on Cem Paya's blog post regarding this, showing how the author extracted the OTP generation scheme used by Authy and was able to successfully generate the "proprietary" Authy codes using a generic OTP app (FreeOTP). The whole process looks pretty easy, especially since the author already did everything! With this, 1P should be able to be used to generate Authy codes, right?

    Otherwise, in my last post I guess I was suggesting that 1P e.g. maintain a list of sites for which the twofactorauth.org site is incorrect/misleading and remove the "Two factor authentication available" notice for items that are not actually supported by 1P's 2FA. Alternatively, you could add an option for the user to specify that they have actually enabled 2FA for the site.

    edit:
    In Alex Foster's comment on the Wordpress blog linked above, he states:

    you can use 1Password’s One Time Password field type to get the 7-digit version–

    otpauth://totp/Authy:[USERNAME]?secret=[BASE32]&digits=7&issuer=Authy&period=10

    Just fill in [USERNAME] and [BASE32] and paste it into the 1Password field.

    Guess I'll give that a shot! Seems like this should be even easier to implement.

    edit 2:
    Authy also has some documentation for their API. Maybe 1P could implement something using that.

    edit 3:
    So I added the Authy url to 1P using the instructions linked above
    1. install Chrome Authy app
    2. use debugger mode to break while code is being generated
    3. use python to encode secret key into base32
    4. insert code and Authy username into OTP URL (here I tried both my registered Authy phone number and my numeric Authy ID)
    5. paste the code into 1P

    I get codes generated this way, but they don't work.

    I also notice that I can have Authy open in three instances (iPhone, Chrome App, and macOS app) and they all have different codes for the same website at the same time, and all the codes work. Furthermore, in the e.g. iPhone app, I can keep tapping on the token for the current website and the countdown resets for the same OTP, so I can keep the same OTP valid indefinitely and it works on the website even if it’s actually an OTP that’s now several minutes old.

    This must be because of the site’s use of the Authy API that has the website actually send the code to Authy to validate (see https://www.twilio.com/docs/authy/api/one-time-passwords#verify-a-one-time-password)

    Is this a different thing altogether then? Will the method here not work for getting these Authy API/SDK based OTPs generated in another app like FreeOTP or 1Password?

  • brenty

    Team Member

    With this, 1P should be able to be used to generate Authy codes, right?

    @twilsonco: If it gives you a string that conforms to TOTP spec, sure. :)

    Alternatively, you could add an option for the user to specify that they have actually enabled 2FA for the site.

    You can do that by adding a "2FA" tag to the item. That will tell 1Password that you already have it set up elsewhere. Cheers! :)

  • Thanks @brenty ! I updated my last post since you posted. Did you see the edits?

  • brenty

    Team Member
    edited August 2018

    Thanks! I don't have any special insight into Authy though. You'd need to get in touch with them to get any clarification on their product/service.
