2FA Authenticator revoking devices (vs Authy)

baikun
Community Member

Hi!

Both Authy and 1Password offer me a way to use multiple devices for 2FA. I'll gladly opt for 1Password as my 2nd factor authenticator, but I have a slight concern regarding a stolen/lost device.

I know that in 1Password there is a way to revoke access to a device. I also read that this feature requires 1Password servers to be able to send the instruction to wipe data to that device, which might not be the case. So all locally stored data might be compromised if the person who has the device knows my master password.

But what about the 2FA? If the device access is revoked, would it still be able to generate valid TOTP codes?

Because, with Authy, it seems it would not be the case. I can read here (https://authy.com/blog/multi-multi-factor-authentication/) under "De-authorization" that if I revoke access for a device, it won't be able to generate valid TOTP codes anymore.
Thus even if my device ends up in the hands of someone knowing my 1Password master password (so all my passwords), since I revoked that device on Authy he won't be able to log into any 2FA-protected apps, since he won't be able to generate a valid TOTP code anyway.

Does 1Password offer this kind of protection? If so, I'll gladly use the 1Password authenticator over Authy for convenience.

Thanks!

Comments

  • AGAlumB
    1Password Alumni

    @baikun: First things first. I think it's important to touch on this:

    If my device ends up in the hands of someone knowing my 1Password master password (so all my passwords)

    That's sort of game over. You don't have two-factor authentication for all your accounts, and even many that support it don't require it all the time.

    I think what you're confusing is that 1Password is not a two-factor authentication provider. Authy is with some services. That's why they can offer revocation: they control authentication. When you use 1Password to generate TOTP codes for a site, 1Password is not in any way affiliated with or in control of that site's authentication; it's simply generating a one-time-use code based on the shared secret. It's definitely a bit confusing because Authy started out that way and still works that way in most cases, but they've also got integrations with some services.

    I hope that helps make the difference clearer, but be sure to let me know if you have any other questions. It's an interesting topic. :)

  • baikun
    Community Member
    edited June 2018

    Hi!

    Thanks for your reply. I am not very familiar with Authy since I just discovered it. I did know that they had some kind of integration for specific services/applications. But I thought most of the time Authy was just used as a basic TOTP generator like Google Authenticator or the one included in 1Password.

    In the article I linked above, it's not very clear if the de-authorization concerns only compatible services. I understood that it's just how Authy works as a basic TOTP generator.

    It states:

    The ideal 2FA service would quickly, and painlessly, revoke a device as soon as it is lost. Authy achieves this by using an intelligent multi-key system. Whenever a new device is authorized, a new set of keys (specific only to that device) is generated and provisioned.

    And later on:

    At any point, if the user or administrator chooses, devices can be removed instantly.

    I understood it as: if I ever lose my device, I can instantly revoke the permission of this device to generate new valid TOTP codes. Since every device has its own unique keys, blacklisting one of them from generating a valid TOTP code could be doable, right? Sure, it might imply that there should be some kind of middleware to store the 2FA keys and not have them locally stored.
    But since you now provide this kind of middleware through the 1Password "cloud", I thought this could be what you used?

    Or maybe I'm just all wrong about how I read it, I have no idea actually!

    That's sort of game over. You don't have two-factor authentication for all your accounts, and even many that support it don't require it all the time.

    I got that, sure. All passwords would be out in the clear. But I notice a difference between Authy and 1Password regarding 2FA.
    If I store my 2FA keys in 1Password, I can't prevent that device from generating new valid TOTP codes. While with Authy, if I revoke the device, the lost device would not be able to generate valid TOTP codes.

    At least that's again what I understood from reading the blog post linked above, but I might be wrong!

    I just wanted to get some clarification here. In the meantime, I'm just using 1Password to store my 2FA keys since it's really convenient, at least on Mac, not so much on Android :p

    EDIT: I found an interesting topic on Stack Overflow regarding this subject.

  • Ben
    edited July 2018

    Thanks @baikun. I’m not super familiar with Authy either, but after reading some of the comments on that post it appears they are doing more than “just” TOTP. They are storing the TOTP secrets and then generating unique keys for each device you authorize to your Authy account. If you revoke a key that device no longer has access to the account and thus no longer has access to the TOTP secret. It is a neat idea, for sure. If you’re using 1Password.com you could accomplish a similar thing by changing your 1Password Master Password in the event of a lost/stolen device.

    Another way to address the issue at hand though might be to erase a lost/stolen device using iCloud’s capabilities:

    iCloud: Erase your device with Find My iPhone

    I hope that helps!

    Ben

  • baikun
    Community Member

    Hi @Ben.

    Thanks for your reply, this is exactly what I thought! It is indeed a clever approach; the only thing that's puzzling me is that the app is supposed to work offline too. Maybe that's not possible with multi-device enabled? I don't know, I might make some tests!

    Anyway, regarding your workaround for 1Password.com, I'm not sure this is exactly the same thing. As far as I understand it, if the device is offline, the 1Password servers won't be able to send any command to the device (erasing/changing master password...). So basically all local data will be readable, which is also the case for TOTP.
    (I might be wrong, as I'm not aware of how exactly changing the master password impacts other devices.)
    However, if I'm revoking the device on Authy, TOTP codes won't be generated anymore, or at least not valid ones!

    Once again I will have to do some tests to be sure that's how everything works ;-)

  • Ben

    That is sort of the trade-off between offline access and revoking access. I’m not sure how Authy would be able to offer offline access and be able to do revocation if the device hasn’t checked in online since the revocation. I think you’ll have the same trouble with either 1Password or Authy in that case.

    Ben

  • baikun
    Community Member
    edited June 2018

    Well, I made some tests: used 3 devices linked to the same Authy account, enabled backup to share the keys.
    I then removed a device from the list, but the deleted device kept generating correct TOTP codes... It might be that it needs some time to be disabled, I don't know, but anyway 1P is still way more convenient to use since it copies the TOTP code automatically. (Still waiting for that feature on my Android :p)

    A compromise between security and usability has been made. Since I'm not even sure of the true revocation of Authy anyway, I'll keep using 1P, which at least gives me easier access to my TOTPs!

  • Ben

    Great. :+1:

    Ben

  • prime
    Community Member

    1Password is way safer than Authy IMO. Unless you tell someone your master password, you’re safe. I’ve been playing around with Authy for a while since 1Password launched 2 step authentication for 1Password accounts, but they kind of turned me off.

  • baikun
    Community Member

    Hi @prime, thanks for your reply ;-)

    I just received an email from Authy regarding the revocation. Part of the answer is:

    removing/deleting a device will not disable locally saved authenticator tokens (QR code scan required)

    So, nope, not going to work as I expected! I'm sticking to 1Password then ;-)

    Thanks!
    I think we can close the thread now ;-)

  • AGAlumB
    1Password Alumni

    I'd say that's what I expected, but I agree it's not what we hope for. It's the same limitation we have though. Occasionally we get asked that 1Password not work without two-factor, but that would mean no offline access, and for most people that's going to be a dealbreaker. So I guess we're all in good company at least. :)

  • baikun
    Community Member

    Yup, unfortunately you were right ;-) But I guess that's just because of the offline access. I have no use for it, since all the apps/websites I'm logging into with 2FA are usually on the WAN anyway... But it might be useful for those who log into 2FA-protected LAN services, I don't know.
    Maybe an option to disable offline access in the future? ;-)

  • Ben

    @baikun,

    Disabling offline access would require re-architecting how 1Password works, so unless there were a pretty significant demand for it I don’t see us going that direction. Remember that offline access is incredibly helpful not only if you are offline, but also if we are offline. Downtime at 1Password doesn’t have much effect on most people right now because the apps continue to operate without being able to connect to our service.

    Ben

  • AGAlumB
    1Password Alumni

    Also traveling, bad internet, no internet — we're not quite living in a world with ubiquitous connectivity. If I couldn't access 1Password on the subway or in a plane without paying a bunch of money for Wi-Fi that probably wouldn't work anyway, I'd be in trouble. :)
