Duo 2 Factor Authentication Security

We have enabled Duo 2FA for 1Password, and would like to provide some feedback. It does work, but I'm curious if there have been any discussions internally about making the setup more secure.

For example, right now with Duo 2FA, mobile or desktop 1Password users can ignore the Duo 2FA prompt and still see all the vaults they have access to that have previously synced on the device. They might not get updates, but it still feels a bit insecure.

Some security model where the data is only shown on successful Duo prompt is probably what most customers want. There's also the situation where someone can have their Vault access removed, but as long as they don't reconnect to the internet with the various devices with cached information for that vault, they can export out the data.

Have there been any discussions about addressing security topics like this?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Security

Comments

  • Ben (AWS Team)

    Team Member

    Hi @zago

    There is definitely a tradeoff here, yes. 1Password caches your data locally. This enables things like:

    • Offline access
    • Continued use in the event of downtime with the 1Password service
    • Quicker access and less bandwidth usage (only changes have to be synced when you unlock instead of the full data set)

    And I’m sure some others that I’m not coming up with off-hand. It is really a core part of how 1Password works, and I don’t foresee us changing that. We could likely make it such that the apps won’t allow you access to your cached data unless you authenticate with 2FA, but this eliminates many of the benefits of having a local cache without providing much, if any, real benefit. The difficulty is that doing this could arguably be considered “security through obscurity” or “security theater.” Even if the 1Password client refuses to read the data, there is nothing stopping a 3rd party client from doing so. There is also nothing stopping someone from copying that cache off to another device where they can work on it later. The only real option would be to not have a local cache, so that any time someone wanted to access data it had to be downloaded from the server. Again, this likely isn’t a realistic option for the reasons mentioned above.

    Some other points to consider:

    There's also the situation where someone can have their Vault access removed, but as long as they don't reconnect to the internet with the various devices with cached information for that vault, they can export out the data.

    What is to say they haven’t already exported or otherwise maintained a copy of this data, before their access was revoked? Really to “revoke” access to data you have to change the data. Once you’ve given someone information there really isn’t a way to take it away (other than by lobotomy, which I wouldn’t suggest).

    Some security model where the data is only shown on successful Duo prompt is probably what most customers want.

    I’m sure on the surface that is probably true, but I’m not sure that would be the case after careful consideration of why we’ve made the design decisions that we have.

    Definitely an interesting topic. Will be interested to hear more of your thoughts.

    Ben

  • @Ben Thank you for the response. The local cache model does make sense for almost all use cases.

    I'm not entirely sure what the right answer would be for organizations that want more assurances that data in 1Password with 2FA, but off the top of my head making it so vaults in 1Password for Teams/Business with Duo 2FA expire their local cache without a successful 2FA request might suffice. It could be tied to the numbers of days configured for remembering devices for Duo.

    So something along the lines of the data model for vaults having awareness of 2FA being on, and date stamps for when a 2FA prompt is required. If the date stamp plus number of days configured is exceeded and a 2FA prompt is not acknowledged in some amount of time, the local cache goes away.

    Agreed on use cases where the data could have already been exported before, etc.

    Orthogonal to this, some settings for businesses to whitelist IP blocks for access to vaults, disable mobile access, etc. would probably help with more concerns about security.

  • brenty

    Team Member

    @zago: Those are good ideas, but that would be easily thwarted. Someone just has to make a local copy of the data, and/or change the system date/time. So while I can see the appeal, it doesn't seem like we get much out of it, and making those changes would negatively impact honest people most heavily. :(

This discussion has been closed.