2fa on 1p account

telUK
Community Member

Hi

I did not realise this was an option now, I have 2fa set up for various websites but not my 1p account.

I'm just a bit unsure why it's needed, surely the secret key as well as master password should be enough surely.

If I was to enable it and use something like google authenticator app on my phone to produce the one time codes, what happens if I lost my phone, how do I go about getting back into my 1p account in this situation?

Could someone please answer these two points.

Thank you


Comments

  • Hi @telUK,

    I'm just a bit unsure why it's needed, surely the secret key as well as master password should be enough surely.

    I'd say in 99% of cases, it is. But there was very high demand for 2FA despite that fact, and the fact that the attack vectors that 2FA protects against are very narrow. 2FA does protect against replay attacks though, so if you're in a public space and typing your Master Password and Secret Key... 2FA can help.

    If I was to enable it and use something like google authenticator app on my phone to produce the one time codes, what happens if I lost my phone, how do I go about getting back into my 1p account in this situation?

    I'd highly recommend storing your TOTP secret on a secondary device (perhaps a tablet) and/or on your Emergency Kit.

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • telUK
    Community Member

    @Ben

    Thanks, by the way what is TOTP secret, is this some backup code in case I lost the device I had my 2fa codes for 1p on?

  • Ben
    edited September 2018

    You can think of it that way, yes. When you turn on 2FA for your 1Password account you'll see some text like this next to the QR code:

    Trouble scanning?
    You can enter this secret instead:

    With a code. Save that code. It can be used to set up an authentication app. Alternatively you can print/save the QR code itself. Whichever is easier -- they do the same thing.

    Ben

  • telUK
    Community Member

    I’ve just realised 2fa is only needed when setting up 1p on a new device so I was overthinking things.

    Also if I lost 2fa device I can just turn 2fa off via a trusted device.

    Also is it ok to have the 2fa Authenticator for the code on a device with 1p installed such as an iPhone?

    Thanks

  • telUK
    Community Member

    Ignore the above, the only thing I want to know is having 2fa enabled on my 1p account and having the authenticator app on the same device as my 1p app, is that ok or a security concern?

    I would think it's fine as the device, in my case a phone, would already be trusted anyway.

  • telUK
    Community Member

    Ok run into a problem.

    I have turned on 2fa for my 1p account, seems like I need to enter 2fa code for first time sign in on my apps even though they are already authorised.

    PROBLEM:

    1P app on iPhone, enter master password, then requires 2fa code, authenticator app is on same phone, close 1p app to get to authenticator app to get code, return to 1p app but it's locked itself again!!

    How can I have enough time to enter my long master password and remember the 6 digit code before it expires again?

    My phone is where I want my authenticator app.

  • AGAlumB
    1Password Alumni

    I’ve just realised 2fa is only needed when setting up 1p on a new device so I was overthinking things.

    @telUK: Indeed, two-factor authentication only factors into the authentication process. When you're just decrypting data locally it does not apply.

    Also if I lost 2fa device I can just turn 2fa off via a trusted device.

    Maybe, but only through the web interface. So you'd need to have a device where you'd already signed into your 1Password.com account there.

    Also is it ok to have the 2fa Authenticator for the code on a device with 1p installed such as an iPhone?

    That's entirely up to you. If that isn't a risk for your particular use, then it's fine. :)

    I would think it's fine as the device, in my case a phone, would already be trusted anyway.

    It's worth noting that it would not be protected by 1Password if it's set up in an authenticator app, only your device password. But taking that into account, it's your call if that works for you. Sometimes "fail safe" is better than "fail secure", especially with other security measures (encryption) in place.

    I have turned on 2fa for my 1p account, seems like I need to enter 2fa code for first time sign in on my apps even though they are already authorised.

    Correct.

    1P app on iPhone, enter master password, then requires 2fa code, authenticator app is on same phone, close 1p app to get to authenticator app to get code, return to 1p app but it's locked itself again!! How can I have enough time to enter my long master password and remember the 6 digit code before it expires again? My phone is where I want my authenticator app.

    Personally that's a convenience reason to use a different device, but a six digit code isn't too hard to remember for a few seconds — especially if you're aware that you will need to.

  • telUK
    Community Member
    edited September 2018

    @brenty

    Thanks, I will have to try and type my master password a bit quicker then while remembering the code, only need to do it once luckily!

    As for the authenticator app with 1p one time codes being on a device that has a 1p app installed also, the issue is all my devices have 1p app installed so it's impossible for me to put the authenticator on a separate device that has no 1p account on it. I'm sure I can't be the only one that has to do it this way.

    Oh and just to clarify, due to no backup codes with 1p 2fa, what if I change phones, how do I transfer my authentication app to new phone?

    Is it easier to just turn off 2fa within a trusted browser and set up again?

  • AGAlumB
    1Password Alumni

    Thanks, I will have to try and type my master password a bit quicker then while remembering the code, only need to do it once luckily!

    @telUK: It's also worth mentioning that since this is a one-time password, there wouldn't be any harm in writing it down in a pinch either. These generally expire within 60 seconds or so or when used, whichever comes first.

    As for the authenticator app with 1p one time codes being on a device that has a 1p app installed also, the issue is all my devices have 1p app installed so it's impossible for me to put the authenticator on a separate device that has no 1p account on it. I'm sure I can't be the only one that has to do it this way.

    Surely you're right, but I don't think there's much we can do about that. It's your choice. You could certainly use an old phone solely for that purpose and keep it in a safe or something if you wish.

    Oh and just to clarify, due to no backup codes with 1p 2fa, what if I change phones, how do I transfer my authentication app to new phone?

    That depends on the authenticator app you're using. You'd need to consult their documentation or support to find out what the options are. You should also seriously consider saving the TOTP secret itself somewhere safe, like a safe deposit box, as with your Emergency Kit, since you will need that in addition to your other account credentials to get into your account if all of your devices are lost, stolen, or destroyed.

    Is it easier to just turn off 2fa within a trusted browser and set up again?

    Possibly, but I still think it's a good idea not to count on that. Better to have a backup, just like your Emergency Kit. :)

  • telUK
    Community Member

    Hi @brenty

    The last point about backup of TOTP secret, is that still possible as I never got any prompt to jot it down or back it up when I scanned the barcode to set up 2fa?

  • You're right: there isn't really explicit wording indicating that the TOTP secret should be added on multiple devices or backed up. I'll speak with our design team and see if there is a way we can incorporate that.

    Thanks.

    Ben

  • telUK
    Community Member

    @Ben

    So my options are make sure I have a few trusted browsers so that I can turn 2fa off or reach out to admin support in worst case scenario.

    Or disable 2FA now and reactivate but remembering to copy the TOTP secret.

    I gather I can't back up the actual barcode, only jot down the secret key next to the barcode.

    Thanks

  • AGAlumB
    1Password Alumni

    @telUK: You could back up the QR code and/or TOTP secret. Either will work, as they're just different forms of the same thing. But the app you use it with may prefer one or the other, so it's more a matter of convenience.
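
The point made above, that the QR code and the text secret are two forms of the same thing, as an added example (not from the thread and not 1Password's code): an authenticator QR code typically encodes an `otpauth://` URI whose `secret` parameter is the same Base32 text, so a device seeded from either one derives identical RFC 6238 codes. The secret, account label and issuer below are constructed sample values, and the 6-digit, 30-second defaults are assumptions.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample values (the RFC 6238 test key in Base32), not a real account secret.
TEXT_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"   # as typed from a setup screen
QR_PAYLOAD = ("otpauth://totp/Example:user%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def decode_secret(text):
    """Normalise a hand-typed Base32 secret (spaces, case, padding) to key bytes."""
    s = text.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def parse_qr_payload(uri):
    """Extract (key, digits, period) from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("URI carries no secret")
    # Defaults assumed when the URI omits them: 6 digits, 30-second step.
    return (decode_secret(q["secret"][0]),
            int(q.get("digits", ["6"])[0]),
            int(q.get("period", ["30"])[0]))


def totp(key, unix_time, digits=6, period=30):
    """RFC 6238 code (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def codes_match(unix_time):
    """True if a device set up from the text and one set up from the QR agree."""
    key, digits, period = parse_qr_payload(QR_PAYLOAD)
    return totp(decode_secret(TEXT_SECRET), unix_time) == totp(key, unix_time, digits, period)


if __name__ == "__main__":
    print(totp(decode_secret(TEXT_SECRET), 59), codes_match(59))
```

Because the codes depend only on the secret and the clock, whoever holds a backup of either form can generate valid codes, so it deserves the same storage care as the Emergency Kit.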

  • telUK
    Community Member

    @brenty

    Hi

    What I'm trying to work out is how do I back up the QR code? (I gather the QR code is the barcode you scan).

    I realise I need to turn off 2fa again to be able to get the option to back up as it doesn't prompt you to back up this when setting it up.

  • AGAlumB
    1Password Alumni

    @telUK: You don't need a prompt or permission to back it up. You can save the image and/or text "secret" right from the two-factor setup screen. :)

  • telUK
    Community Member

    @brenty

    Ok thanks, I will disable 2fa and set it up again so I can back it up. Think I will just jot down the text secret and jot it down in my emergency kit.

  • AGAlumB
    1Password Alumni

    :) :+1:

This discussion has been closed.