Using Two-factor Authentication With Your 1Password Account

ramsey
Community Member

I recently set up two-factor authentication with my 1Password account, and I used 1Password to store/generate the MFA token. It seemed like the obvious thing to do at the time.

Later, I left my house and needed to open up the 1Password app on my phone, only to find it asking for my two-factor authentication token. That's totally understandable and expected, but I couldn't provide it because I didn't have my laptop nearby. Once back at my laptop, I was able to get a token and enter it to unlock the app on my device.

My question is this:

What scenarios will cause the app on the device to prompt me for the MFA token again? What if I'm traveling and do not have access to my laptop? Is there a chance I'll get locked out of 1Password? Is the solution to use a different MFA token provider than 1Password for the MFA token I need in order to unlock 1Password (i.e. YubiKey, Authy, Google Authenticator, etc.)?

How do others handle this scenario? Should I disable two-factor authentication for my 1Password account?

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni

    @ramsey: Good question! 1Password.com two-factor authentication works as part of the authentication process for your account, so it will only be required in the following scenarios:

    1. You're signing into your account with a new device/browser for the first time
    2. You just set up two-factor authentication for your account, and your existing authorized devices will now also need to provide the TOTP code

    It's important to note that because 1Password's security is based on encryption, and can be used entirely offline, in the case of scenario #2, if you cancel the prompt, you'll still have access to your existing data already on the device. It just will not be able to send or receive further changes without authenticating.

    In order to disable two-factor authentication on your account, you'll either need to have all of your account credentials to sign in (including TOTP code) or if you have a browser you've already authorized you'll be able to sign in just by entering your Master Password, and then you could turn it off.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • ramsey
    Community Member

    Oh. That’s good to know. So, if I somehow get logged out of my device, all the data is still there, and I can access it with my master password, even if I can’t get an MFA token for my 1Password account?

  • AGAlumB
    1Password Alumni

    So, if I somehow get logged out of my device, all the data is still there, and I can access it with my master password, even if I can’t get an MFA token for my 1Password account?

    @ramsey: If by "logged out" you mean you signed out of your 1Password.com account, then no, that would also remove your data. The device would no longer be authorized in that case, since you would not be signed in. Does that help clarify?

  • ramsey
    Community Member

    Can you explain this in more detail, please? This almost seems to contradict what you just said:

    1Password's security is based on encryption, and can be used entirely offline, in the case of scenario #2, if you cancel the prompt, you'll still have access to your existing data already on the device

    Thanks!

  • Ben

    What seems contradictory?

    When you sign in on a device you’ll need your TOTP code in order to authorize the device (this is authentication, not encryption). Once you’ve authorized a device, your encrypted data will be stored on that device. You can decrypt the data that is already stored on the device using your Master Password and Secret Key. If you’re prompted for your TOTP code and don’t enter it, you’ll still be able to decrypt the data that is already on the device, but you won’t be able to get any updated data from the server. If you sign out of your account, the local cache of data is removed from the device, so in order to get that encrypted data back you have to enter the TOTP code.

    Ben
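The authentication-versus-encryption split that Ben describes is easier to see in a small model. The following is an added example written for this thread, not 1Password's code or protocol: it implements a real RFC 6238 TOTP generator (the kind of code an authenticator app runs) and a toy client/server pair in which the server only authorizes devices and hands out ciphertext, while decryption happens locally from the Master Password and Secret Key. The key derivation and the HMAC-keystream cipher are simplified stand-ins, the `Server`, `Device` and `walkthrough` names and all sample values (the base32 secret, the password, the vault contents) are constructed for the example, and the walkthrough replays the thread's scenarios: enabling 2FA revokes device authorization, an offline unlock still works, sync is refused until a TOTP code is supplied, and signing out discards the local copy.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# ---- Authentication side: RFC 6238 TOTP (HMAC-SHA1, 30-second time steps) ----
def totp(secret_b32: str, at: Optional[float] = None, digits: int = 6, step: int = 30) -> str:
    """Return the TOTP code for a base32 secret at Unix time `at` (default: now)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# ---- Encryption side: vault key from Master Password + Secret Key (toy construction) ----
# Assumed/simplified: PBKDF2 with the Secret Key as salt, an HMAC-SHA256 keystream XOR for
# confidentiality and an HMAC tag for integrity. Not 1Password's real KDF or cipher.
def derive_key(master_password: str, secret_key: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), secret_key.encode(), 100_000)

def _keystream(key: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, b"ks" + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, b"tag" + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))

class Server:
    """Stores ciphertext only and authorizes devices; it never holds the vault key."""
    def __init__(self, blob: bytes, totp_secret: str):
        self.blob, self.totp_secret = blob, totp_secret
        self.two_factor, self.authorized = False, set()
    def enable_two_factor(self) -> None:
        # Scenario 2 in the thread: every previously authorized device must re-authorize
        self.two_factor, self.authorized = True, set()
    def authorize(self, device_id: str, code: Optional[str], now: float) -> None:
        if self.two_factor:
            window = (totp(self.totp_secret, now + d) for d in (-30, 0, 30))  # clock-drift tolerance
            if code is None or not any(hmac.compare_digest(code, c) for c in window):
                raise PermissionError("TOTP code required")
        self.authorized.add(device_id)
    def fetch(self, device_id: str) -> bytes:
        if device_id not in self.authorized:
            raise PermissionError("device not authorized")
        return self.blob

class Device:
    def __init__(self, device_id: str):
        self.id, self.cache = device_id, None
    def sign_in(self, server: Server, code: Optional[str], now: float) -> None:
        server.authorize(self.id, code, now)      # authentication step
        self.cache = server.fetch(self.id)        # download the encrypted vault
    def unlock(self, master_password: str, secret_key: str) -> bytes:
        """Offline: needs only the local cache, the Master Password and the Secret Key."""
        if self.cache is None:
            raise LookupError("no local data; sign in first")
        return decrypt(derive_key(master_password, secret_key), self.cache)
    def sync(self, server: Server) -> None:
        self.cache = server.fetch(self.id)        # refused once authorization is revoked
    def sign_out(self) -> None:
        self.cache = None                         # local copy is removed

def walkthrough() -> dict:
    """Replay the thread's scenarios; every value here is constructed for the example."""
    pw, sk, ts = "correct horse battery", "EXAMPLE-SECRET-KEY", "GEZDGNBVGY3TQOJQ"
    now = 1_700_000_000
    server = Server(encrypt(derive_key(pw, sk), b"example.com: hunter2"), ts)
    phone = Device("phone")
    r = {}
    phone.sign_in(server, None, now)                         # 2FA not yet enabled: no code needed
    server.enable_two_factor()                               # existing devices lose authorization
    r["offline_unlock"] = phone.unlock(pw, sk)               # still works: this is decryption
    try:
        phone.sync(server); r["sync_without_totp"] = "ok"
    except PermissionError:
        r["sync_without_totp"] = "denied"                    # authentication is what needs TOTP
    phone.sign_in(server, totp(ts, now), now)                # re-authorize with the current code
    phone.sync(server); r["sync_with_totp"] = "ok"
    phone.sign_out()
    try:
        phone.unlock(pw, sk); r["unlock_after_sign_out"] = "ok"
    except LookupError:
        r["unlock_after_sign_out"] = "no local data"         # sign-out discarded the cache
    return r
```

The `totp` function is checked against the RFC 6238 Appendix B vectors (ASCII seed `12345678901234567890`, eight digits), so the authenticator half is exact; the vault half is only meant to make the point that the server's authorization decision and the device's ability to decrypt what it already holds are independent, which is why cancelling the TOTP prompt leaves existing data readable but stops further sync.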

This discussion has been closed.