2 Factor Auth for 1Password Account

So I've been using 1Password heavily and I'm loving it. What I've been debating about is turning off 2 factor because of the secret key that's needed for every new login. I have a physical copy of my secret key handy 90% of the time. Would I be less secure with having it off?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Ben, AWS Team

    Team Member

    Hi @Locate_The_Any_Key

    While that may seem like a fairly straightforward question, it is really rather difficult to answer. :) Two-factor authentication does protect against some attack vectors that the Master Password and Secret Key alone do not protect against. That said, some have hyped two-factor authentication as the be-all-end-all solution to all security challenges, and it certainly is not that. It protects against certain situations, but you'd need to evaluate the security benefit of enabling it vs the convenience of not. For what it's worth, I do not use two-factor authentication for most of my 1Password accounts, and probably wouldn't use it on any except for the need to be familiar with it enough to help customers with it. :)

    Ben

  • Hi Ben,

    Thanks for the response! Is there documentation anywhere regarding attack vectors and having and not having 2 factor turned on? Also, what 2 factor application would you guys recommend outside of SMS?

  • Ben, AWS Team

    Team Member
    edited December 2018

    We'd generally recommend against SMS as a means of authentication. Authy and Google Authenticator are two of the popular apps (outside of 1Password itself, of course, but 1Password should not be the only TOTP generator for itself). The primary thing that TOTP protects against is "replay attacks." This is where an attacker is somehow able to capture your credentials and, by entering the same credentials, is able to impersonate you to the system. TOTP helps prevent this with the idea that hopefully the timer (30 sec max) has expired on the 6-digit code by the time the attacker attempts to replay the credentials, meaning they won't be able to log in.

    Since we don't have your credentials (they are never transmitted to us) they can't be stolen from us. They'd have to be stolen from you. So you'd need to evaluate how much of a concern that is for you.

    Ben
