Account Key and Two-Factor Authentication

24 Comments

  • mmm1
    edited January 2017

    It's getting circular, and you're missing the points, so this is the last comment. I don't expect or want a reply. I hope these points are reflected within the company at the C-level, since as a current paying customer I am not happy with the overall direction or issues/bugs and you want me to continue being a customer.

    No one pays for a feature that is expected from a security company...it's par for the course.

  • rickfillion Junior Member

    Team Member

    Hi @mmm1,

    I assure you we've not tied our ship too tightly to Duo. It was implemented first because it was what most companies we heard from already used. Our team is incredibly small, and this means we have to choose what to work on very carefully.

    Duo isn't a great fit for non-Teams accounts though. It would be nice for us to allow the option of 2FA systems that were more appropriate for Families and Individual accounts. We're still working on figuring out how 2FA systems like Duo integrate with the whole of 1Password (i.e. apps). The last thing we want is for it to be some sort of security theatre.

    This thread seems to be focused on a very general "you should have 2FA." Instead I'd like to hear what you think should be protected behind the 2FA. What actions would you like to not be able to do unless you provide a second factor? These distinctions matter from a security perspective.

    Are you using the Duo integration with Teams? How are you finding it?

    Rick

  • As a long-time 1Password user on the desktop, I moved to LastPass a couple of years ago but still maintain 1Password on the desktop in case I decided to move to a cloud offering, should it arrive from AgileBits. It's great to see it has, but I'm disappointed in the lack of 2FA, which for me is another important feature.

    I have multiple levels of security now: first Touch ID on my iPhone; LastPass requires Touch ID or the password; it requires me to authenticate the device every 30 days with 2FA; and of course my 2FA app Authy uses a passcode or Touch ID to secure it, and it's encrypted as well since it's cloud-based.

    I personally would like to move to a single offering like 1Password for Families given my happiness with AgileBits as a long time user. The lack of 2FA is a big issue and given the risks today an important one.

    Finally, while I agree that "be careful what you download" is a valid point, it's also a weak one, given that many users may access the same computer in a family and no device is fully and truly secure; we can only strive to make it as secure as possible.

    So yes 2FA is a +1 for me, my wife and my family members so that would be +5 overall.

  • rickfillion Junior Member

    Team Member

    Hi @Raptor007,

    Can you elaborate on what you'd like to see protected by the 2FA in this case? Is it unlocking 1Password entirely? What happens if it's been a month and so 2FA is required, but you're offline? You mentioned using Authy for the 2FA... does that mean that in this case the 2FA is actually TOTP, or is it the server-based authy?

    Thanks

    Rick

  • I would like the LastPass approach: require 2FA unless a browser/device is marked as trusted.

    I would then mark all my devices that run a 1Password App as trusted, but no browser, even on those devices with the App installed.

    (As far as I know LastPass's 2FA protects web access, but if a hacker was able to hack their system and get the binary blobs on their servers then only your password protects your data)

  • rickfillion Junior Member

    Team Member

    @XIII,

    Thanks for the feedback. :)

    Rick

  • I'd like to add another vote for Duo 2FA in your Families edition. I am a LastPass user, and I use Duo 2FA for my LastPass account. Some people at work said they preferred 1password to LastPass so I was looking it over. Your product looks very polished and I like it in many respects but I'm not going to give up 2FA to move from LastPass.

  • Roman 1Password Alumni

    Hi @replicnt6 - Thanks for adding your vote and your feedback. I appreciate it! :)

  • I'd love to have the option of using 2FA (Using Authy, Google Authenticator, etc) instead of using an account key.

    Like others have mentioned, if I happen to have a key logger on my computer or if I use a public computer to access my account, my entire account key could be copied by someone. Not to mention that if someone signed into their email account on that computer, they'd also have my email login info, meaning that they could confirm any emails sent by 1Password. I have 2FA set up on my email account, so I have to authenticate using 2FA any time I'm not at home, but I'm sure most people don't.

    Using real 2FA would create a new code every time, fixing this issue.

  • brenty

    Team Member

    I'd love to have the option of using 2FA (Using Authy, Google Authenticator, etc) instead of using an account key.

    @edgrsanchez: This is almost certainly not going to happen. The Account Key has beneficial properties that authentication cannot offer, since

    Like others have mentioned, if I happen to have a key logger on my computer or if I use a public computer to access my account, my entire account key could be copied by someone.

    Indeed, if someone is able to install a keylogger on your machine, you should assume that they can access anything you can. Authentication, which does not strengthen the encryption in any way, cannot protect you from that. It would only protect you from them being able to access your account on a new device, since they wouldn't have the code to authorize it. But then again the same is true of the Account Key so long as you do not give them that.

    Not to mention that if someone signed into their email account on that computer, they'd also have my email login info, meaning that they could confirm any emails sent by 1Password. I have 2FA set up on my email account, so I have to authenticate using 2FA any time I'm not at home, but I'm sure most people don't.

    I don't see how someone logging into their email account on your computer would give them access to yours, but the more important consideration is giving them access to your machine in the first place, since they could install something malicious -- either accidentally or on purpose.

    Using real 2FA would create a new code every time, fixing this issue.

    Not by a long shot, but it does offer other benefits, especially when it comes to authorizing new devices. Definitely on our radar. Cheers! :)

  • I don't see how someone logging into their email account on your computer would give them access to yours, but the more important consideration is giving them access to your machine in the first place, since they could install something malicious -- either accidentally or on purpose.

    Oops I was rambling. I meant to say that if I, for example, signed into my email account at my school's computer lab, they would likely be able to access my email after I leave. I say this because I've worked at school districts and other businesses as an IT admin and we were forced to install key logger software that logged every keystroke as well as allowed an administrator to view a user's screen at any time.

    Of course, the user agreed to this by signing into the computer, and there was a notice displayed saying that nothing done on these computers is private.

    But it's just something that's always been on the back of my mind and why I detest using public computers.

  • brenty

    Team Member

    @edgrsanchez: Ah, thanks for clarifying! I think that's an excellent reason not to access anything sensitive from someone else's machine. Ostensibly they intend to use the keylogger to monitor access to make sure students aren't using them inappropriately, but someone unscrupulous could access any information you enter or access there. Fortunately we have these great portable computers we can carry in our pockets, which we do control, for those times when we need to access something important. :)

  • Hi, I appreciate the explanations here, and kudos to brenty for standing up for SMS as insecure theater. Also +1 for the 2FA direction.

    Longtime desktop app user, new 1password.com team user.

    My question is this:

    In my browser when I login to 1password.com, I regularly (more than once per day?) am asked for the Account Key when logging in. I thought this would be remembered on the device. I guessed at first that because my browser settings clear the cache of cookies, that I'd lose the account key when I quit my browser. But my experience is the account key is asked for even when I haven't quit my browser. I'm trying to understand how it is different from simply a second password (that I have to keep handy but cannot remember). Help.

  • brenty

    Team Member

    @cmbb_we1: I'm glad if I can help in any way. We really want to focus on empowering users with security they can use, rather than making things more complicated for no real benefit. :blush:

    You bring up an interesting situation. Are you perhaps using "private browsing" or other extensions/settings that would prevent 1Password.com from using the browser's local storage? It isn't using cookies, only that, so certainly clearing it after every session would have that effect...but having that happen with the browser still running leads me to believe there's something else involved. Let me know!

  • @brenty: About being asked to re-enter my Account Key multiple times per day:

    I'm not using private browsing (at least not normally) so that's not the issue. I'm running Ghostery, but it shows 0 blocks for the 1password.com domain. When I go to login to my subdomain.1password.com now, from a browser bookmark, I'm prompted to enter account key again. And I haven't closed my browser since yesterday when I logged in before.

    Firefox preferences are not clearing offline website data upon closing. (I tried to attach a screenshot of preferences but can't seem to do so here.)

  • Frank

    Team Member

    Hi @cmbb_we1 - Thank you for getting back to us. That is rather odd. I know you mentioned Ghostery, even though it didn't show any blocks to 1Password.com, have you tried to disable it to see if that helps? Just to rule it out. Keep us posted and let us know. Have a fantastic day!

  • +1 for 2FA. I've always been a proponent for 2FA and while I understand the strengths of the master password and the fact 1Password uses encryption as the mechanism to access our cache of passwords, I see it as the weakest link in the whole ecosystem.

    I'm currently using a YubiKey but would be OK to switch 2FA solutions as long as 1Password security champions/SMEs independently deem them stringent enough to meet their own security demands.

  • brenty

    Team Member

    @laugher: Thanks for the feedback! I think it says a lot that you'd actually be willing to change your second factor to use it with 1Password. Hopefully we'll be able to grant your wish in the future, and perhaps we'll find a way to make it less onerous than that too. Cheers! :)

  • @brenty I have read a lot of AgileBits white papers and blogs. Your security experts know what they're talking about. The only thing we seem to disagree on in the past is that there is a line drawn in the sand to stand ground when it comes to 1Password's policy on the strengths of the master password/account password and the encryption to protect the passwords store.

    I have tried to pose use cases that are very real today. With the speed at which zero-day malware is created these days, and with the tools and the many advanced techniques attackers have available, the frontier is fast shifting, and users are at risk almost on a daily basis. Add to this the numerous corporate intrusions in the news and, I suspect, many, many more that aren't in the news, given that a lot of organizations still practice a non-disclosure policy on breaches, and I am not even sure I can trust that my own computer is truly secure, despite the fact that it is behind an IDP/Firewall device and has client internet security software installed on all client Windows PCs. After all, large corporations with million-dollar funding can't even stop the bad guys these days.

    This is why I watch this space, waiting for the security professionals to get up to speed. Waiting for people to mature their thinking. Am I paranoid? Perhaps but I see this as a game where we must stop playing catchup and we should try to get ahead in the game for a change.

    There was once a time when a reasonably complex master password would make me feel safe all my passwords are protected. Nowadays, I am no longer certain. I am not even certain if the master password I recently changed has already been captured and the would be culprits are just farming information right now instead of exposing themselves and acting on it, allowing me to react.

    For me, I am still trying to learn and understand whether the mechanisms employed to protect the 2FA physical tokens would hinder the bad guys from taking a copy of my digital fingerprint imprinted and stored on the token, thereby doing away with the need for my physical token. But all my reading at the moment would suggest it is next to impossible to do that. Perhaps I've been reading too much marketing material from Duo, Yubico, etc.?

    Once I am pretty confident with the security of a token to serve as an additional factor, I can rest easy knowing AgileBits will hopefully one day move in this direction and in a timely fashion I hope. Looking forward to that day when we are one step ahead of the bad guys for a change.

  • jpgoldberg Agile Customer Care

    Team Member
    edited March 2017

    Hi @mmm1 and everyone!

    I must confess that I have not read every single message in this discussion, and so my comments may be a bit general. But I'm not going to sugarcoat things either, so what gets lost to vagueness in some regards will be made up for in explicitness in others.

    I believe that 2FA is vastly overrated by a large number of people. This is for two basic reasons. The first is that 2FA solves a very narrow security problem, which is rarely the most relevant one. The other is that 2FA as applied today is not under the same security model for which it was originally designed. Let me deal with the second one first.

    Compromising factors

    The theory behind MFA is that authentication remains uncompromised as long as at least one of the factors is not compromised. If you have a room that has one door to it and that door is protected by all three of

    • A lock with a physical key (something you have)
    • A combination lock (something you know)
    • A lock controlled by a fingerprint scanner (something you are)

    Then as long as one of those locking systems works, the contents of the room remain secure. A total compromise of any two of the factors does not lead to a compromise of the system as long as at least one factor remains uncompromised. This is a cool idea, and there are real world systems that work this way. But ...

    ... but, this model does not translate to cases where a compromise of one of the factors implies a compromise of the room itself. Suppose that the easiest (and most plausible way) of breaking the fingerprint scanner is from inside the room. An attacker who is able to break the fingerprint scanner in that way doesn't need to worry about authentication factors at all. An attacker who can break the fingerprint scanner already has access to everything in the room, and the other factors make no difference at all. There could be a zillion other factors, but such an attacker wouldn't be bothered by them at all.

    With a password manager, if the computer you are running it on is compromised, then it doesn't matter how many authentication factors there are. Once you authenticate and your computer can use or show you your secrets, then those secrets are exposed to the attacker no matter how secure the other factors are.

    Anyone who suggests that MFA protects you against compromises of the system you actually use the password manager on is misleading you. The attacker may not capture the other authentication secrets, but so what. The attacker will have all of the target data. Do not use a password manager on any computer or device you don't trust, no matter how many other authentication factors were involved.

    So the nice theory that a MFA system remains secure as long as one factor remains secure is only true if the compromised factors are used only for authentication. But once a compromised factor is given data access or decryption keys, the other factors offer no protection at all.

    So a second factor may protect you if your master password is compromised, but it will not protect you if your master password is compromised due to using your password manager on a compromised computer.

    The wrong problem

    Sometimes putting effort into the actual problems that MFA is supposed to solve is working on the wrong problem.

    Adding locks to a useless gate

    That is a slide from the talk I gave at PasswordsCon 2015 in Cambridge, UK where I outlined both the rationale and the mechanism of the Account Key. Among other things, I was trying to make it clear that the Account Key was not a form of 2FA. But the point of that section of the talk was that 2FA addresses a very narrow problem, while failing to address far more important threats.

    So let's start with what MFA actually does contribute:

    What do we want from an authentication system?

    MFA genuinely improves the proof of client authenticity. That is one thing it does. And it is pretty much the only thing it does. Let's consider the security properties that we would like of an authentication process.

    1. Prove client ID
      Proves to the server that the user holds the user’s secret.
    2. Prove server ID
      Proves to the user that the server holds the server’s secret.
    3. No eavesdrop
      Does not reveal any information about either secret to anyone listening in
      on the process.
    4. No replay
      Cannot be replayed by someone who has recorded the process and wishes to repeat the exchange to fake a sign-in at some later time.
    5. No secrets received
      Does not reveal any information about the user’s password to the server.[1]
    6. Session key
      Establishes a new secret that can be used as an encryption key for the session.
    7. No cracking
      Server never acquires enough information to facilitate a password cracking attack.

    MFA improves the server's confidence that the client is authentic (Prove client ID). When you (or your system) authenticate, you prove who you are (typically by proving that you have access to a secret.) So an SMS message sends you a secret to some device and when you enter that secret into some web form you are proving that you have access to that secret. When you authenticate with a password, you are proving that you have access to that password. And if one of the authentication mechanisms involves some sort of one time secret, then it can help with number 4 (No replay).

    So now let's see how different schemes add up.

    Authentication schemes compared

    In that table, a "traditional" system is the traditional sort of website log in. "MFA" is traditional system with some MFA thrown in, perhaps with a one time password/code involved in one of the factors. A "PAKE" is a Password-based Authenticated Key Exchange. The "+2SKD" is a PAKE that uses Two Secret Key Derivation (in our case a Master Password and the Account Key).

    2FA isn't terrible

    MFA is not terrible. It can offer some real security benefits in some situations. There are situations where I advocate its use. But it is enormously over-rated (and thus can be dangerous.) I understand that a lot of people use its presence as a litmus test for "good security". It is on an enormous number of security checklists. We may, indeed, expand our offerings of it as there is such high demand for it. But I hope that you appreciate that we built and designed 1Password around a considered evaluation of security threats and defenses instead of applying a checklist.

    Cheers,
    -j [Chief Defender Against the Dark Arts @ AgileBits]


    [1] There really is a difference between "no eavesdrop" and "no secrets received", but I don't want to get into that here.

  • Good points. I am glad you take security seriously.

    For MFA, I like how Amazon's AWS does it as an added layer. Simple, easy, and effective.
    https://aws.amazon.com/iam/details/mfa/
    http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html

  • So 2FA won't protect against keyloggers on your system, but does it help for MITM network attacks (obtaining your password using a sniffer)?

    (or is that no problem because communication with 1password.com is always encrypted?)

  • Roman 1Password Alumni

    @XIII - Communication to 1Password.com is of course encrypted. But even if an attacker were to crack open transport-layer encryption, all they'd find is an unusable blob of data, as the payload is encrypted using your Master Password and Account Key, which are never transmitted. @jpgoldberg explains why that's safe both in his post above and in the Security Design white paper - much better than I could ever dream of explaining it. :)

  • jpgoldberg Agile Customer Care

    Team Member

    Thank you @Roman, but I think that @XIII was talking about during initial authentication, so we aren't even talking about transmitting any data other than going through the prove who you are portion.

    So let me take XIII's question piece by piece

    So 2FA won't protect against keyloggers on your system

    Mostly yes. The only exception is if the compromise of your system is only a superficial keylogger.

    but [2FA] does it help for MITM network attacks (obtaining your password using a sniffer)?

    That is true in the case of a traditional login system in which your password gets sent to the server.

    or is that no problem because communication with 1password.com is always encrypted?

    Communication with 1Password.com is always encrypted, but that isn't the reason why a network sniffer is not an issue for our authentication process. When you authenticate to 1password.com our server and your client prove to each other who they are without transmitting any secrets. It doesn't matter if an eavesdropper can read and record the entire exchange.

    Safe from network sniffers

    Your client knows a secret called the "SRP-x" which is derived from your Master Password and your Account Key. The server knows a mathematically related secret v (SRP verifier). Through some mathematical magic, the client can prove to the server that it knows x without revealing x. Likewise, the server can prove to your client that it knows v, again without transmitting anything that might reveal v. It is because we use SRP (a Password-based Authenticated Key Exchange protocol) that we don't have to worry about network sniffers during authentication.

    So this is what I meant by the "no eavesdrop" criterion. We want an authentication system in which the attacker gains no value by eavesdropping on the authentication process. Our use of SRP already solves that (and many other problems)
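An added worked example (not 1Password's code, and not the exact construction from their white paper) that ties the two posts above together: a two-secret key derivation produces the SRP "x" from a Master Password and Account Key, an SRP-6a exchange lets client and server prove knowledge of x and v without sending either, and `verifier_matches` shows what a stolen verifier lets someone test offline (the "no cracking" property). The group is the RFC 5054 1024-bit one; the PBKDF2/HMAC/XOR combination, the round count, the simplified k and M1/M2 proofs, and the sample credentials are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# RFC 5054, Appendix A: the 1024-bit SRP group with generator 2. The protocol
# runs correctly over any consistent group; security needs a vetted one.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
PBKDF2_ROUNDS = 100_000  # constructed demo value, not a recommendation


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


# SRP-6a multiplier k = H(N, g); RFC 5054 pads g to len(N), omitted here.
k = H(to_bytes(N), to_bytes(g))


def derive_x(master_password: str, account_key: str, salt: bytes) -> int:
    """Two-secret key derivation (assumed construction, not 1Password's exact
    scheme): a slow hash of the Master Password is XORed with a keyed hash
    of the Account Key, so x and the verifier g^x depend on both secrets."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                  PBKDF2_ROUNDS)
    ak_part = hmac.new(account_key.encode(), salt, hashlib.sha256).digest()
    return int.from_bytes(bytes(p ^ q for p, q in zip(pw_part, ak_part)), "big")


def register(master_password: str, account_key: str):
    """Enrollment: the server stores only (salt, v); x never leaves the client."""
    salt = secrets.token_bytes(16)
    v = pow(g, derive_x(master_password, account_key, salt), N)
    return salt, v


def verifier_matches(master_password: str, account_key: str, salt: bytes, v: int) -> bool:
    """The 'no cracking' property: someone holding a stolen (salt, v) can only
    confirm a guess offline when BOTH secrets are right, so the high-entropy
    Account Key shields a guessable Master Password from a server breach."""
    return pow(g, derive_x(master_password, account_key, salt), N) == v


def srp_login(master_password: str, account_key: str, salt: bytes, v: int) -> dict:
    """One SRP-6a mutual authentication. Returns both sides' verdicts, whether
    the session keys agree, and everything an eavesdropper could record."""
    transcript = []
    # Client -> Server: ephemeral A = g^a; no secret is involved yet.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    transcript.append(("client", "A", to_bytes(A)))
    # Server -> Client: B = k*v + g^b; the fresh g^b masks the verifier.
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    transcript.append(("server", "B", to_bytes(B)))
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate ephemeral value; abort the handshake")
    u = H(to_bytes(A), to_bytes(B))  # scrambler both sides can compute
    # Client: S = (B - k*g^x)^(a + u*x), with x rebuilt from its two secrets.
    x = derive_x(master_password, account_key, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = hashlib.sha256(to_bytes(S_client)).digest()
    # Server: S = (A * v^u)^b, using nothing but the stored verifier.
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    K_server = hashlib.sha256(to_bytes(S_server)).digest()
    # Client proves it holds K first; the server answers only if it agrees.
    AB = to_bytes(A) + to_bytes(B)
    M1 = hmac.new(K_client, AB, hashlib.sha256).digest()
    transcript.append(("client", "M1", M1))
    server_accepts = hmac.compare_digest(
        M1, hmac.new(K_server, AB, hashlib.sha256).digest())
    client_accepts = False
    if server_accepts:
        M2 = hmac.new(K_server, to_bytes(A) + M1, hashlib.sha256).digest()
        transcript.append(("server", "M2", M2))
        client_accepts = hmac.compare_digest(
            M2, hmac.new(K_client, to_bytes(A) + M1, hashlib.sha256).digest())
    return {"server_accepts": server_accepts, "client_accepts": client_accepts,
            "session_key_shared": server_accepts and K_client == K_server,
            "transcript": transcript}


def eavesdropper_sees(transcript) -> list:
    """Labels of all that crosses the wire: ephemerals and HMAC proofs only."""
    return [label for _, label, _ in transcript]
```

A client holding the right Master Password but the wrong Account Key fails at M1, and the same wrong guess against a stolen verifier fails offline too; the transcript never carries x, v or a password hash.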

  • Thank you for explaining this!

  • Frank

    Team Member

    Hi @XIII - On behalf of @jpgoldberg you're very welcome :+1: I'm happy to hear that helped. Let us know if you have any additional questions and I hope you enjoy the rest of your day!

  • Hi @jpgoldberg - great points. However in the real world, I have to deal with a potential compromise of the computer itself as a risk. At the moment, having a master password with access to the computer itself allows a potential attack vector to replay itself over and over again at the attacker's convenience. If I have a physical token that the attacker must also rely on, that attacker is thwarted unless I am in the 1password system, authenticated and token authorised to get access to my password database.

    This might not sound like much mitigation but it at least gives me an opportunity to detect an anomaly. Having just the master password with the account password and the mechanisms implemented by 1Password today on the same PC will just mean that the attacker can simply log on to my PC whenever she/he wishes and replay to access my data.

    The points you made, though, have raised the ROI of implementing MFA. I am now asking myself, is it worthwhile to implement MFA when the attacker has a smaller window of opportunity to steal my password data?

    The other thing I would like clarification on - if you were a hacker, can you develop a listening process waiting for me to trigger the 1Password process and then piggy back off the 1Password ecosystem to steal my password data. Is this possible given current Windows, Mac and mobile device vulnerabilities/weaknesses?

    Wonderful conversation. Thank you for your input.

  • prime
    edited February 2017

    I would love to see 2FA also. For me, as a customer, it's peace of mind. Good or bad, customers see 2FA as a selling point for a lot of things they use. If you had 2FA, you would have had me sold a lot faster. A passcode that changes every 30 seconds is just great.

    I said this in another thread: "perception is everything". You give the perception to a customer that their data is that much safer, great. You can have all the protection there is, all the data there is to back it, but if a person doesn't believe it and thinks 2FA is the way to go, you've lost them.

    All the nerdy stuff you guys write, I love reading. I love helping people be safer online also. I even have a help group on Facebook :)

    Edit: I actually can see how 2FA can be useless. If anyone knows anything about 2FA, you get a recovery key when you set it up with accounts that support it. Well I guess this way, we just use the recovery key all the time.

    Now I did type the account key... not easy at all. It would be nice if there was a way to copy it from 1Password on the iPad and paste it in the browser. I know I can from 1Password on my Mac, but I didn't want to turn it on.

  • jpgoldberg Agile Customer Care

    Team Member

    Hi @laugher, I'm glad I could help.

    I'm not entirely sure that I understand the scenario you are describing, so I'm going to give you a more abstract response and a suggestion of how to approach these things.

    When building defenses, it is useful to think in terms of a "threat model", and part of the threat modeling is to consider the capabilities of the attacker. So when an opponent – let's call him Oscar – has the ability to compromise your computer in such a way that he can learn your Master Password when you unlock 1Password, what else is he capable of? Or what does that one capability imply about his other capabilities?

    To answer that in this specific case we need to look at what capacities are needed to be able to acquire your Master Password when you enter it. Now one way to do that without having the capability to read 1Password's memory once it is unlocked would be to have a keyboard logger that lives in, say, a cable between the keyboard and the computer. Such a system would have no access to the computer system other than the traffic from the keyboard to the computer. But as it happens, such a system would not have access to the Account Key (unless you manually type that in through the keyboard.)

    But once we consider a process running on the computer itself, it is very hard to construct a plausible attacker who can get at your Master Password when you enter it and would not be capable of getting all of the secrets needed to decrypt your data. Keep in mind that 1Password fetches whole vaults at a time from the server. It may only decrypt items as needed (the details differ from client to client), but once 1Password is unlocked the encrypted vault data and the keys to decrypt those vaults are available to the 1Password process.

    I'm not saying that there are no plausible threats for which 2FA wouldn't be useful. I am just saying that those are far, far more limited than many people imagine and effort should go into beefing up defenses against more serious threats. Your secret Account Key is a defense in case our server gets compromised. Now we don't think that it is more likely for our systems to be compromised than for yours to be, but because a compromise of our systems could matter for an enormous number of people, we devised our two-secret key derivation to protect everyone against that sort of threat instead of working on 2FA, which would be more security theater than actual security given realistic threat models against an end-to-end encryption system.

  • brenty

    Team Member

    I said this in another thread: "perception is everything". You give the perception to a customer that their data is that much safer, great. You can have all the protection there is, all the data there is to back it, but if a person doesn't believe it and thinks 2FA is the way to go, you've lost them.

    @prime: I'm not sure that this is a good reason apart from marketing, but you raise an excellent point about perception in general. After all, not many people are going to read all of the 1Password knowledgebase (or this discussion), so communicating the benefits of 1Password (and security in general) is a challenge we always have to face. I don't know that 2FA helps in many of those cases, since caring about it presupposes that one knows what it is, and that rules out many casual users. But it highlights that no matter what we have a lot of work to do to make a case for the importance of digital security in the first place.

    All the nerdy stuff you guys write, I love reading. I love helping people be safer online also. I even have a help group on Facebook :)

    I love it too, and it's so awesome to hear that you're doing that! Sometimes I feel like nothing good comes from Facebook, but clearly that's not the case. :lol:

    Edit: I actually can see how 2FA can be useless. If anyone knows anything about 2FA, you get a recovery key when you set it up with accounts that support it. Well I guess this way, we just use the recovery key all the time.

    You just blew my mind. I never thought about it that way. To be fair, I don't think that 2FA is useless, but often the recovery options pose a significant weakness. Fortunately the 128-bit Account Key has so much more entropy than typical recovery codes, which are sometimes far too similar to one-time passwords, only they don't expire.

    Now I did type the account key... not easy at all. It would be nice if there was a way to copy it from 1Password on the iPad and paste it in the browser. I know I can from 1Password on my Mac, but I didn't want to turn it on.

    Great question! In most cases, you shouldn't have to type it. If you have the 1Password browser extension installed, it will offer to save your 1Password.com Account credentials for you, which you can then copy and paste easily. And the mobile apps can scan the QR code to make the authorization process easier:

    Sign into your account on a new device

    Cheers! :)
