Restrict 2 factor auth to one device

I think two factor authentication should optionally be restricted to one device, preferably mobile.

Being able to use two factor from any of my devices with 1p installed is convenient, but removes one of the tenets of the feature: 'authentication by something I have'. Currently, two factor with 1p is barely more secure than a strong, generated password since they're stored and accessed together on any device.

Dream feature would be for the browser extension to send a prompt / notification to my mobile allowing me to get to the correct key quickly.


1Password Version: iPhone 6.7.1 / OS X 6.7 (670008)
Extension Version: 4.6.6.90
OS Version: OS X 10.12.5
Sync Type: Account
Referrer: forum-search:restrict 2 factor

Comments

  • beyer

    Team Member
    edited June 2017

    Hello @linssen,

    Thanks for your post! This brings up a very interesting conversation on the difference between second-factor security and the use of Time-based One-time Passwords (TOTP). One-time passwords are commonly used as part of second-factor security systems but don't automatically give you second-factor security.

    Thankfully (for me at least) our Chief Defender Against the Dark Arts, the one and only Jeffrey Goldberg, wrote an awesome blog post that goes into detail about this: https://blog.agilebits.com/2015/01/26/totp-for-1password-users/

    I suggest you give it a read, but the crucial part is at the end:

    If you would like to turn a site’s offering of TOTP into true two-factor security, you should not store your TOTP secret in 1Password (or in anything that will synchronize across systems). Furthermore, you should not use the regular password for the site on the same device that holds your TOTP secret.

    Put simply: the device that holds your TOTP secret should never hold your password if your aim is genuine two factor security.

    Personally, I don’t think that following that practice would be worthwhile for anything but a very small number of special circumstances, in which case, you should probably be using a specialized second factor device instead of something like a phone. But not everyone shares my opinion on this, and if you have a need for true second-factor security for some particular site or service, you should take that into account before adding a TOTP secret to 1Password.

    Since we don't selectively sync specific items or in this case a part of an item, we can't control which device would store your TOTP in 1Password. Adding an ability to store your TOTP on only one device is something we might consider adding in the future, but it still wouldn't give you true second-factor security since your password and TOTP would still be stored on at least one device. Selective Sync would also add additional complexity for the user which is one of the main reasons we don't do it today.

    I hope this helps explain our current reasoning for how we handle TOTP, but we are always looking at ways to make this system better.

    Cheers,
    Andrew

  • I'm surprised that 1Password's position on 2 factor is "I don’t think that following that practice would be worthwhile".

    Apple for example have a really nice flow for 2 factor whereby you pre select your second factor devices, then at the point of authentication you're prompted to pick one, the code then appears on that device. That's not complex for a user.

    Are 1p, as an organisation, of the opinion that TOTP is sufficient, and that 2 factor proper is not worthwhile? Or is it more to do with the engineering challenge, road map, and priority?

  • jxpx777

    Code Wrangler, 1Password Alumni

    I think that what's important here is to clarify what role is being played by different parties in the two-factor authentication process. Your example of Apple is a particular role, i.e. they have the secret on their servers to generate a code to challenge you with. They deliver that code to your devices.[1] I just tested this and when I tried signing in to iCloud in a Private Browsing window, I got a two-factor authentication prompt on my iPhone, my iMac (where I was signing in, which is pretty much definitely not two-factor!) and my iPad Pro. All at once. Maybe I have a different configuration from you but this doesn't seem to match the workflow you described… So, Apple is filling one particular role in a two-factor authentication relationship.[2]

    1Password could play a similar role, but right now we don't. If in the future we have in-house two-factor authentication, we definitely would be in a position to implement a system similar to Apple's because we know your registered devices. But this would only be for signing in to your 1Password account, not for any other sites that you have two-factor authentication enabled on.

    The role that 1Password plays with respect to other sites is different. When you store the two-factor secret in 1Password for a site like Github, Dropbox, or Xero, 1Password is playing the role of generating codes that match the code that the server is expecting, in the same way that Google Authenticator, Authy, or any of the other apps that do the same thing do. The prompting from the site is different because they don't know anything about your devices the way that Apple does or 1Password would, so they just give you a text field to enter a six digit code. Some two-factor authentication services like Duo do support a push based model, but in the simplest implementation of two-factor authentication, the server asks you for the code that the device you're storing your secret on generated and then compares it to the same code they generate from their stored copy of the secret. How you generate that code is up to you.

    Thinking about it now, though, it would be an interesting feature to have 1Password support push notifications for these other sites when you are using 1Password to sign in. (To be clear, this is just an idea that I just had so it's probably incomplete at best and would require a ton of work to support and… [insert other disclaimers here]. :smile:) But, just for fun, let's think through what this flow would look like for, say, Github. (I'm a developer… what can I say? :chuffed:)

    1. Visit https://github.com/login
    2. Fill your Login with the 1Password extension. (Command-\ FTW!)
    3. The extension notices you're prompted for the two-factor code and tells 1Password this. (This part doesn't exist right now and is totally hypothetical!)
    4. At this point, 1Password knows which Login you filled and that a two-factor challenge has been issued and notifies the 1Password server. But with what information exactly? The vault and item's UUID of the item that you filled. Nothing more should be required!
    5. The server receives this notice and blasts a push notification to all your devices except the one that sent the filling notice. (Perhaps you could configure this to only go to your iPhone or something?)
    6. You open the push notification, which 1Password knows how to handle in a special way, namely that it takes you directly to the vault and item to make it easy to retrieve the TOTP value

    That workflow actually sounds really cool and it sounds like it would be a ton of fun to build from a technical point of view, but I'm not sure it's more useful than copy and paste from the 1Password item on the device where I am filling the item. And since this workflow would require that the item contain the TOTP secret and be synced to all your devices, it doesn't put us into proper second factor territory like @beyer mentioned before.

    If you want true second factor, I would recommend getting a new iPod touch and using that for your TOTP code generation and nothing more. And be sure that your TOTP secrets aren't being synced anywhere. And then don't lose that device! Personally, the risk of losing the TOTP secret in that scenario is far greater than someone getting hold of one of my devices and unlocking it and unlocking 1Password.

    I hope this makes some sense about where we're coming from with this right now. Let us know if you have other thoughts, questions, or concerns.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas


    [1] Presumably encrypted with a device key? I don't know for sure, but it seems like it would function similar to something like iMessage where when you register a device it generates a key pair and sends the public key to Apple so they can encrypt future deliveries. I could be totally wrong about this, though, so grain of salt and all that…

    [2] By Goldberg's definition, though, none of this is true two-factor because the password for my iCloud account is actually present on every device where Apple delivers my one-time code.

  • brenty

    Team Member

    @linssen: And keep in mind that the implementation really matters when it comes to two-factor authentication. Jamie kind of alluded to this, but most services that offer this have some pretty significant "escape hatches" that offer opportunities for the user (or an attacker) to get around the second factor: recovery codes, security questions, and temporary bypass, just to name a few. And again, while many services used to offer dongles so that there was truly a second factor, hardly anyone is doing this anymore. So unless you're setting up another device just for purposes of authentication, probably in Airplane Mode, you're cheating a little. Most services aren't willing to take that last step and say "You can only login using a true second factor" and offer users a way to bail out if they lose the secret/token/dongle/whatever. And frankly that's because most users wouldn't tolerate that.

This discussion has been closed.