Any plans to allow 2FA/MFA on 1Password 6?

dREyhqwnp4
Community Member

Be great if we can have 2FA/MFA options on local password vaults and not just one password. Thank you.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @dREyhqwnp4

    Thanks for the feedback. Unfortunately, authentication (including multi-step/two-factor authentication) doesn't add any additional security when dealing with local data. Someone could simply read the data using a tool that doesn't perform the authentication. Encryption is what protects local data. The best way to ensure your local data is protected is to use a strong Master Password that you do not use for anything else.

    Ben

  • dREyhqwnp4
    Community Member

    @ben thank you for the feedback. Can you please explain how 2FA/MFA does not provide any additional security? That is the opposite of the current research and industry opinion. 2FA/MFA is not only for "online accounts". 2FA/MFA is used many times in local environments, especially highly secured environments.

  • @dREyhqwnp4

    I explained here:

    Someone could simply read the data using a tool that doesn't perform the authentication.

    How would MFA prevent that?

    Ben

  • dREyhqwnp4
    Community Member

    Correct, that is one attack vector, which is mitigated with encryption at rest. The attack vector which is generally mitigated by 2FA/MFA is account takeover through brute force attack with huge password lists from breaches; this is a common threat. the b

    This is just the beginning (https://discussions.agilebits.com/discussion/80980/response-to-elcomsoft). Be great to have 2FA/MFA to easily mitigate those attacks.

  • If someone has access to your local data such that they can attempt to brute force access to it, they'll also simply go around any authentication instead of trying to break through it. MFA doesn't offer any protection against a threat where they have access to your data.

    When designing a system like 1Password you have to ask what the threats are going to be. With an entirely local vault (only stored on your hard drive) the threat is that someone is able to access your hard drive and retrieve the encrypted 1Password data from it. In cases like that MFA wouldn't add any protection. The attacker isn't going to use the 1Password app to attack your data. They are going to attack the data directly, which is where the encryption (and thus a strong Master Password) comes in.

    Ben

  • My colleague Rick has a more in-depth explanation on this subject available here:

    https://discussions.agilebits.com/discussion/comment/364163/#Comment_364163

    All of this said, we're continuously exploring what threats 1Password users may face, and if additional protections would offer value and can be implemented, we'll certainly carefully evaluate those possibilities.

    Ben

This discussion has been closed.
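
The argument made in Ben's replies, as an added example that is not part of the original thread and is not 1Password's code: a constructed vault whose keys come only from the master password, next to a hypothetical client (`VaultApp`) that checks a one-time code before decrypting. The toy keystream cipher, the iteration count, and the password and code values are all assumptions made for the demo.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # constructed for the demo, not 1Password's real parameter

def _keys(master_password, salt):
    # The master password is the only secret input to the vault keys.
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())

def _stream(key, nonce, n):
    # Toy HMAC-based keystream, a stand-in for a real cipher such as AES-GCM.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(master_password, plaintext):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc, mac = _keys(master_password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(enc, nonce, len(plaintext))))
    return {"salt": salt, "nonce": nonce, "ct": ct,
            "tag": hmac.new(mac, nonce + ct, hashlib.sha256).digest()}

def open_vault(master_password, vault):
    # Works on the stored bytes alone; returns None for a wrong password.
    enc, mac = _keys(master_password, vault["salt"])
    tag = hmac.new(mac, vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, vault["tag"]):
        return None
    ks = _stream(enc, vault["nonce"], len(vault["ct"]))
    return bytes(a ^ b for a, b in zip(vault["ct"], ks))

class VaultApp:
    # Hypothetical client that checks a one-time code before decrypting.
    def __init__(self, vault, expected_code):
        self.vault, self.expected_code = vault, expected_code

    def unlock(self, master_password, code):
        if not hmac.compare_digest(code, self.expected_code):
            return None  # the app refuses, but the vault file is unchanged
        return open_vault(master_password, self.vault)

def demo():
    password, secret = "correct horse battery staple", b"bank login: example"
    app = VaultApp(seal(password, secret), expected_code="492817")
    refused = app.unlock(password, "000000")      # app-level check blocks this path
    direct = open_vault(password, app.vault)      # same data read without the app
    guess = open_vault("Password123", app.vault)  # only the password decides
    return refused, direct, guess
```

`demo()` returns `(None, b"bank login: example", None)`: the code check exists only in the client, so the strength of the master password is what protects the stored bytes.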