Feature Request: Confirm new device from trusted devices (instead add. 2FA)

I actually hate the Apple set up, and love the authentication app so much better. The main reason, I need Internet. With the authentication app, no cell or internet is needed. There has been times I waited a while for the pop up to come. At least Apple has a back up and you can go into the settings to get a code, but it’s a few clicks and screens to go though. It shouldn’t be that hard.

@binaranomaly

@prime I never had the slightest problem so far - but everybody as she or he prefers.

I’m just saying the Apple version will not work without internet (or 4 difference screens to get it from the device). It relies on it. If you do a search on this, I’m not the only one too. Another issue is the pop up doesn’t always clear (known issue, and I’ll try to look for it when I get home). For a while I thought someone was trying to hack my stuff, to just later learn the pop up sticks at times. I WISH I could use an authentication app for Apple.

The selling point of the authentication app, no signal needed at all.

@binaranomaly I only posted it here because @rickfillion wanted to see, and he can actually move it if needed. I do apologize, I didn’t want you to seem it was a hijack. It also showed how the trusted device set up isn’t perfect either. With my set up, if I lose all 3 of my devices, I can still get into my 1Password account because I shared my info in a shared vault that my wife has accesss too. With your idea, if I lose all 3 of my “trusted” devices, I am done. I know my idea won’t work with signal accounts, and maybe there is room for improvement foe the signal accounts. Heck, I can add the authenticatior on an old iPod Touch (or anything other device) than I can hide at home as a back up with this current set up if I wanted too.

Another great thing with my set up is now I have my TOTP in my login for my 1Password account on my login (starter kit) in 1Password itself. I log in (auto fill the info) then the TOTP is saved to my clipboard, I’m able to fill that in, and I am in my account. I didn’t even have to use the 3rd party app for this, my hands didn’t have to leave my keyboard, and I didn’t have to wait for the TOTP to pop up on my trusted device. It was a all a nice work flow.

Using a cell phone number is a horrible idea, so bad T-Mobile is telling it’s customers to put a PIN on their accounts. This is why having a cell phone number as a recovery is bad IMHO. Apple, Facebook, google, and I bet your bank too have cell numbers for their set up as a back up, and I do not like it for this reason. I posted here a while back how a YouTuber got hacked due the the flaw of a cell phone. Cell phones have no place for this, again in my option. I don’t remember what thread it was, I’ll see if I can find it, but it was probably over a year ago.

It’s sad when Snapchat had better than my bank. My daughter uses Snapchat and she set up 2 factor authentication, and you don’t have to have a cell number or recovery codes. It’s harder to get into Snapchat than my bank :(

If AgileBits does add this stuff, I hope people can opt out. I really love this set up now.

@binaranomaly

There's no flaw

I just posted how it could with the link from T-Mobile, so yes I disagree with you, there is a flaw in SMS (assuming your talking about a cell number being connected). I was going to attempt to look for that one post, but I have 788 posts... it will take a long time to look. SMS can also be intercepted and read by anyone, a cell phone SIM card can cloned as well. This is why it’s a flawed system.

More here:
Why SMS is bad for 2 step verification

The scenario I have in mind to protect from is much simpler:
Let's assume I have an unhappy day and someone gets hold of my 1PW Login credentials (Email - not really secret, key, password), rogue browser plugin, evil maid, malware, whatever...
As of today this person can login and compromise my account fully and immediately from anywhere with any client/device.
If I'd had to confirm from an independent device (better two) before the credentials can be used to access 1PW this would add a lot of difficulty to exploit this scenario.

How if you have 2FA turned on? Even with all 3, they still need the TOTP. Now an idea I would like is an email saying someone attempted to log into my account, so I can charge my master password and my secret key. Like a heads up that a failed attempt happened. So I guess this email idea is almost like what you’re requesting?

EDIT: Malware, someone has control over your computer, game over. Very little can help you at this point. They have access to everything and they don't need to set up anything at that point. Your idea actually won't work, because they have everything at that point.

An idea I do for the email. I actually use an email just I use just for 1Password. This way there is less of a chance of this email being out in the wild. I don’t ever use this email address for anything else at all. And it’s an alias on top of it, I can’t even use this email address to log into the email account itself. If I try I get “invalid email”.

@binaranomaly

@Prime I was never mentioning SMS. I talk of the 1PW Apps as 2FA. You may check how Google does it if that concept is new to you. https://support.google.com/accounts/answer/7026266?co=GENIE.Platform=iOS&hl=en&oco=1 Facebook, Apple, same same if you set it up.

I am very well aware of this, as I said before, it also requires you to put in a cell number as a back up. Facebook, google, and Apple require you to have a cell number as a back up, as it shows in step 3 of your link above: