Turning on 2FA TOTP in my 1Password account triggers a warning in my 1Password apps on my devices

Mr_Zaggy
edited April 2018 in Memberships

As per subject: turning on 2FA TOTP in my 1Password account using the instructions listed on https://support.1password.com/two-factor-authentication/ triggers a warning in my 1Password applications on my devices. Turning off 2FA TOTP in my 1Password account stops the behaviors described below:

Mobile App:

1Password version: 6.9.1
OS: iOS 10.3.3
Vault type: Not local. I am logged into my account from my mobile app

Behavior:

The warning which is listed under "Mobile Warning" below pops up on my screen when I log into my mobile app. As per the warning popup, when I navigate to the App Store, there is nothing to update since I am on the current latest version (6.9.1) and the App Store just offers to open the app. When I come back to the 1Password app from the App Store by pressing "open", the popup is gone.

When I close the 1Password mobile app and reopen it, the popup appears again. If I dismiss the popup instead of trying to update, it does not prevent me from using the 1Password app.

Mobile Warning:

Laptop App:

1Password version: 6.8.8 (688002)
OS: macOS High Sierra 10.13.2
Browser: Chrome 65.0.3325.181 (Official Build) (64-bit)
1Password browser extension version: 4.7.0.90
Vault type: Not local. I am logged into my account from my laptop app

Behavior:

The warning which is listed under "Laptop Warning" below pops up on my screen when I open the 1Password app on my laptop or 1Password mini in Chrome. If I dismiss it by pressing the red (x), it will pop up once more, and after dismissing it for the 2nd time it won't appear again.

If I enter the requested TOTP, it disappears.

If I dismiss it both times, I can continue using the desktop app or browser extension without any issues. If I leave the warning popup on the screen out of focus, I can continue using the desktop app or browser extension without any issues because the warning popup is not a modal dialog.

Laptop Warning:

Comments

  • brenty

    Team Member
    edited April 2018

    @Mr_Zaggy: Thanks for reaching out! Can you tell me where you're getting "Mobile Warning:" and "Laptop Warning:"? I'm not seeing that in your screenshots or description (other than a brief reference to each). To be clear, you have a rather old version of 1Password for iOS though. The current release is 7.0.6, but the App Store isn't going to offer you that since you're running an outdated OS. You should still be able to use 1Password in the meantime, but if you continue to not update, at some point in the future the old app will no longer be able to connect to the service. I agree that there's room for improvement with the workflow of the new two-factor authentication feature though. Thank you for your feedback on this! :)

  • brenty

    Team Member

    I understand that I am not using the latest version of 1Password (v7) since I am not on iOS 11.

    @Mr_Zaggy: :):+1:

    I am still not sure why enabling TOTP in my web account starts generating annoying popups on my device apps. But, let's leave the mobile app aside for a moment, how about my desktop app? Why do I get that popup there? Is it a feature or a bug?

    The answers are the same: it's a feature: two-factor authentication. When you enable that, you'll need to authenticate your account in the apps. In one, you're being asked to enter the TOTP code because that version supports it. In the other, you're being asked to update because it does not.

    Just to make sure we're on the same page here, it sounds like you're able to authenticate successfully in 1Password for Mac. Is that correct?

    You asked me where do I see the popups:
    "Mobile Warning": when I open and unlock my mobile app.
    "Laptop Warning": when I open and unlock my desktop app on my mac laptop.
    Please let me know if you require more information/clarification.

    I guess what confuses me is you attached screenshots but I'm not seeing it there. Maybe this is due to some of your notification settings in the OS. Probably not important. It just struck me as odd.

  • brenty

    Team Member

    Yes, after entering the TOTP, I could authenticate successfully. But the 2FA authentication in 1Password for Mac is not enforced, as per my earlier description of the 2FA behavior: I could dismiss the popup without entering the TOTP and still continue using 1Password for Mac afterwards.

    @Mr_Zaggy: Thanks for clarifying. If I understand you correctly though, you'd already set up the app with your account, so it already had your data. Isn't that the case?

    Sorry, you are not seeing what where? You tested on your own 1Password for Mac and you are not seeing the same behavior as me?

    Right. I'm not seeing anything that says "something Warning:".

  • brenty

    Team Member

    @Mr_Zaggy: I wanted to follow up to say that I appreciate you bringing up this subject, as I think we do have some work to do here. It sounds like everything is working as designed, but I wanted to clarify why it works this way.

    1Password is designed to be functional offline, without an internet connection. That's really important to many users — far more than those who give it any thought — as it would be unthinkable for most of us to suddenly not have access to our most important data because the train goes through a tunnel or something (true story).

    So I think that is the answer to the question you're sort of getting at: "Why does 1Password continue working even when I don't authenticate?" While it apparently functions as you'd expect it to even when you cancel out of the authentication prompt, you'll find that the account can no longer communicate with the server until you do authenticate. So the problem, in my view, is that we're not doing a good job of communicating that to users.

    Long term, maybe we can offer a business feature which requires authentication for the app to even function and retain the data it already has. This would pretty much be an "online-only" mode. I know it's something we've had some requests for, but for most users that's a total dealbreaker. I'd be interested to hear if that's something you'd like though.

    ref: apple-555

  • brenty

    Team Member

    Yes, my apps have been set up with my account for a long time now. I discovered the 2FA feature yesterday and wanted to try it out.

    @Mr_Zaggy: Great! Just wanted to make sure I was understanding correctly. :)

    So, a couple of points here:
    1. Yes, I agree with you - communication/clarification can be better :)

    :):+1:

    2. It is really weird to me that the 2FA dialog is dismissible on the end device and does not force me to authenticate when 2FA is enabled in my account. Sure, based on what you told me the "account can no longer communicate with the server", but ... so what? I can still access all the logins/passwords locally in the app after dismissing the authentication prompt! You see where I am coming from? What is the point of such 2FA if authentication becomes optional on the end device?

    I get what you're saying, and it's certainly an understandable perception based on the lack of feedback in the app...but it isn't "optional" at all. Go ahead, try to make changes; you'll find that they don't make their way in or out. But if you're suggesting that 1Password nuke itself any time you can't authenticate — including when you don't have an internet connection — that's going to be a tough sell for greater than 90% of users.

    As much as the non-communicative nature of the user experience here is not good, that would be much, much worse. What if you accidentally dismiss the dialog, or mistype one character? Should you then have to sign in again from scratch to be able to access your data, when you've already authorized the app? They're features we can consider adding, but I'd like to get a real sense of if those are behaviours you'd actually want.

  • brenty

    Team Member

    Respectfully, I also understand when you say that you have to think about the majority of users. Somehow you need to strike a balance between usability and security.

    @Mr_Zaggy: Thank you! That's exactly what we're trying to do, and it ain't easy. :lol:

    That said, when you give me the ability to dismiss the authentication prompt with an explanation that "all is good, the app cannot communicate with the server in/out", it still does not fully make sense to me, since I can still read passwords/logins which are local to the desktop app. This is what makes the 2FA "optional" for me, which I would not expect to encounter when I am using a 2FA-protected app. It is rather confusing.

    That said, I don't mean to suggest that this is the right way and/or only way, so we're definitely open to feedback. But could you respond to my previous comments?

    I get what you're saying, and it's certainly an understandable perception based on the lack of feedback in the app...but it isn't "optional" at all. Go ahead, try to make changes; you'll find that they don't make their way in or out. But if you're suggesting that 1Password nuke itself any time you can't authenticate — including when you don't have an internet connection — that's going to be a tough sell for greater than 90% of users.

    What I'm trying to get at is how you would prefer it to work. Right now, 1Password does not require internet access to function. But that would be the net result of requiring that you authenticate again on each device in order to use the data which you already have there. Keep in mind that you will need to be online and authenticate using the second factor to authorize a new device.

    As much as the non-communicative nature of the user experience here is not good, that would be much, much worse. What if you accidentally dismiss the dialog, or mistype one character? Should you then have to sign in again from scratch to be able to access your data, when you've already authorized the app? They're features we can consider adding, but I'd like to get a real sense of if those are behaviours you'd actually want.

    I'd really like to get a sense for if these are things you want. I don't see us making 1Password work that way for everyone, but it may be that we can make that optional down the road. Looking forward to hearing back from you. :)

  • brenty

    Team Member
    edited April 2018

    @Mr_Zaggy: I apologize in advance for the length, but there’s a lot of ground to be covered thoroughly. I'll do the best I can in both regards.

    You do not need an active internet connection when you are authenticating using 2FA TOTP.

    How so? Without a connection to the server, there is no authentication that can happen. That may sound scary, but keep in mind that 1Password's security is built on encryption to ensure that your data is safe even in the case of a direct offline attack against it.

    You asked me to provide some information about how I would expect this to work (my answer applies to the use case where I am using a desktop app):
    I would like to see that when 2FA is enabled it becomes an integral part of the authentication process, not avoidable nor dismissible. For example: if the user fails to authenticate N times (let's say the code is invalid, a typo, etc.), then the app should enforce a full authentication process.

    To be clear, the account always authenticates fully with the server. The TOTP code is required only for the initial device authorization though (when an authentication token can be saved locally), which will be either 1) setting up the account in the app/browser for the first time, or 2) authenticating again once two-factor is enabled on the account.

    The same applies if the user tries to dismiss the authentication dialog N times: the app should enforce a full authentication process at some stage. In the case of 1Password, the "full authentication process" can be the requirement to enter the master password again, which does not require an internet connection.

    That's also how it works already, except there is no "n times"; authentication, including TOTP, is required for the app to be able to communicate with the server when two-factor is enabled. What I'm trying to understand is how you want this to be enforced differently. Should you simply not have access to your data while you're offline, or should 1Password also actively erase any local data for that account when authentication is not performed?

    What should NOT happen is what is happening with 2FA TOTP in my desktop app right now: I should NOT be allowed to access & read local logins/password after dismissing the authentication dialog twice. Therefore, I consider it to be either:
    (a) a serious security-related defect or
    (b) a feature that has not been fully thought through

    I understand what you're saying, but we need to follow it through to its logical conclusion. The question is, how would you specifically like this to be enforced, and what would be the repercussions for you and other users? Here are a few considerations, corresponding to increasingly aggressive security measures surrounding an inability to authenticate:

    Level 1. Data lockout: Data is still cached locally, but user cannot access it until they authenticate.
    Level 2. Data (un)availability: Data is removed because device is offline and therefore cannot be authenticated at all, though account remains in the app (and therefore pending local changes).
    Level 3. Data loss: User makes local changes but fails authentication for whatever reason, so the account (which failed authentication) is removed locally, taking with it anything associated with it which had not yet gone to the server.

    Ultimately that brings us back to the fundamental tension here: the expectation of users is that 1Password works offline when there's no internet access, since that's how pretty much every app out there works. People still need access to their data sometimes, despite not having internet access — garage door code, PIN for the bank, safe combination, etc.

    Another thing to keep in mind here is that someone may be online, but with a spotty connection. If their next authentication attempt fails through no fault of their own and we trash their data as a result, that's simply not acceptable to anyone actually involved in that situation: the user, who's lost their data, and us, as the ones who made that possible. I hope that we can both agree this would be unacceptable.

    With that out of the way, there are four ways we envision this working:

    1. Build a true "online only mode" for working with 1Password.

    2. Have some logic in the clients that simulated "online only mode", so MFA would appear to behave the way you expect.

    3. Bind MFA to the actual authentication (what we do currently).

    4. Not offer MFA at all.

    Customer demand means that #4 is not an option for us now. #3, which is what we do, allows you to unlock the data that is stored on your own device, but you will not be able to communicate with our server for new data or to make changes without the second factor. #2 would get 1Password to superficially behave as you expect, but it would be security theater. It would be easy for an attacker to evade. #1 would mean that the client wouldn't store your encrypted personal keyset, but would have to fetch it from our server after you authenticate. With this, you would not be able to operate 1Password without a network connection. Furthermore, it would give us the capacity to lock you out of your own data on your own devices. That's really not a position we want to be in, but if that's something you and a large number of others truly want, perhaps we can offer that as an opt-in in the future. It's just hard for any user who signs up for something like that to anticipate how it might screw them royally in the future, even if it seems like a good idea at the time.

    I also think it's worth noting that many other security products go with #2. They are willing to make MFA have a veneer of security that only fools customers but not attackers. We are unwilling to do that, despite customer demand for it. That's a bridge too far.

    I do agree with you that there's perhaps room for a hybrid approach, but it's something that has to be approached with care, both in terms of security and the risks to customers. As you yourself point out in another thread,

    From what I have seen when configuring 2FA on my 1password.com account, there is no recovery option, i.e.: to generate backup codes

    So I hope you can appreciate the delicate balance which must be struck. On the one hand, you want MFA to be even more strict and actually lock you out of your data locally on your device. But on the other, you're rightly concerned about getting locked out of your own data.

    Anyway, maybe we can add a feature where a specific vault can be set to be only available while online, and other vaults can be available even when offline. This is something we'd like to explore in the future, and I'd be interested to hear if that would help satisfy your concerns. But we don't have any promises to make that these would ever see the light of day, and we haven't done any work to even see how feasible they are or how they would actually work in day-to-day use. It's important to have these kinds of discussions so that we can get a sense for how people would like 1Password to work. We're always grateful for that, but we do need to proceed cautiously before just giving people a digital nuke to obliterate their data with. ;)

    I am sorry that our solution has not yet met your expectations, but I'm interested to hear your thoughts on all of this to see if there are ways we can better accommodate your use case in the future. What are the specific threats you're trying to defend against? It's definitely an interesting, complex, and important topic. :)
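    As an added illustration, not code from 1Password or from anyone in this thread, of the design brenty describes as option #3 (the second factor is bound to device authorization and server communication, while data already on the device stays unlockable) and of the earlier point that the TOTP code is only needed when a device authorizes: a small Python model with a server that issues device tokens and a client that caches the vault. The class and method names, the token scheme and the sample vault are assumptions for illustration; the TOTP function follows RFC 6238 with HMAC-SHA1.

    ```python
    import hashlib
    import hmac
    import secrets
    import struct

    # Constructed model of option #3 ("bind MFA to the actual authentication"):
    # the second factor gates device authorization and server sync, while data
    # already cached on the device stays readable. Names are illustrative
    # assumptions, not 1Password's own code.

    def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
        """RFC 6238 TOTP (HMAC-SHA1 with RFC 4226 dynamic truncation)."""
        counter = struct.pack(">Q", timestamp // step)
        mac = hmac.new(secret, counter, hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(code % (10 ** digits)).zfill(digits)

    class Server:
        def __init__(self, totp_secret: bytes):
            self.totp_secret = totp_secret
            self.two_factor = False
            self.tokens = set()                 # currently authorized devices
            self.vault = {"bank": "pin-1234"}   # constructed sample data
        def enable_two_factor(self):
            self.two_factor = True
            self.tokens.clear()  # every device must authorize again with a code
        def authorize(self, code, now: int):
            """Issue a device token; None if 2FA is on and the code is wrong."""
            if self.two_factor:
                window = {totp(self.totp_secret, now + d) for d in (-30, 0, 30)}
                if code is None or not any(hmac.compare_digest(code, w) for w in window):
                    return None
            token = secrets.token_hex(16)
            self.tokens.add(token)
            return token
        def sync(self, token):
            return dict(self.vault) if token in self.tokens else None

    class Client:
        def __init__(self):
            self.token, self.local = None, None
        def authorize(self, server, code, now: int) -> bool:
            self.token = server.authorize(code, now)
            if self.token:
                self.local = server.sync(self.token)
            return self.token is not None
        def read_offline(self, item: str):
            # Reading the cached copy needs no network and no second factor.
            return None if self.local is None else self.local.get(item)
        def sync(self, server) -> bool:
            data = server.sync(self.token)
            if data is not None:
                self.local = data
            return data is not None
    ```

    After `enable_two_factor()` the old device token is gone, so `sync` fails until a valid code is supplied, yet `read_offline` still returns the cached item, which is exactly the behaviour the thread is debating.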

  • jaywang

    Hi @brenty

    Would love to hear more about this.

    I also think it's worth noting that many other security products go with #2. They are willing to make MFA have a veneer of security that only fools customers but not attackers. We are unwilling to do that, despite customer demand for it. That's a bridge too far.

  • brenty

    Team Member

    @jaywang: That's really beyond the scope of this support forum, but there's a lot of stuff that's easy to find by searching Google for something like "two-factor vulnerability".
