Question about 2FA and 1P
I am looking to enable 2FA on my 1password.com account, but have a few questions:
When will I be prompted with my 2FA security code? Only when I log into 1Password.com? Or even using the apps?
How exactly do you guys handle the situation in which you delete Google Authenticator (e.g. if you transition to a new phone)? How do you retrieve the backup codes if 1P is locked behind a code?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
How will we be able to get in if we lose or change our phone then?
0 -
From what I have seen when configuring 2FA on my 1password.com account, there is no recovery option, i.e.: to generate backup codes
@Mr_Zaggy: That's correct, and by design. Two-factor authentication is geared toward businesses, since they can have a recovery plan in place with admins who can help users who get locked out recover their accounts. :)
0 -
I am looking to enable 2FA on my 1password.com account, but have a few questions:
When will I be prompted with my 2FA security code? Only when I log into 1Password.com? Or even using the apps?@jadchaar: It will be required to authorize each device/browser the first time.
How exactly do you guys handle the situation in which you delete Google Authenticator (e.g. if you transition to a new phone)? How do you retrieve the backup codes if 1P is locked behind a code?
There are no backup codes. Those are not time-based and could provide an opportunity for an attacker to use them long after they are stolen. Account recovery is more secure, since it has to be requested from an admin by the user, preferably face to face or over the phone, so that there's less opportunity for exploitation.
I hope this helps. Be sure to let me know if you have any other questions! :)
0 -
I understand and what you described makes sense. But, I do not mean to sound too blunt - what about the non-business users :)? You just released a 2FA feature to a whole lot of consumers with no option of setting up a recovery option. Going back to what we discussed in my TOTP thread - this needs to be clarified
@Mr_Zaggy: Not at all. It's a good question. The thing is, there is a recovery option: use 1Password within a family or business. That gives you a recovery option that doesn't weaken security for everyone. Two-factor authentication is critical to many businesses due to external or self-imposed requirements, so that's where our focus is. That simply isn't the case for individual users. Certainly some people want to use it anyway though, so it's available, but it is an advanced feature that can only offer limited security benefits, and that's often misunderstood and difficult to communicate. We're hesitant to weaken the security properties it does have by adding — essentially — an "escape hatch". Recovery within a family or business setting can be done without adding "recovery codes" that never expire. I hope this helps . Be sure to let me know if you have any other questions! :)
0 -
Hmm that is a shame. I am a single user without a family plan or business plan, and wanted to use 2FA as an extra measure of security. Hopefully you guys can figure something out so everyone can enjoy 2FA with ease.
I completely forgot about my 2FA app when I switched phones and if I didn't have backup codes, I would have lost critical accounts. Losing our passwords is game over.
0 -
Hi @jadchaar,
If you're concerned about losing your code generator, you could backup your TOTP Secret somewhere else (such as writing it on your printed Emergency Kit or somewhere else safe).
When you enable 2FA, you'll see the secret here:
And then if you ever lose your code generator, you could enter the secret into a new generator app.
Does that work for you?
0 -
I agree Zaggy. It should be part of a usual 2FA workflow like every other 2FA implementer does it (think Google, Twitter, Facebook, Robinhood).
I am just worried because my digital life is behind 1P and I need full assurance that enabling 2FA can’t brick my account.
0 -
If that would work - great. But this needs to be clearer in terms of communication
@Mr_Zaggy: How so? It's just another thing you need to be able to access your account, like your Master Password and Secret Key.
Yeah... As brenty said, 2FA geared toward businesses. Which (to my opinion) has to do with businesses being a profitable market segment than single users without a family plan or business plan.
Not at all. Otherwise the feature would only be available to businesses. It's available to everyone, but, as always, it's up to you to ensure that you have an emergency plan in place. We simply don't have anyone's account credentials and therefore cannot help anyone regain access.
0 -
Hmm that is a shame. I am a single user without a family plan or business plan, and wanted to use 2FA as an extra measure of security. Hopefully you guys can figure something out so everyone can enjoy 2FA with ease.
@jadchaar: You totally can use it...
I completely forgot about my 2FA app when I switched phones and if I didn't have backup codes, I would have lost critical accounts. Losing our passwords is game over.
Just be sure to take the necessary precautions — like saving a copy of your TOTP secret somewhere safe for an emergency.
Anyway, this is why we don't recommend it to everyone, and why we didn't add it until recently. Making it harder for an attacker to get into your account means the same is true for you if you don't plan accordingly. That's the case even with families and businesses. If there are not sufficient admins, people getting locked out will be locked out completely. For example, I'm currently the only Organizer for my family account. So it's incumbent on me to not get locked out, both for myself, and in case any family members need recovery. It's all about choices.
I agree Zaggy. It should be part of a usual 2FA workflow like every other 2FA implementer does it (think Google, Twitter, Facebook, Robinhood).
What did you have in mind?
I am just worried because my digital life is behind 1P and I need full assurance that enabling 2FA can’t brick my account.
You don't have to worry. Just backup all of the credentials you need to access your account in an emergency — as you presumably already do with your Master Password and Secret Key. :)
0 -
What I had in mind was maybe including the 2FA TOTP secret in the Emergency Kit PDF you provide to users in the dashboard.
I can't really show a screenshot as I already have 2FA configured, but whenever you sign up for a service with 2FA, they explicitly tell you to scan the QR code, enter the 6 digit seed, then in the next step, they provide you with the backup codes and tell you to explicitly store them as backup in case you lose access to your authenticator. The way it is currently set up, you guys just state this:
It is unclear that this can be used as a backup in the event of a 2FA app loss. Instead, it just tells the user that they can use this instead for configuration if the scanning doesn't work.
0 -
Glad I clarified it! :)
0 -
No problem! I am just super cautious with 2FA ever since I got locked out of my Discord after forgetting to save my backup codes and ever since I switched phones (wiped the old one) and completely forgot about my Google Authenticator app. Luckily I had backup codes for all of the services but yeah that happened haha.
0 -
If you're concerned about losing your code generator, you could backup your TOTP Secret somewhere else (such as writing it on your printed Emergency Kit or somewhere else safe).
When you enable 2FA, you'll see the secret here:
And then if you ever lose your code generator, you could enter the secret into a new generator app.
Does that work for you?@jadchaar: Excellent point. Thank you for clarifying. I think it's definitely worth updating the text there to make it clearer that the TOTP is something you can save as part of your emergency planning to ensure you don't get locked out. :)
I LOVE this idea. Right now I am using Authy and have it backed up. I am using a long typable password for the back up, but I don't like it. I talked about this idea also for a back up. I like Authy for an authentication app, just not fond of the back up.... it's a weak point IMO.
I've been playing and testing out ideas, good thing I have my wife as an organizer. I can see myself locking myself out from all test and messing around I'm doing :lol:
0 -
We’d always recommend a second organizer/administrator whenever possible. :)
Ben
0 -
We’d always recommend a second organizer/administrator whenever possible.
I'd rather still have only 1 admin but multiple people who can allow account recovery.
This has been discussed before and is even more relevant with 2FA without back-up codes.
Any updates on this?
0 -
It’s an interesting idea but I’m not aware of any plans at this point.
Ben
0 -
Please add the TOTP secret to the Emergency Kit that's generated. With 2FA on, the Emergency Kit is useless and there is no indication of this for single user accounts!
0 -
I agree. This is a potentially dangerous oversight, but with an easy fix.
0 -
Please add the TOTP secret to the Emergency Kit that's generated. With 2FA on, the Emergency Kit is useless and there is no indication of this for single user accounts!
@raster: TOTP Two-factor authentication is not enabled when you setup your account, so it cannot be included in the Emergency Kit in general. And since most people are going to be using two-factor authentication because they want a second factor, I think it would be ill-advised to do anything like that be default. There's nothing stopping you from adding it yourself though if you want to keep all of that together. And we'll see if we can make it clearer by giving people who try to enable this more warnings or something, so they hopefully take the time to understand that adding this extra layer can also prevent them from getting into their own accounts if they do not plan appropriately.
0 -
Sorry, I meant to clarify: an oversight from an educational standpoint.
What I envision for the emergency kit is a field reminiscent to what you guys do for the Master Password. Put a blank area that says "2FA Backup" and let the user fill it out. Make the section clear that it is only for users that have 2 factor authentication enabled. Or prompt a user to redownload their emergency kit when 2FA is enabled.
I just really worry for regular users who are less knowledgeable who enable 2FA and do not write down the backup, but want the extra layer of security that comes with 2FA. Many people don't think about transitioning their 2FA codes (E.g. Google Authenticator or Duo) when changing phones or devices. It is sadly not as easy as syncing contacts with the cloud and just having it magically reappear.
My two cents: I think you guys should REALLY make it clear that they need the secret code in case they get locked out. I think the best way to do this is by adding a blank field to the emergency kit. I think this is definitely doable and makes sense. Else, you guys should disable it for users without a teams, family, or business account and go back to the drawing board.
Apologies for sounding like a broken record, but I have had some unrecoverable issues with 2FA that I do not want others to have, especially with something as critical as 1P.
0 -
What I envision for the emergency kit is a field reminiscent to what you guys do for the Master Password. Put a blank area that says "2FA Backup" and let the user fill it out. Make the section clear that it is only for users that have 2 factor authentication enabled. Or prompt a user to redownload their emergency kit when 2FA is enabled.
I like this idea. Maybe make the starter kit have a set up “anything you have here will be including when printing your emergency kit”
I just really worry for regular users who are less knowledgeable who enable 2FA and do not write down the backup, but want the extra layer of security that comes with 2FA. Many people don't think about transitioning their 2FA codes (E.g. Google Authenticator or Duo) when changing phones or devices. It is sadly not as easy as syncing contacts with the cloud and just having it magically reappear.
IMO most people who are using 1Password probably have an idea what 2FA, but still make something to warn people.
My two cents: I think you guys should REALLY make it clear that they need the secret code in case they get locked out. I think the best way to do this is by adding a blank field to the emergency kit. I think this is definitely doable and makes sense. Else, you guys should disable it for users without a teams, family, or business account and go back to the drawing board.
Another idea, a warning in red when you turn it on, and even a check box acknowledging it. It has to be simple, because we all “read” the iTunes terms of services :lol:
Apologies for sounding like a broken record, but I have had some unrecoverable issues with 2FA that I do not want others to have, especially with something as critical as 1P.
Agreed. I will say this about AgileBits, they do listen to their customers. I’ve seen it many times 1st hand, and why I am srill a customer.
0 -
@jadchaar I agree about 2FA, and why I went great lengths to make sure I don’t have an oops
0
