Duo Two Factor Issue

mmoud
Community Member
edited April 2018 in Business and Teams

Hi

My account is set up to use multi-factor authentication with Duo and "Remember Device Authentications" is set to 1 day. But even after two or more days, the Windows app takes a few seconds after the initial master password authentication to trigger the dual authentication prompt, and during that time the app is wide open: I can use a quick shortcut to find a login and copy/paste its password, or even open the login directly.

This delay should not be there as this bypasses two factor.


1Password Version: 6.8.534
Extension Version: Not Provided
OS Version: Windows
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni

    @mmoud: Thanks for reaching out. I’m sorry for the confusion! Two-factor authentication is not meant to lock you out locally when you already have it installed and setup on a trusted device. Rather, it prevents an attacker from signing into your account when they have your login credentials but not the second factor. We may be able to add an option to have 1Password work the way you seem to expect it to in the future, but that would mean you could not access your data at all unless you're online. Otherwise it would not be possible for you to authenticate with the server. 1Password would also have to nuke your data locally to prevent it from being accessed with the Master Password. You would then need to connect to the internet and sign in again in order to be able to download and access anything. Would that be acceptable to you?

  • mmoud
    Community Member

    If that's the case then it would be helpful to assign trusted/untrusted tags to PCs. Trusted can work the way it's working right now to avoid lockout. But untrusted should be locked immediately and should not allow access to data without full dual authentication.

    To be clear, I didn't mean that untrusted is a public PC. I want to tag untrusted to my laptop and trusted to my desktop, as laptops can be stolen and what not while travelling.

  • Lars
    1Password Alumni

    @mmoud - thanks for the clarification. We'll pass along your feedback, but I can't say I have any idea when - or even IF - you might see such a thing. Since the beginning, 1Password has relied upon encryption rather than authentication for its security. We're happy to have been able to recently roll out MFA as an additional measure for those who desire it (or have organization requirements for it). But switching to an online-only mode - even one that's off by default and must be explicitly opted-into - would be a departure from what our users have come to expect from us over the years and would have a dizzying number of potential issues that would need to be considered. Thanks for letting us know you'd like to see it, however!

  • AGAlumB
    1Password Alumni

    @mmoud: I hear you. We're always evaluating things based on feedback like yours, so it definitely helps. Just keep in mind that neither two-factor authentication nor the Secret Key can protect you if data is stolen from your own device. Only the Master Password protects you in that case.

    You may be thinking, "Well, why not, if 1Password instead enforced this at all times?" The problem is that even if we change 1Password to always require you to authenticate, that's not only going to prevent people from accessing their own data in many cases where they'd expect to (offline, traveling, etc.), but it's not going to stop an attacker who steals your device from stealing the encrypted database from it in order to perform brute force attacks. 1Password is designed to withstand this, of course (hence the security being based on encryption, as Lars mentioned), but I think it's important to note that authentication of any kind just doesn't offer any protection in these scenarios...which of course is no different from you accessing your data locally without having to authenticate.

    Similarly, "untrusted device" for something you travel with is an interesting idea. But again, there's nothing stopping an attacker from copying the database or simply keeping the device offline after they steal it — no way for 1Password to even try to authenticate. I still think that could be a useful feature, but if we added that we'd have to be very careful to make it clear to users that this probably doesn't protect them the way they think it does. Only an incompetent attacker would be foiled by that feature. But again, fortunately 1Password's security doesn't rely on something like that.

    It's also akin to another request we get: "Have 1Password nuke my data after X number of failed attempts." An attacker will simply make copies of the database and use their own tools to try to decrypt it through brute force guessing of the Master Password, rather than sitting there physically typing many passwords in an attempt at guessing (which is how 1Password could have an opportunity to nuke the data due to failure).

    So these features do not mean that people can use weaker Master Passwords. But we'll continue to listen to feedback and see if there are things we can reasonably do that help 1Password users be more secure, without giving people a false sense of security. Thank you for your input! :)

  • Alfonsozubi
    Community Member

    From this link:
    https://blog.1password.com/multi-factor-authentication-in-1password/
    "
    Duo Security
    Duo Security is a slightly different approach to protecting accounts and has been available as a beta feature in 1Password for a number of months. The feedback we’ve gotten from it has been unanimously positive, and Duo is now available for anyone using 1Password Teams or 1Password Business. The best part of Duo is that once configured by an administrator it will automatically apply to all members of the team.

    When you sign in to 1Password, you’ll be prompted to send a push notification to your mobile device where you can either allow or deny the request to sign in.

    Duo + 1Password for Mac
    Duo is a great option if you’re looking to enforce the use of an additional factor across a whole team.
    ......
    "
    IS THE PHRASE IN THE SECOND PARAGRAPH MEANT TO SAY: When you sign in to 1Password (FROM A NEW DEVICE)?

    Just to verify: is Duo requiring multiple authentication every time you log in, or not?

    I have used 1Password for several years and believe you have a great product, but I am considering changing to Dashlane, because they now provide the option of encrypting the local database so that it requires any of the many market 2FA authenticators...

    I would like to know if you have a roadmap to provide this added layer of security. By the way, if the user is running a 2FA app, i.e. on their phone, they could still get into the database on their computer.

  • AGAlumB
    1Password Alumni

    [...] When you sign in to 1Password, you’ll be prompted to send a push notification to your mobile device where you can either allow or deny the request to sign in.

    IS THE PHRASE IN THE SECOND PARAGRAPH MEANT TO SAY: When you sign in to 1Password (FROM A NEW DEVICE)?

    @Alfonsozubi: No. It certainly could say that, because it's true, but it's inherent: the only time you have to sign into the account is on a new device.

    That's the authentication: signing in. So that's also the only time when two-factor authentication would be at all relevant: when authentication happens.

    As I mentioned above,

    there's nothing stopping an attacker from copying the database or simply keeping the device offline after they steal it — no way for 1Password to even try to authenticate.

    When you've already signed into 1Password on a device, your encrypted data is already there. At that point, the data is protected by virtue of it being encrypted using your Master Password; authentication is irrelevant, as it already happened. We have no plans for security theater to pretend otherwise, both because that would be dishonest, and because it isn't necessary: as long as you're using a long, strong, unique Master Password, your data is safe. Only you have the means to decrypt it.
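A constructed toy model of the encryption-versus-authentication point made in the replies above (the "nuke after X failed attempts" and "untrusted device" discussion, and the final reply about already-downloaded data). This is added illustration, not 1Password's code and not its real key derivation, which the thread does not describe: a local failed-unlock counter only gates the app, while a copied vault can be tested offline, so the only lever left is the Master Password's strength times the key-derivation cost.

```python
import hashlib
import hmac
import os

# Constructed toy vault: PBKDF2 key derivation plus an HMAC check value.
# Assumption: a real vault would hold ciphertext plus an AEAD tag instead.
ITERATIONS = 100_000


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)


def create_vault(master_password: str) -> dict:
    salt = os.urandom(16)
    tag = hmac.new(derive_key(master_password, salt), b"vault-check", "sha256").digest()
    return {"salt": salt, "tag": tag}


def key_matches(vault: dict, candidate: str) -> bool:
    # Anyone holding the vault bytes can run this; no server is involved.
    tag = hmac.new(derive_key(candidate, vault["salt"]), b"vault-check", "sha256").digest()
    return hmac.compare_digest(tag, vault["tag"])


class App:
    """Local unlock that wipes the vault after MAX_FAILURES wrong attempts."""
    MAX_FAILURES = 3

    def __init__(self, vault: dict):
        self.vault, self.failures, self.wiped = vault, 0, False

    def unlock(self, attempt: str) -> bool:
        if self.wiped:
            return False
        if key_matches(self.vault, attempt):
            self.failures = 0
            return True
        self.failures += 1
        self.wiped = self.failures >= self.MAX_FAILURES
        return False


def kdf_calls_until_match(vault_copy: dict, candidates: list) -> int:
    """Number of key derivations needed against a COPY of the vault.
    The App counter above is never consulted here: the copy has no counter."""
    for n, candidate in enumerate(candidates, start=1):
        if key_matches(vault_copy, candidate):
            return n
    return 0  # no candidate matched: the guess space was too small


def offline_cost_seconds(guess_space: int, seconds_per_kdf: float) -> float:
    """Expected offline work: half the guess space times one KDF evaluation."""
    return guess_space / 2 * seconds_per_kdf
```

The wipe counter stops the app after three bad unlocks, yet `kdf_calls_until_match` still finds the same Master Password on a copy taken beforehand; only a larger guess space or a costlier KDF changes `offline_cost_seconds`.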
