Accessing 1password.com when 2FA enabled but without access to 2FA codes

sphardy
sphardy
Community Member
edited May 2018 in Lounge

Hello

I am a 1Password for Families user and I recently discovered that 1Password now offers 2FA across all services - to add a new device or to access the web service. I am pleased to see that and I have enabled it and of course stored the 2FA configuration in my 1Password app.

But what if I lost access to all my devices? How would I regain access to my data or enable a new device without access to a 2FA code generator?

For all my other logins, I of course have the relevant information in 1Password and can use the web service via another computer and the hardcopy of my emergency kit, but if I need a code generator to also access the 1Password web service in addition to my emergency kit... What then?

FYI: I have 1Password on multiple devices plus another family member with admin access to our Familes account, so it is an unlikely scenario in practice, but it does feel like there's a potential hole here unless I'm missing something


1Password Version: 7.0 (Beta 19)
Extension Version: 4.7.1.90
OS Version: MacOS 10.13.4
Sync Type: 1password.com

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    But what if I lost access to all my devices? How would I regain access to my data or enable a new device without access to a 2FA code generator?

    @sphardy: You can't. On a new device, you will need all of your account credentials — including the TOTP code for two-factor authentication — to sign in. Please be sure to backup your TOTP secret or TOTP QR code with the rest of your stuff!

    FYI: I have 1Password on multiple devices plus another family member with admin access to our Familes account, so it is an unlikely scenario in practice, but it does feel like there's a potential hole here unless I'm missing something

    If your family member is an admin on the account, they will be able to initiate account recovery for you, so that helps a lot. :)

  • sphardy
    sphardy
    Community Member

    Hi (again) @brenty :)

    Forgive me but where to I find my TOTP secret? I cannot see it on the 1password web site. I just regenerated my emergency kit and it is not there - wouldn't that be an appropriate place to find it?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @sphardy: Both the text TOTP secret and QR code version of it are displayed when setting up two-factor authentication:

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • sphardy
    sphardy
    Community Member

    @brenty - Is this only showed at configuration time? There is no other way to have it displayed?

    Prior to 2FA, my account could be completely recovered using the Emergency Kit - a great feature that is prominently displayed on the site to help make sure I don't forget to store it. But it appears that if I forget to store this specific secret I could lose access to my account - and there is no message in that screen shot to warn me of this. Surely it should also be included in the Emergency Kit?

  • AGAlumB
    AGAlumB
    1Password Alumni

    Is this only showed at configuration time? There is no other way to have it displayed?

    @sphardy: Correct. But you can set it up again and save it next time.

    Prior to 2FA, my account could be completely recovered using the Emergency Kit - a great feature that is prominently displayed on the site to help make sure I don't forget to store it. But it appears that if I forget to store this specific secret I could lose access to my account - and there is no message in that screen shot to warn me of this. Surely it should also be included in the Emergency Kit?

    I'm not so sure. You sign up for your account, save the Emergency Kit...and then setup two-factor — your Emergency Kit still doesn't have that info, as it did not exist originally. That won't help most users at all. The best thing to do is to save anything you need to access your account. If you put your Emergency Kit in a safe with a combination, you won't get a reminder to save the combination either, but it is needed.

This discussion has been closed.