Using 1Password for TOTP two-factor: pros and cons

DaveFL
edited July 16 in Lounge

Hey folks,

I'd like to know what everyone's thoughts are on using 1Password as your Primary 2FA device - specifically do you use 1Password for 2FA or do you keep your tokens separate in another application e.g. Authy or Google Auth. I keep my 1Password 2FA token both on paper and in Authy, but this question is more related to 2FA with other applications.

I can think of pros and cons to both but would like hear your thoughts.

Thanks!


1Password Version: 7
Extension Version: Not Provided
OS Version: Windows
Sync Type: 1Password.com

Comments

  • brenty

    Team Member

    @DaveFL: I think ultimately it comes down to your personal threat model and preferences, but generally we recommend using 1Password for TOTP for three reasons:

    • Security — 1Password encrypts all of the data you store in it using your Master Password. That's not always the case with other "authenticator" apps, and it is even unclear in some cases how the data is being secured, stored, and/or transmitted.
    • Availability — If you're syncing your encrypted 1Password data to multiple devices, you've got a failsafe if one is lost, stolen, or destroyed. And in the case of a 1Password.com membership, automatic offsite backup and item history, as well as access through the web interface even if all of your devices are gone.
    • Convenience — Along the same lines as availability, it's just easier to be able to access it across multiple devices seamlessly. For example, my phone isn't always handy, but I can also use my tablet.

    And again, this is something each of us need to evaluate for ourselves, so it's good that you're thinking about it to decide what works best for you. Cheers! :)

  • I'll start off by stating my bias up front: TOTP is ridiculously overrated as a security mechanism.

    The biggest threat to unauthorized account access is phishing[0], for which TOTP doesn't offer reasonable protection. If you're already at a point where you're plugging your username and password into a phishing site (or fake app), you're just as likely to punch in your TOTP code when asked. Considering the codes are good for 30-600 seconds, that gives a phishing entity plenty of time to launch a scripted login to the service they are spoofing and establish a valid session token (which can be kept alive through scripting as well, until the session is manually revoked). The most effective approach I've seen for this was a phishing site that displayed a "Validating... temporarily unavailable, please login again" page after getting the user/pass + OTP code, and then redirected the client back to the real service login page to try and prevent them from noticing what just happened.

    1Password by default takes care of 2 major security factors before you even start to consider TOTP:

    1. It allows you have long random passwords for every site, which already improves your odds of a bad actor not even making it to the 2FA prompt at all.
    2. The autofill browser extensions protect you from phishing by strict matching of the site URL.

    I use TOTP in 1Password only because it's minimally invasive to a login workflow as the current code is copied to the clipboard after the user/pass are presented. For me, I don't see a point of using another app just for the sake of generating TOTP codes - the extra work involved with manually reading and entering numbers is more tedium than extra security.

    [0] https://ai.google/research/pubs/pub46437

  • brenty

    Team Member

    @SpaethCo: I don't disagree with you. You make a lot of great points. I think that it's more a matter of perception though: a lot of people believe that TOTP (in particular, and two-factor authentication in general) has security properties that it does not. For example, one of the most common responses we got when asking folks requesting two-factor why they wanted it was that it would allow them to safely use 1Password on public computers, etc. That isn't the case, and you sort of alluded to that with your example. Anyway, I'm not sure that's really what this discussion is about, but two-factor does have its place. :)

  • I'm wondering how to best use 1Password for both passwords and TOTP one-time passwords - as opposed to using a separate software token app such as Google Authenticator on the same device as 1Password - ideally without compromising the "one thing you know and one thing you own" principle behind 2FA.

    From a high-level perspective I think there are 3 general potential attack vectors for accounts protected with 2FA:

    1. The device gets stolen. In this case there's no difference between using 1Password for both passwords and one-time passwords and 1Password for passwords and a separate app for one-time passwords. If an attacker gains access to the device, that attacker in both cases has access to both passwords and one-time passwords.
    2. The service provider's password database is compromised. Again, there's no difference in this case between using 1Password for both factors and using a separate app for one-time passwords.
    3. The 1Password vault is compromised. In my opinion, that's the only case where a separate app used for generating one-time passwords provides a significant advantage over using just 1Password because even if the 1Password vault is compromised there's an additional, independent security layer.

    So, I was wondering how the risk of attack vector #3 could be mitigated. Would it make sense to generally store TOTP secrets in a different vault than normal passwords or in some kind of secure enclave that requires an additional password? Would this mean additional security at all or would this just be papering over an inherent security risk with that kind of process that can't really be mitigated?

    Is something like that possible already with 1Password? If not it might be a useful feature. I'd like to hear your thoughts on this.


    1Password Version: 7.0.7
    Extension Version: Not Provided
    OS Version: 10.13.6
    Sync Type: Not Provided
    Referrer: forum-search:totp

  • brenty

    Team Member

    @BjoernKW: I hope you don't mind, but I've merged your post with an existing discussion on this topic. You may be interested in my earlier comments regarding why we recommend using 1Password for TOTP to most people*, but you also raise some interesting points that I wanted to address:

    1) The device gets stolen. In this case there's no difference between using 1Password for both passwords and one-time passwords and 1Password for passwords and a separate app for one-time passwords. If an attacker gains access to the device, that attacker in both cases has access to both passwords and one-time passwords.

    That isn't quite true, since (presumably) you've chosen a long, strong, unique Master Password...and not told them what it is. I get your more general point, and you'd be right in that instance, but given the context (and audience) I think it's worth pointing out that it's fairly unlikely to be an actual issue.

    2) The service provider's password database is compromised. Again, there's no difference in this case between using 1Password for both factors and using a separate app for one-time passwords.

    I'm not sure I follow what this has to do with 1Password, or any other TOTP app. If the website in question has both the login credentials and TOTP secret stolen from them, the rest doesn't matter. "Game over, man!" But so long as we're all using unique passwords for our other logins, the damage is localized.

    3) The 1Password vault is compromised. In my opinion, that's the only case where a separate app used for generating one-time passwords provides a significant advantage over using just 1Password because even if the 1Password vault is compromised there's an additional, independent security layer.

    I agree, that's a situation where not having the TOTP in 1Password could help. That sort of goes back to #1 as well, but I think that TOTP is less of a factor (pun sort of not intended) in this scenario since most sites offer an escape hatch for resetting two-factor. Also, all of your logins in 1Password are compromised in that case.

    So, I was wondering how the risk of attack vector #3 could be mitigated. Would it make sense to generally store TOTP secrets in a different vault than normal passwords or in some kind of secure enclave that requires an additional password? Would this mean additional security at all or would this just be papering over an inherent security risk with that kind of process that can't really be mitigated? Is something like that possible already with 1Password? If not it might be a useful feature. I'd like to hear your thoughts on this.

    1Password, in general, is designed to have your data encrypted with a single Master Password, and unlock everything in the app with that as well, regardless of how many vaults you have. And that's what we recommend as well, since having to memorize and type more than one password encourages us to use weaker ones — or forget them. And after all, this is why we're probably using 1Password in the first place!

    But, you could also set up 1Password on a specific device for only TOTP stuff in a vault used only for that purpose. It's not something we design around or want to recommend, but I thought I should mention it since you asked. Travel Mode is also a feature that can be used to restrict what vaults are available on your devices, though its intended purpose is a bit different from this too.

    At the end of the day, it's an interesting idea, but it places a lot of additional burden on the user and would add complexity to 1Password as well. So our focus is on making 1Password secure enough that it's not only reasonable to save such important stuff there, but that it's the best option for most people*. :)

    *If you're a public figure, it may be worthwhile to use an elaborate setup to keep TOTP stuff separate from everything else, and perhaps compartmentalize other things as well. It's all about your personal threat model.

  • SpaethCo
    edited July 16

    If you’re a public figure relying on TOTP, you’re bound to lose the game. About the only 2FA solution to survive spear phishing attacks is something like a U2F hardware token, where the challenge response is only valid for the AppID that made the request.

    One of the security engineers from Stripe gave a talk at Blackhat on this topic last year:

    Fastmail had a really nice write-up about how U2F works a couple years ago: https://fastmail.blog/2016/07/23/how-u2f-security-keys-work/
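    To make the AppID binding SpaethCo refers to concrete, here is an added Python model (not 1Password's, Fastmail's or any vendor's code) of who fixes which field in a U2F assertion. The ECDSA signature of real U2F is replaced by an HMAC stand-in so the example runs with the standard library only, the appId is collapsed to the page origin, and the class and function names are this example's own; what it preserves is the structure U2F signs (sha256(appId), flags, counter, sha256(clientData)) and the checks the relying party makes, which is why a relayed challenge from a look-alike origin yields nothing an attacker can forward.

```python
import hashlib
import hmac
import json
import struct

# Added example, not vendor code. Models why a U2F assertion cannot be
# relayed from a look-alike origin: the browser (not the page) sets both
# the appId the token sees and the origin inside clientData, and the token
# only holds keys bound to the appId they were registered under. The HMAC
# below is a stand-in for the ECDSA signature of real U2F; the signed
# layout sha256(appId) || flags || counter || sha256(clientData) follows
# the U2F raw message format.


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Token:
    """Model authenticator: one key per appId it was registered under."""

    def __init__(self):
        self.keys = {}     # appId -> key material (stand-in for a key pair)
        self.counter = 0   # usage counter, included in every assertion

    def register(self, app_id: str) -> bytes:
        # Constructed, deterministic key so the example is reproducible.
        key = sha256(b"constructed-key:" + app_id.encode())
        self.keys[app_id] = key
        return key  # the relying party stores this as the "public key"

    def authenticate(self, app_id: str, client_data: bytes):
        key = self.keys.get(app_id)
        if key is None:
            # Real tokens reject a key handle wrapped for a different appId.
            return None
        self.counter += 1
        signed = (sha256(app_id.encode()) + b"\x01"
                  + struct.pack(">I", self.counter) + sha256(client_data))
        return self.counter, hmac.new(key, signed, hashlib.sha256).digest()


def browser_get_assertion(token: Token, page_origin: str, challenge: str):
    """The browser fixes the origin in clientData and the appId; the page cannot."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge,
                              "origin": page_origin}).encode()
    result = token.authenticate(page_origin, client_data)
    if result is None:
        return None
    counter, sig = result
    return client_data, counter, sig


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.pubkey = None
        self.last_counter = 0

    def verify(self, challenge: str, assertion) -> bool:
        if assertion is None:
            return False
        client_data, counter, sig = assertion
        cd = json.loads(client_data)
        # The origin the browser recorded must be ours, and the challenge fresh.
        if cd.get("origin") != self.origin or cd.get("challenge") != challenge:
            return False
        if counter <= self.last_counter:   # replayed or cloned-token assertion
            return False
        expected = (sha256(self.origin.encode()) + b"\x01"
                    + struct.pack(">I", counter) + sha256(client_data))
        mac = hmac.new(self.pubkey, expected, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, sig):
            return False
        self.last_counter = counter
        return True


def scenario():
    """Returns (genuine login ok, replay ok, relayed-from-look-alike ok)."""
    rp = RelyingParty("https://bank.example")          # constructed origin
    token = Token()
    rp.pubkey = token.register(rp.origin)

    # 1. Genuine login on the real origin.
    assertion = browser_get_assertion(token, "https://bank.example", "challenge-1")
    legit = rp.verify("challenge-1", assertion)
    # 2. The same assertion submitted again: the counter has not advanced.
    replayed = rp.verify("challenge-1", assertion)
    # 3. A look-alike site relays the bank's fresh challenge to the victim's
    #    browser; the browser presents the look-alike origin, the token has
    #    no key bound to it and produces nothing to forward.
    relayed = rp.verify("challenge-2",
                        browser_get_assertion(token, "https://bank-example.test", "challenge-2"))
    return legit, replayed, relayed


if __name__ == "__main__":
    print(scenario())   # (True, False, False)
```

    The third case is the whole point of the format: even a user who is fully convinced by the look-alike page cannot hand over anything useful, because the decision about which appId gets signed never passes through the user. The counter check in the second case is a separate defence against a cloned or replayed assertion.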

  • Would be nice to have Yubikey support now that iOS is supported. It supports U2F.

  • Ben AWS Team

    Team Member

    Yubikey / U2F is something we're taking a close look at, though I couldn't really say that we're beyond the brainstorming phase at this point.

    Ben

  • brenty

    Team Member
    edited July 17

    @DaveFL: This discussion is about using 1Password to generate TOTP codes. ;)

    @SpaethCo: Indeed. Thank you for sharing that! That was a great talk, and I hadn't seen it before. :chuffed:

  • @BjoernKW Just to add to the great post that @brenty put together, a couple additional considerations:

    1) Your device itself should have some level of protection if stolen, including but not limited to: device encryption, passcode / biometric lock, remote disablement. This covers a huge swath of cases where a device leaves your control -- for more sensitive cases: say someone snatches an unlocked device out of your hand, you're still protected by the master password for the vault itself.

    In point #3, @brenty hit your biggest account risk factor, and to make sure it doesn't get lost I want to make sure it gets called out again: Account recovery processes are a huge attack surface. Do you have a recovery phone associated with your Gmail account? If you do, you've completely circumvented any protection you feel you've gained with 2FA. With account recovery you don't have to know the password for an account or have access to the 2FA method, you just have to know the username and have access to the account recovery method (insecure, infrequently checked secondary email account, or worse: SMS to a mobile phone).

    In December, people discovered it was ridiculously easy to port T-Mobile numbers. Using that attack vector, people used leaked account information to match usernames to phone numbers, and then used commonly available LRN lookups to find which of those numbers were registered to T-mobile. They then went to town doing password resets on WellsFargo bank accounts (among others) to issue Zelle transfers to get money out of the accounts. A good comprehensive Reddit thread detailing the news reporting of this is here: https://www.reddit.com/r/tmobile/comments/7lplk5/tmobile_wells_fargo_protect_yourself_now/

    The attack really didn't take a lot of technical sophistication to pull off:

    1. Find your users who have T-mobile cell phone numbers.
    2. Start at the WellsFargo "I forgot my password prompt" -- see which usernames work and seem to offer a text with the last 4 numbers matching
    3. Get poorly trained T-mobile phone reps to port those numbers to devices you control
    4. Go to WF, and complete the password reset process by getting the code that is sent via SMS to your newly ported number
    5. Profit!

    What that Reddit thread gets wrong is it makes the assertion that 2FA would have prevented this. It can't. At its core, TOTP is a second password. The primary goal of TOTP is to take people who won't give up using "hello123" as their password everywhere, and give them an additional code that is generated from a TOTP seed that is both unique per site and has acceptable minimum entropy. If you're already using high entropy unique passwords per site, adding TOTP is just like adding a 2nd deadbolt to your front door. If you have enabled account recovery with SMS for that same account, you have a back door which isn't even a door -- it's a sheet of plastic covering an opening to the house, with a "Keep Out" sign that looks just official enough to keep "honest" people out.

  • I realize I forgot to summarize my point in the last post once I got sidetracked talking about services that enable password recovery using SMS when enabling 2FA using SMS (even if you later switch to TOTP, which has sadly been the case with Google and others).

    This is a good discussion, but it sort of becomes a question of "What's the best knife to bring to a gun fight?"

    If you already use different complex passwords for every site, does "type in the code" or "approve this login (yes/no)?" style 2FA add any value?

    • In most cases, you never even see the 2FA prompt unless you already enter a valid user/pass first
    • If you have no password re-use between sites, then a breach at one site wouldn't produce a password that could get someone to a 2FA prompt at another site
    • Phishing and malware are the most likely ways your password/session would be compromised, and TOTP/SMS/App-push 2FA offers no additional protection against that

    So, unless you're using U2F, or client certificates, or another mutually authenticated 2nd factor ... why bother with 2FA at all for online services? For users of password managers it doesn't seem to add any additional security, and worse yet it lures people into taking greater risks because of a false perception of elevated protection. (like @brenty's comment about people using public computers)

  • brenty

    Team Member

    @SpaethCo: I think you hit the nail on the head:

    If you already use different complex passwords for every site, does "type in the code" or "approve this login (yes/no)?" style 2FA add any value?

    Some, but not nearly as much as it often seems to get credit. That was a big part of what we wrestled with before adding support for it ourselves. Unfortunately a lot of conversations ended with "I require two-factor authentication to even consider your product." It isn't exactly security theater, but many people ascribe to it benefits that it does not offer. The best we can do is continue to offer real security that everyone can use (or at least as many as possible) and strive to educate people about real threats and how to defend themselves against them.

    The rest, while terrifying, is also simultaneously encouraging: social engineering can be used to great effect, but it's a solvable problem. Customer service representatives can be trained, and companies will be motivated to do so due to the backlash. But yeah, if SMS can be avoided, that's still best. Phones are just not designed with security in mind, so using them for this purpose creates a weak link in the chain even where one didn't already exist.
