Multi-Factor Authentication?? Please???

SirHC_
Community Member

Hi there,

I regularly attend hacker conferences and I've seen it where a hacker owned a person's computer, and after they capture the victim's master password it's game over, because that's all you need to access an entire 1Password vault.

I see that 1Password implemented TOTP, but there isn't an option for Multi-Factor Authentication. What would be most effective is, each time I need to access the vault, for it to prompt me to enter a Google authentication code after I enter my master password (LastPass offers this as an extra security option). Are there any plans to implement this security feature? That way, if a hacker gets my master password they still can't access my vault...

I've played with DUO for Teams and noticed that DUO Two-Factor only works in the web browser. Using the Mac App, it doesn't prompt me for Two-Factor after I've entered the master password. This is a really bad security flaw, as I can still access all of the Team's vault contents without entering a DUO code.

Anyways, I think 1Password is the slickest password manager on the market; however, at the end of the day, if its security isn't robust I can't justify using it to store my most sensitive and valuable information. I strongly think there should at least be an option to offer Multi-Factor Authentication that works with the desktop clients (i.e. Mac App, Windows App, etc.).

So the question is: Has the development team at 1Password considered Two-Factor Authentication and do they have any plans to implement it like I have described above?

Thanks!
Chris


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni

    @SirHC_: I'm sorry for the confusion. "Two-factor authentication" and "multifactor authentication" are two terms for essentially the same thing: using additional means to authenticate a user, separate from static username and password. 1Password accounts support both our own two-factor authentication, which uses one-time passwords, as well as Duo authentication, which has a number of options, such as push notifications to confirm the login. I hope this helps. Be sure to let me know if you have any other questions! :)

  • SirHC_
    Community Member
    edited August 2018

    Ok so 1Password claims to have 2FA.

    I have Duo configured with my 1Password account and using the Mac App, I'm able to bypass the 2FA and access all of the stored credentials. I can even export all of the user credentials. The 2FA isn't effective and this seems bad. I thought you guys might like to know. I can post a video if it helps.

  • AGAlumB
    1Password Alumni

    @SirHC_: It's two-factor authentication. Authentication happens when you sign into your account on a new device. After that, your encrypted data is stored locally and decrypted on the device when you access it. Were that not the case, you would not be able to access your important data without an active internet connection. If you'd like an "online-only" mode, perhaps we can offer that in the future. But there's been little interest, and frankly most people would be horrified at the prospect of not having access to their data while traveling, etc.

  • Hi @SirHC_

    We’re aware of the fact that you can bypass 2FA and access locally cached data. What you can’t do is bypass 2FA and access data that has not been synced to the device yet. I’d suggest giving this post a read:

    https://discussions.agilebits.com/discussion/comment/445466/#Comment_445466

    Ben

  • SirHC_
    Community Member

    Hey guys, I just want to say thank you for the great responses. I really appreciate you taking the time to get back to me.

    Brenty, I understand what you're saying about the types of two-factor authentication and how it's used on a new device, but if your computer gets compromised and it's single-factor auth, it's game over, man. According to Ben's post, Duo doesn't solve this problem with their implementation of 2FA when using the Mac App. I do think that many people would like an "online-only" mode (as a security professional I would choose this). I think the typical person opens up 1Password when they are trying to log in to a site; therefore, they already have access to the internet, so "online-only" wouldn't be a problem. I understand this isn't ALWAYS the case and it would be a trade-off, but nonetheless it would be an option that I think many security professionals would appreciate. Maybe consider a poll and see if there is interest around the matter.

    Ben, I didn't see that post before, but it certainly answers my questions/concerns. Thank you for directing me to it. I do have to disagree, though. Given the trade-offs, I as a security professional would choose online-only mode. If a hacker did a smash and grab with limited time and 2FA is between them and my treasure trove of information, I would choose to trade off offline access as an inconvenience (another idea is to not require 2FA for the phone app; then they still have some offline access on their phone but not on their laptop). Also, to be honest, I don't think bandwidth size is really going to have a meaningful impact on the user in a world with unlimited data.

    Thanks,
    Chris

  • pervel
    Community Member

    I do wonder what online-only mode would really protect against in practice. In order for the bad guys to steal your offline data, they would have to have already compromised your computer somehow. If that's the case, what's to stop them from stealing your online-only data once you have successfully authenticated? Your computer will always be the weak link because that is where your data get encrypted/decrypted. So I'm not sure what 2FA can really do about that.

  • @SirHC_

    I understand your concerns, but please consider:

    1. This is something we need to decide for all 1Password users... it isn’t really practical to have such a core concept be a “toggle.”
    2. Many people are concerned with offline access not only for when they are offline but also for when WE are offline, or there is an AWS outage. I think if you read through this forum there are a lot of customers who have had concerns with membership based on data availability (also a critical concept in information security), and so there is indeed a balance that needs to be struck.
    3. As pervel alluded to, the threat / attack vector here seems fairly “thin,” if you will, especially considering and compared to the likelihood of connectivity issues (for whatever reason) between any given customer and us.

    As such I think for right now we’ve chosen the right path here. I understand it may not be ideal in every circumstance, but we do have to consider the broader audience.

    Ben

  • SirHC_
    Community Member

    Pervel, slowing an attacker down makes all the difference with identity theft and damages they can incur. Put the right protections in place and you certainly can slow down and deter a hacker who has compromised your computer. I'd rather make the hacker wait 2 months to gather random logon data vs. giving them every bit of sensitive info at once in one export file they can steal in 3 minutes. This also gives you the time to notice something isn't right and take action before your identity is completely stolen.

    Ben, I totally understand there is a business model here and implementing changes needs to be practical for most users. I love 1Password for various reasons. I think it might be the best on the market right now, and I've come around to accept a lot of the reasoning you've stated. However, the last thing I would request your consideration on is the feasibility of a rule where, if a user is signed up with Duo, any time the Mac App has an internet connection it enforces the 2FA (so there can be no bypass). If a remote hacker does have access to your system, they'll require an active internet connection to your box. Therefore, if the Duo 2FA is enforced while 1Password is internet connected, this would thwart the attack. When 1Password doesn't have an internet connection, the user wouldn't be prompted for 2FA at all. This way there's added security and users can still access their content offline.

    Anyways, I want to sincerely thank you for having this creative discussion. I'm really impressed that I got as much feedback as I did! Thank you!

  • pervel
    Community Member

    @SirHC_: But would it actually slow them down at all? If they can capture your credentials live (including 2FA), then they can siphon all of your data just as fast. It wouldn't have to take months. If your computer is compromised, the hackers can do exactly what you can do on that computer.

  • Likewise, these are important conversations, and so I thank you for bringing the subject up. It keeps us honest and makes sure we’re at least on the same page with ourselves. Thanks also for the kind words.

    However, the last thing I would request your consideration on is the feasibility of a rule where, if a user is signed up with Duo, any time the Mac App has an internet connection it enforces the 2FA (so there can be no bypass). If a remote hacker does have access to your system, they'll require an active internet connection to your box. Therefore, if the Duo 2FA is enforced while 1Password is internet connected, this would thwart the attack. When 1Password doesn't have an internet connection, the user wouldn't be prompted for 2FA at all. This way there's added security and users can still access their content offline.

    This sounds like Security Theater. Could an attacker not simply disconnect your computer from the internet? All this seems to do is add one small step to any attack, with no real barrier. It doesn’t stop an attack vector as far as I can see.

    Ben

  • SirHC_
    Community Member

    @pervel, it sounds like you're inferring that the 2FA program is also installed on your computer (which is a really, really bad idea because of what you just described). Most security professionals know to have an authenticator installed on a separate device, so in the event of a compromise they can prevent exactly that from happening. If you have Google Authenticator set up on a separate device (i.e. your phone), the hacker will not intercept the 2FA code to use whenever they want it; those codes are good one time only.

    On the other hand, a hacker could wait around all day long for the precise moment you unlock your password vault (it's possible, just not realistic). Most hackers just gather information when they're logged on, or leave programs running to gather your input, but rarely do they sit, watch and wait lol. This can't be thwarted so much, but again, that's also extremely unlikely to happen.
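    The model Brenty and Ben describe above (the second factor is checked when a device signs in and pulls the ciphertext; the locally cached vault is then decrypted with the master password alone) and the point about authenticator codes being good once only, as an added Python illustration. This is not 1Password's code and does not reflect its real protocol or vault format: the HMAC-based stream cipher, PBKDF2 settings, salts, the RFC 6238 test-vector secret and the sample vault contents are all constructed for the demo.

```python
import hashlib
import hmac
import struct

STEP = 30              # TOTP time step in seconds (RFC 6238 default)
KDF_ROUNDS = 100_000   # constructed demo parameter, not 1Password's KDF settings


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): one code per 30-second window."""
    msg = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def derive_keys(master_password: str, salt: bytes):
    """Password -> (encryption key, MAC key). Only the password is involved."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ROUNDS, 32)
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 counter keystream); illustration only."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)


def encrypt_vault(master_password: str, plaintext: bytes, salt: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC; blob layout is salt(16) | nonce(16) | tag(32) | ciphertext."""
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def decrypt_vault(master_password: str, blob: bytes):
    """Return plaintext, or None when the tag fails (wrong password or tampering)."""
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _keystream_xor(enc_key, nonce, ciphertext)


class SyncServer:
    """Stores only ciphertext; releases it after a password proof plus a one-time TOTP code."""

    def __init__(self, master_password: str, totp_secret: bytes, encrypted_vault: bytes):
        self.auth_salt = b"constructed-auth-salt"   # distinct from the vault salt
        self.verifier = self._proof(master_password)
        self.totp_secret = totp_secret
        self.encrypted_vault = encrypted_vault
        self.used_windows = set()                   # replay protection: a code is accepted once

    def _proof(self, master_password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", master_password.encode(), self.auth_salt, KDF_ROUNDS, 32)

    def sign_in(self, master_password: str, code, now: int):
        if not hmac.compare_digest(self._proof(master_password), self.verifier):
            return None
        window = now // STEP
        if code is None or window in self.used_windows \
                or not hmac.compare_digest(code, totp(self.totp_secret, now)):
            return None
        self.used_windows.add(window)
        return self.encrypted_vault


class DesktopClient:
    """After the first sync the ciphertext is cached; unlock needs only the master password."""

    def __init__(self):
        self.cache = None

    def sign_in(self, server: SyncServer, master_password: str, code, now: int) -> bool:
        blob = server.sign_in(master_password, code, now)
        if blob is None:
            return False
        self.cache = blob
        return True

    def unlock(self, master_password: str):
        """Offline path: no server round trip, so no second factor is ever consulted."""
        return None if self.cache is None else decrypt_vault(master_password, self.cache)


def run_scenario() -> dict:
    """Walk through the thread's scenario and return the observable outcomes."""
    password = "correct horse battery staple"          # constructed
    secret = b"12345678901234567890"                    # RFC 6238 test-vector secret
    vault = encrypt_vault(password, b'{"example.com": "hunter2"}', b"A" * 16, b"B" * 16)
    server = SyncServer(password, secret, vault)
    client = DesktopClient()
    now = 59                                            # fixed clock for reproducibility
    code = totp(secret, now)
    return {
        "new_device_password_only": client.sign_in(server, password, None, now),     # False
        "new_device_password_and_code": client.sign_in(server, password, code, now),  # True
        "same_code_replayed": DesktopClient().sign_in(server, password, code, now),  # False
        "cached_unlock_password_only": client.unlock(password),   # plaintext, no 2FA involved
        "cached_unlock_wrong_password": client.unlock("wrong"),   # None
    }
```

    run_scenario() shows the outcome the thread is arguing over: the server refuses a password-only sign-in and a replayed code, but once the ciphertext sits on the device the unlock path never contacts the server, so there is no point in that path where a second factor could be checked. That is why the discussion turns on whether an "online-only" mode (no local cache) is worth the availability cost, rather than on how the second factor is implemented.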

  • SirHC_
    Community Member

    @Ben, sure, an attacker could disconnect the computer from the internet, but if they did that, the attacker would also get disconnected from the victim's machine, at which point the attacker couldn't steal the data anymore because they are no longer connected to the victim's system.

  • SirHC_
    Community Member

    @Ben, If that's the outlook I'm not sure why Duo 2FA was implemented as part of 1Password at all. Simply put, Duo 2FA works perfectly in the web browser and was likely implemented because the community felt it was needed. The way I see things the existing 2FA with Duo isn't properly implemented in the 1Password Mac App because you don't get the same level of security you do in the web browser.

  • Sure, an attacker could disconnect the computer from the internet, but if they did that, the attacker would also get disconnected from the victim's machine, at which point the attacker couldn't steal the data anymore because they are no longer connected to the victim's system.

    Surely if they are determined enough and capable enough they’d just block access to 1Password.com without causing themselves to lose connection to the machine? Or they’d write and run a script that would disconnect entirely, run the exploit, and then reconnect?

    If that's the outlook I'm not sure why Duo 2FA was implemented as part of 1Password at all. Simply put, Duo 2FA works perfectly in the web browser and was likely implemented because the community felt it was needed. The way I see things the existing 2FA with Duo isn't properly implemented in the 1Password Mac App because you don't get the same level of security you do in the web browser.

    I believe we’ve already had this discussion above. :)

    Ben

  • AGAlumB
    1Password Alumni

    Also, not everyone has unlimited data, bandwidth, and reliable, always-on internet. It's important that 1Password doesn't become useless to those people, or folks who just happen to be in that situation while traveling, in an outage, etc. It's possible that there's a good niche for "online-only", probably companies, and we'll continue to listen to feedback from all of our users in this area. :)

This discussion has been closed.