Feature Request: 2FA Backup Codes

johnnywoz
Community Member

I'd like to request a special section/field for saving 2FA backup codes within the Login item that would be hidden normally but viewable when needed (click button) or in edit mode.



Comments

  • AGAlumB
    1Password Alumni

    @johnnywoz: We don't currently have plans to offer static, non-expiring "backup codes" for 1Password.com two-factor authentication. That kind of subverts the security benefits of Time-based One Time Passwords which customers asked us to offer as an option in the first place. You can (and should), however, back up your QR code and/or TOTP secret, just like you do the rest of the information you'd need to get into your account in an emergency, as with the Emergency Kit, in a similarly secure place, like a safe deposit box. You could, of course, also store it in 1Password itself, as you describe above, but keep in mind it will do you no good unless you still have access to 1Password on an authorized device and know your Master Password to unlock it.

  • XIII
    Community Member

    Maybe @johnnywoz was not asking for 1Password but for other logins stored in 1Password?

    If so, that can already be achieved by adding a custom password field (that's how I store 2FA backup codes).

  • AGAlumB
    1Password Alumni

    @XIII: Ah, perhaps you're right. Good call! Indeed, custom password fields are handy for this...but I'm pretty lazy, so I usually just dump the lot in the Notes field. Your way is better though. Cheers! :lol:

  • johnnywoz
    Community Member
    edited October 2018

    @brenty, Sorry for the confusion.

    As @XIII pointed out, I was asking about saving those 10 codes that websites (not 1P site) give you as a back up to 2FA.

    Yes I know I can just dump them in the Notes field or a custom field, but then they are always visible when viewing the login item and if someone peers over my shoulder they would be able to see them, pretty much the same reason why 1P has that nice feature to Conceal our passwords.

    So my feature request is for a specific “Backup Code” field/note to store those 10 codes that could then be Concealed from view.

  • johnnywoz
    Community Member
    edited October 2018

    Correction, I should be saying “Section” not field.

    As an afterthought, maybe the feature request should be to allow each section to be individually set for concealment.

    I tend to store a lot of data in all my login items that relates to that specific website, being able to hide a section would help to reduce clutter when viewing the login items.

  • AGAlumB
    1Password Alumni

    @johnnywoz: Ha! I stand corrected. Sorry for misunderstanding. :)

    Keep in mind that you can change any custom field to "password" type on the right, and that will conceal it. It sounds like that's what you're looking for. Cheers!

  • XIII
    Community Member

    Yes I know I can just dump them in the Notes field or a custom field, but then they are always visible when viewing the login item and if someone peers over my shoulder they would be able to see them, pretty much the same reason why 1P has that nice feature to Conceal our passwords.

    I solved that by setting the custom field(s) to type "Password". They will be concealed then.

  • AGAlumB
    1Password Alumni

    :) :+1:

  • johnnywoz
    Community Member

    @brenty I just played with your suggestion, and yes I already knew I could do that, but that creates a lot of work to copy each code into a separate “password” field and leaves me with a long list of “passwords” that takes up a lot of room. Plus also has some confusion when editing a login item as 1P then gives you the option to “generate new password”, not something one should do with these backup codes.

    So no, I would rather see something like a Notes Section that you can just dump the list of 10 codes into and then hide the whole list and just show the title of the Note.

    Please consider adding this to the feature request list as I believe it would help make the process of setting up 2FA easier for users that are not tech savvy. Making 2FA easy would help promote/prompt people to use 2FA, which is what we want people to do to help secure their logins, right?

  • AGAlumB
    1Password Alumni

    I just played with your suggestion, and yes I already knew I could do that, but that creates a lot of work to copy each code into a separate “password” field and leaves me with a long list of “passwords” that takes up a lot of room.

    @johnnywoz: Yeah that's why I use Notes. ;)

    Plus also has some confusion when editing a login item as 1P then gives you the option to “generate new password”, not something one should do with these backup codes.

    Yeah don't do that!

    So no, I would rather see something like a Notes Section that you can just dump the list of 10 codes into and then hide the whole list and just show the title of the Note. Please consider adding this to the feature request list as I believe it would help make the process of setting up 2FA easier for users that are not tech savvy. Making 2FA easy would help promote/prompt people to use 2FA, which is what we want people to do to help secure their logins, right?

    It's something we can consider for a future version. It's just not something there's been a lot of interest in, since everything in 1Password is encrypted and nothing is displayed unless you select it. Thanks for bringing it up! :)

  • XIII
    Community Member

    Please add a +1 for me.

    I even made some Keyboard Maestro macros because of the hassle it is to add 10 custom fields of type password...

  • AGAlumB
    1Password Alumni

    @XIII: Will do. But does this come up a lot for you? Even creating accounts for testing, I'm only doing this (well, my lazy version) once a week or so.

  • johnnywoz
    Community Member

    @brenty Where can I send in a formal feature request as I would like this to be seen/understood/reviewed and strongly considered by AgileBits.

    UI/UX is a big deal for end user adoption of a feature, as soon as a process makes a user have to stop and think about it, you lose 80% of the people who will then not use that feature. As we all agree, 2FA is something users should be using to protect their web services, and therefore AgileBits should consider making ALL steps of using 2FA as easy as possible, which would also give 1P a step up over other password apps. 1P makes the setting up of 2FA simple, but then fails to help users save those backup codes when the website presents them to the end user. Saving 2FA backup codes in 1P is far better than writing them on a sticky note or in a digital note or worse not at all when the user doesn’t know where to put them within 1P. The Note section is not a good place as you are then lumping in all that data with all your other notes, what a mess.

    As a project manager for application development, I’ll even go a step further for your consideration and lay out the functionality for this feature.

  • johnnywoz
    Community Member

    @XIII just exemplified the issue, he had to come up with work-arounds and custom processes in order to save that data.

  • johnnywoz
    Community Member
    edited October 2018

    Note that I am a huge AgileBits fan and have been since version 1. The biggest reason is AgileBits’ dedication to ensuring the app/data is as unhackable as possible, something other apps have not been able to do. BUT, up until recently, 1P was not necessarily the most easy to use app and it is with that I want to help to make 1P easy to use in all aspects so 1P can further dominate the password manager market. And yes I do understand you can’t just throw a kitchen sink of features into an app, things get messy and too confusing.

  • johnnywoz
    Community Member
    edited October 2018

    @brenty : “But does this come up a lot for you? Even creating accounts for testing, I'm only doing this (well, my lazy version) once a week or so.”

    How often does creating a new secure note, credit card, social security card, etc., come up for you? That is not a good test for the need of a feature.

  • johnnywoz
    Community Member

    Sorry @XIII, I misquoted in the above post. I’m using an iPad and for the life of me I’m not able to figure out how to reply to a post.

  • AGAlumB
    1Password Alumni

    just exemplified the issue, he had to come up with work-arounds and custom processes in order to save that data.

    That's sort of the point of custom fields. It's even in the name. ;)

    How often does creating a new secure note, credit card, social security card, etc., come up for you? That is not a good test for the need of a feature.

    You don't want to know how many items I create on a weekly basis. It's a lot more than two-factor backup codes, and man do I need to do some cleanup. Also, those features already exist, so we don't have to develop and test them from scratch. Apples and oranges. :tongue:

    Where can I send in a formal feature request as I would like this to be seen/understood/reviewed and strongly considered by AgileBits.

    This is the place. :) :+1:

    The Note section is not a good place as you are then lumping in all that data with all your other notes, what a mess.

    Perhaps not, but I think that's my prerogative when it's my data. :lol:

  • XIII
    Community Member
    edited October 2018

    But does this come up a lot for you?

    In general: no.

    But I "had" to add 2FA to a lot of (secondary) Slack (and Twitter) accounts when 1Password introduced Watchtower 2.0... :wink:

  • AGAlumB
    1Password Alumni

    @XIII: Ahaaa! That makes perfect sense. I knew there had to be some reason. Thanks for counting those dots for me there. :)

  • jimthing
    Community Member
    edited February 2019

    I echo the OG's sentiment here.

    For most sites, when you set up 2FA they then say "Make a copy of these backup codes:" and show you a list of normally 10 codes.

    When a user gets these, they then have to ask 'where do I store these in 1Password's "system" ', with no clear place for a load of codes to be put. Sure most people currently chuck them in the Notes field, but 1Password doesn't advise on where these codes should be put, so users are effectively guessing what they should do with them (thus run out of easy ideas, and paste them in the notes!).

    That doesn't make sense. If you're offering to set up & store OTPs, and know that most websites then spit out a set of 10 backup codes, then you should be advising users on where to store these** as the Notes is really not a good place, given these are part of (backup) login options, and not simply 'notes' about the account.

    ** (preferably, they should be in their own "Backup codes" section, available as a simple single copy/paste action, rather than saving each one individually as a "password" which they're clearly not, and causes confusion to login procedure.)

  • johnnywoz
    Community Member

    @jimthing Thumbs Up !!!

  • I'm not sure I understand the purpose of storing those codes, particularly on the same record you're storing the TOTP secret. In what circumstance would these codes be used?

    I echo the OG's sentiment here.

    I think perhaps you mean the OP ("original poster"). :)

    Ben

  • jimthing
    Community Member
    edited February 2019

    I'm not sure I understand the purpose of storing those codes, particularly on the same record you're storing the TOTP secret. In what circumstance would these codes be used?

    Example: If you deleted the OTP field from 1P by accident. To log back into the website/service, you'd be asked for one of these backup codes in order to do so.

    But TBH, that's not really the question. The question is how to, not why to. ;)

    (yep, OP: oops, typo!) :|

  • Ben
    edited February 2019

    Example: If you deleted the OTP field from 1P by accident. To log back into the website/service, you'd be asked for one of these backup codes in order to do so.

    Fortunately 1Password has automatic backups, so if that were to happen you could restore and recover the TOTP info:

    1Password backups

    But TBH, that's not really the question. The question is how to, not why to. ;)

    Fair enough. Such things could currently either be stored in the notes field, a custom section, or even a separate Secure Note item. I understand the desire is for there to be a built-in field for them, specifically, but we have to consider that this could be just as annoying to folks who wouldn't use it as it would be helpful to folks who would. Perhaps as more sites continue implementing 2FA this is something we can look more closely at.

    (yep, OP: oops, typo!) :|

    No worries. Maybe johnnywoz is an OG too. ;) :)

    Thanks.

    Ben

  • jimthing
    Community Member
    edited February 2019

    but we have to consider that this could be just as annoying to folks who wouldn't use it as it would be helpful to folks who would.

    Eh? How would it be annoying for those that wouldn't use it?
    If you want to use a function you do, if you don't you don't.

    Outside of the 1P Backups facility, is there therefore no reason to store these codes? If so, perhaps this should be added somewhere in 1P, with an explanation as to why, so that users don't bother saving them.

  • Outside of the 1P Backups facility, is there therefore no reason to store these codes? If so, perhaps this should be added somewhere in 1P, with an explanation as to why, so that users don't bother saving them.

    I don't save them, and I'm struggling to find a good reason to do so, but I'm also not going to go out of my way to tell people not to.

    Eh? How would it be annoying for those that wouldn't use it?

    Have you read about the things people complain about in this forum? :)

    Ben

  • Fleshgrinder
    Community Member

    I store them, just in case. I believe that my feature request for concealable multiline text would cover this request as well without a dedicated feature and without giving a statement whether it is good to store these recovery codes or not. This should suit everyone.

  • tetardbleu
    Community Member

    Personally I store them in a document, attached / linked to the login item. To avoid confusion with multiple password fields and make them invisible anyway unless the document is open. But I like this feature request better and would like to add my vote to it.

  • AGAlumB
    1Password Alumni

    Indeed, there are a number of things to consider. Thanks for chiming in! :)

This discussion has been closed.