1Password.com Account Security

Penelope Pitstop
Penelope Pitstop
Community Member
edited October 2018 in Families

I'm new to 1Password Families and using 1Password.com to store my vaults, so please accept my apologies if my questions are stupid or already answered elsewhere. I just want to verify that I understand what I’m doing and taking the right steps to secure my data, and I was struggling to find the answers with searching.

As I understand it, when anyone attempts to sign into my account on 1Password.com from an unknown browser or device:

  • They are required to supply the secret key as well as the master password.
  • If I have enabled two-factor authentication, they will be asked to supply a six-digit code.
  • If the login is successful, I get sent an email to advise me of a successful login from a new place.

Did I get that right?

If so:

  1. What extra value does the two-factor authentication add?
  2. If I lost the phone I was using to run my authentication app and could not get access to the backup because I forgot the encryption key for it, would I still be able to access my data? If so, how?
  3. What happens with failed login attempts to my account?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Penelope Pitstop: Oh, no way! You ask the best questions. :)

    As I understand it, when anyone attempts to sign into my account on 1Password.com from an unknown browser or device:
    1) They are required to supply the secret key as well as the master password.
    2) If I have enabled two-factor authentication, they will be asked to supply a six-digit code.
    3) If the login is successful, I get sent an email to advise me of a successful login from a new place.
    Did I get that right?

    You're right on. And I think that's a great way to break it down. :)

    If so:
    1) What extra value does the two-factor authentication add?

    It gives you a shared secret which is used to generate a Time-based One-Time Password (which I'm sure you know), and that means an attacker who was able to steal your other (static) account credentials will not be able to use them to login. Also, even if they also steal a valid TOTP code, they would have only a short window of opportunity to use it, both due to the time factor, and because the code will no longer be valid if you use it first within that window. They would have to obtain your actual TOTP secret in order to be able to generate the correct code needed to login at any given time. So it protects against some classes of attacks, such as replay.

    2) If I lost the phone I was using to run my authentication app and could not get access to the backup because I forgot the encryption key for it, would I still be able to access my data? If so, how?

    You would be able to access your data on a device you've already authorized, as it is cached locally. And you could even disable two-factor authentication in your account settings using a browser which you'd previously authorized, since only your Master Password would be required in that case. But you would not be able to sign into a new device/browser without all of your account credentials, including a valid code generated using the TOTP secret for your account.

    3) What happens with failed login attempts to my account?

    Much like if you mistype your account credentials, nothing. But repeated attempts will be throttled by the server, not only for security but for stability of the service.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • Penelope Pitstop
    Penelope Pitstop
    Community Member
    edited October 2018

    Thank you so much @brenty.

    Regarding #2, what happens when I accidentally fall into the sea with all my devices on me, and they are all totalled? No way to get that TOTP.

    My questions probably reflect my lack of understanding on TOTP. I’m wondering if I can still generate them on another device if I lost the original. Common sense tells me I should be able to, but there is no such thing as common sense.

  • Penelope Pitstop
    Penelope Pitstop
    Community Member

    Also, regarding #1, does this mitigate against key loggers to some extent?

  • AGAlumB
    AGAlumB
    1Password Alumni

    Regarding #2, what happens when I accidentally fall into the sea with all my devices on me, and they are all totalled? No way to get that TOTP.

    @Penelope Pitstop: Correct. Just like the rest of your account credentials, you'll want to have a backup plan. That way you can sign into your account on a new device to access your data, even if all others were lost, stolen, or destroyed. Better safe than sorry.

    My questions probably reflect my lack of understanding on TOTP. I’m wondering if I can still generate them on another device if I lost the original. Common sense tells me I should be able to, but there is no such thing as common sense.

    Oh, you can absolutely generate the code on multiple devices. But if you just save a backup of the TOTP secret for emergencies, you can always use it to setup a new one to generate the code too. There is nothing tying it to a specific device. It's just a string used to calculate codes based on the current time. Does that help?

    Also, regarding #1, does this mitigate against key loggers to some extent?

    Only the stupid ones. :unamused: Someone who is able to install a key logger on your machine should be assumed to be competent enough to know what they're after and what to do with it, even though that will not always be the case. It would be trivial for them to also hijack your browser to prevent you from signing in successfully while using the credentials you enter to sign in themselves. That's why we want to be clear that two-factor authentication only protects against certain classes of attacks.

  • Penelope Pitstop
    Penelope Pitstop
    Community Member

    Thanks @brenty.

    I think I've got it now. I've just been reading authy's recovery FAQs.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited October 2018

    Sounds good! You're very welcome. :chuffed:

    In case it helps anyone else, here's that info on Authy:

    https://support.authy.com/hc/articles/115012672088-Restoring-Authy-Access-on-a-New-Lost-or-Inaccessible-Phone

    Cheers! :)

  • Penelope Pitstop
    Penelope Pitstop
    Community Member

    I was wrong, I still have more questions.

    I was surprised to be prompted for my TOTP again on two devices today. What circumstances trigger that?

    I thought that once a device was trusted, it was trusted. It seems there is more to it than that.

  • Ben
    Ben
    edited October 2018

    @Penelope Pitstop

    Was this in a web browser or one of our apps? You are correct on the general principal, but with web browsers especially it gets a little tricky.

    Ben

  • Penelope Pitstop
    Penelope Pitstop
    Community Member

    Hi @Ben

    iPad after an upgrade to the latest 12.1 beta and simultaneously the iPhone which has been on it for a day or two.

  • Okay, interesting. I don't believe an iOS update is intended to require re-authorizing the device. I'll have to do some testing and see what the situation is.

    Ben

  • Penelope Pitstop
    Penelope Pitstop
    Community Member

    Thank you @Ben. I’m puzzled by the simultaneous request on iPhone.

  • Penelope Pitstop
    Penelope Pitstop
    Community Member
    edited October 2018

    It happened again on my iPhone today, and I have made no changes to the configuration. Does a device restart trigger TOTP? I know it triggers the requirement to enter your master password again.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Penelope Pitstop: I haven't had to re-authenticate after an iOS update either. It's certainly possible that could happen if the app data is delete/damaged, but it isn't something handled at the OS level at all (unlike Touch ID/Face ID, which often will be reset after an update). Did you perhaps deauthorize the device from your profile in the 1Password.com web interface, or reset the browser?

  • Penelope Pitstop
    Penelope Pitstop
    Community Member

    No @brenty. I can't link it with anything. I'll watch out for it and see if I can make a link with the circumstances.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Penelope Pitstop: Thanks! Even if you're not able to pin it down, I'd appreciate you letting me know if it happens again. I'm not convinced it's the same thing, but there's another user I've been talking to who is getting promoted for the TOTP code repeatedly.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Penelope Pitstop: Actually, just out of curiosity, does it happen after waking the device from sleep?

  • mac_techie
    mac_techie
    Community Member

    Today I experienced a similar issue. When opening 1Password on a trusted device I was unexpectedly prompted for TOTP. I had used 1Password on this device earlier in the day without issue.

  • Thanks @mac_techie. What platform was this on, and what version of 1Password?

    Ben

  • mac_techie
    mac_techie
    Community Member

    Thanks, @Ben. I was using the lastest version of 1Password for iOS. I was using a VPN at the time; perhaps that could be related. I thought the TOTP request was odd because I had already entered a code when I set up the two factor option.

  • If you see it happen again please generate a diagnostic report just after seeing it and send that to us at support+forum@1password.com. Then please post the support ID you get here.

    How to send a 1Password diagnostics report

    Ben

This discussion has been closed.