2 Factor Authentication

I am encountering the seemingly random requirement for auth when on X using Chrome. It is happening on a laptop well known to X. For ex., and this is one of many such events, I was logged in to X, left the laptop for a couple of hours and it likely went to sleep. On awakening the laptop, I found I had to log into X and when I did, it required 2 factor auth from me. Note that my settings are for no lock on sleep and time-out at the max., 999 minutes.

So, I guess there are two issues:
1. Why the requirement for auth?
2. Why the requirement for log-in after laptop sleep, despite the setting not to require? Do I have to turn off Automatic Lock entirely?

Many thanks.


Comments

  • AGAlumB
    1Password Alumni

    @Maury: Honestly, it sounds like you may be running into some issues due to browser limitations. Can you tell me the specific OS, 1Password, and browser versions you're using there? I'm not sure there's anything we can do about it since 1Password X runs fully sandboxed within the browser, but it's certainly something we can look into. If you'd like more control over locking and other security behaviour, you may want to use the desktop app. However, we don't ever recommend setting 1Password in such a way as to have it never lock; otherwise we might as well just put our passwords in a spreadsheet. ;) Anyway, let me know the details and we'll go from there. :)

  • Maury
    Community Member

    Brenty, thanks. I'm not sure how the desktop app is/would be different from the 1Password icon on which I click on my Toolbar. If you really think it would make a difference, please apprise as to how to acquire the app for use on my Windows/Chrome/laptop [Apple store?] and I'll do it.

    To your question: 1Password X version is 1.12.2. Chrome version is 70.0.3538.102. I just now updated from what had been xxxx.77.

    If I could, I'd like to ask you another question, raised by a circumstance last night:

    When you are trying to autofill (as I tried on my iPad last night) and 1Password offers to fill with its stored data, is there a way (I couldn't find it) to ask 1Password to offer me a different choice or, alternatively, transition to my vault so I can choose an alternative?

    Here is the genesis of my question: I communicate with both Merrill Lynch and Bank of America and have usernames/passwords, which are different, for both. B of A has merged with ML--they are the same organization but have different log-ins. When I was sent a secure message from ML yesterday and tried to respond securely, 1Password understandably read the B of A URL that generated the message to me and offered only the B of A log-in info for autofill. I need to get to the ML log-in data but couldn't find a way to "tell" 1Password that I needed to change what it was offering.

    Appreciate your help.

    Maury.

  • AGAlumB
    1Password Alumni

    @Maury: The 1Password desktop extension integrates with the native app running at the OS level, which can detect sleep, system idle, etc.; whereas a self-contained extension like 1Password X runs within the browser's sandbox.

    Regarding the new iOS 12 Password Autofill feature, this is handled completely by the OS; but you can tap the "key" icon and "1Password..." at the bottom to open the 1Password app view. As far as "change what it was offering", both iOS and 1Password will only give Logins that match the current URL as options for filling. Otherwise it would be easy to fall prey to phishing scams. You can, however, add multiple URLs to a Login in 1Password in order to allow it to be filled on different sites -- like your example, or apple.com and icloud.com.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • Maury
    Community Member

    Confused by the process for downloading the app. Seems to be duplicative of what I have already. Don't know how I would have my laptop scan the code. Potential for the app to be in conflict with the browser based 1Password installation? If I were to successfully install the app, would I just then use that for signing in? Delete the browser-based 1Password icon/sign-in?

    On the second point, I'll try adding the ML password in my vault to the B of A username and password in my vault and hopefully will see the option to use that ML password when I sign into B of A. Thanks for the suggestion.

    Maury.

  • AGAlumB
    1Password Alumni

    @Maury: I definitely recommend using either 1Password X or the 1Password desktop app/extension. It is possible to use both -- I do -- but it can be confusing. What's your preference? Either way, keep in mind that it isn't necessary to be able to scan a QR code. Certainly not everyone has that capability on their device. In that case just enter your account credentials manually to sign in.

    If both accounts use the same username and password, you just need to add multiple URLs to the existing Login item for it to be used at those sites.

  • Maury
    Community Member

    Brenty, appreciated.

    Since the ML and B of A sites can be positioned to have the same username and password, I did that and all seems to be well. So simple. Wish I had thought of that to begin with.

    As to the app: I'm using X with Chrome. I thought your suggestion re: the app was a route to getting better control of security settings. That's the only reason I contemplated going with that. The main issue is inexplicable requests by X to 2-factor auth in the absence of change in device.

  • AGAlumB
    1Password Alumni

    You're very welcome! Glad that helped. :)

    As far as security settings, it may not be what you were thinking of. I refer to it that way primarily because it's listed under "security" in the settings, but you may think of them more as "convenience settings" since they primarily let you determine how often you need to enter your Master Password.

    Regarding two-factor authentication, can you be more specific about what you're doing and what you're seeing? If it's simpler, take a screenshot of this. To include it in your reply, simply click the document button in the top of the comment field, and select the file you wish to share:

    Just be sure not to post anything sensitive, as this is a public forum. To be clear, you should need to authenticate every time if your browser isn't saving the account, or if you're clearing it afterward. Thanks in advance!

  • Maury
    Community Member

    Brenty,

    Again, thanks. It just happened again. Using Chrome and X. I signed into X for the first time today and was asked for my 2-factor auth. Same laptop, no new device. No change in OS or settings. Access to X was by clicking on 1Password icon on my toolbar. Request for auth is seemingly random but maybe I'm missing some pattern.

    Let me also ask this: My 2-factor auth is via Google Authenticator on my iPhone. Now, I understand that 1Password had an "internal" (?) authenticator that does not require an external app. Is that so and, if it is, am I right in assuming that maintaining the external auth is a more secure process? Seems to me, correct me if I am wrong, that internalizing the auth within 1Password is a little like letting the fox watch the chicken coop. But, of course, I stand to be corrected.

    As always, thanks for your insights.

    Maury.

  • AGAlumB
    1Password Alumni

    > Again, thanks. It just happened again. Using Chrome and X. I signed into X for the first time today and was asked for my 2-factor auth. Same laptop, no new device. No change in OS or settings. Access to X was by clicking on 1Password icon on my toolbar. Request for auth is seemingly random but maybe I'm missing some pattern.

    @Maury: Unless I'm misunderstanding, it sounds like you absolutely should need to authenticate, when, as you said, you "signed into X for the first time". A new sign in will always require authentication, and also the second factor if you have that setup on your account.

    > Let me also ask this: My 2-factor auth is via Google Authenticator on my iPhone. Now, I understand that 1Password had an "internal" (?) authenticator that does not require an external app. Is that so and, if it is, am I right in assuming that maintaining the external auth is a more secure process? Seems to me, correct me if I am wrong, that internalizing the auth within 1Password is a little like letting the fox watch the chicken coop. But, of course, I stand to be corrected.

    We definitely recommend not using 1Password to generate a one-time password for 1Password, not because of security (though you're correct that using a separate device for the second factor has a small security benefit), but because you'd be locked out of your account forever if you didn't have any authorized devices (for example, if they were lost, stolen, or destroyed). We state this right upfront, and I can't really put it more articulately:

  • Maury
    Community Member

    Brenty,

    I think you may have misconstrued my first point. I wasn't referencing signing into 1Password X for the first time ever on the device (laptop, Windows, Chrome), I was referencing signing into it for the first time that day. If the system does require 2-factor auth on a daily basis, that's fine. It's just that I understood it to be necessary only when signing in for the first time ever on a new device. The requirement for me to auth has been variable. Sometimes on signing in for the first time on any given day, sometimes after I have been logged out and come back in.

    I don't know what you meant by: "and also the second factor if you have that setup on your account." You had just referenced auth in that sentence. What's the second factor after that?

    I'm a little vague on the meaning of one-time password. As I recall, I had to allow that on my iOS devices in order to achieve autofill. I haven't been thinking of it in terms of 2-factor auth. But if the bottom line of your message is that I am better off maintaining Google authenticator for my auth, that's fine. Just needed that confirmation from you.

    Maury.

  • AGAlumB
    1Password Alumni
    edited November 2018

    > I think you may have misconstrued my first point. I wasn't referencing signing into 1Password X for the first time ever on the device (laptop, Windows, Chrome), I was referencing signing into it for the first time that day. If the system does require 2-factor auth on a daily basis, that's fine. It's just that I understood it to be necessary only when signing in for the first time ever on a new device. The requirement for me to auth has been variable. Sometimes on signing in for the first time on any given day, sometimes after I have been logged out and come back in.

    @Maury: Thanks for the clarification! You'd be right, unless you (or something else) is clearing the session or otherwise resetting things in the browser. Then you'd have to sign in. Also, I think it's helpful to not call unlocking 1Password "sign in". They're very different. There is no authentication involved in unlocking 1Password. But if there's a connection issue when you unlock, and 1Password tries to contact the server to get updated data, you could end up being prompted for the code if 1Password could not determine the reason for the failure.

    But first let's establish whether or not it's something on your system and not a communication problem. Do you "reset" your browser or otherwise have its data cleared periodically?

    > I don't know what you meant by: "and also the second factor if you have that setup on your account." You had just referenced auth in that sentence. What's the second factor after that?

    In order for there to be a second factor, there must be a first: you've got the standard sign in with the first factor -- your static account credentials -- and then the second factor, with the one-time password. More on that below.

    > I'm a little vague on the meaning of one-time password. As I recall, I had to allow that on my iOS devices in order to achieve autofill. I haven't been thinking of it in terms of 2-factor auth. But if the bottom line of your message is that I am better off maintaining Google authenticator for my auth, that's fine. Just needed that confirmation from you.

    A one-time password is, as the name implies, a password which can only be used once, and usually expires within a specific time frame. In the case of the TOTP standard, which 1Password uses, a new code is generated every 30 seconds, and they expire within a window of 90 seconds so there's a grace period on either end (though some sites use different time frames).

    But yeah, definitely use a separate app to generate your authentication code to sign into 1Password; and keep in mind that you can set up multiple apps/devices to generate the code, and also save your text TOTP secret and/or QR code just in case you ever need it. :)

  • Maury
    Community Member

    Brenty,

    I do not reset my browser, at least not to my knowledge. I do not have my data cleared periodically. I did clear my browsing history and cookies recently on suggestion from a website that wasn't recognizing my username and password. However, the random 1Password requests for 2-factor auth began before that clearing.

    Please verify that when you reference a one-time password, you are referencing the code that I consult on my Google Authenticator. Per your advice, I will maintain Authenticator for 2-factor auth. I remain a little confused about the term one-time password because, as I recall, that was a mandatory opt-in in order to achieve autofill on my iOS devices. Seems like different uses of the term.

    I don't know what you mean by this: "..save your text TOTP secret and/or QR code just in case you ever need it". I have my Secret Key and Master Password saved, along with a QR code in my 1Password Emergency Kit. Are you referencing something in addition to that?

    Unlock vs. sign-in: I tend to think of sign-in on first use of 1Password on any given day. Unlock occurs to me when I think of the requirement for me to use my Master after I am locked out--seems that I am locked out if I close my browser at some point in the day. That said, I note your use of the term sign-in: for ex., "...in order for there to be a second factor, there must be a first: you've got the standard sign in" and "...use a separate app to generate your authentication code to sign into 1Password." I'm not sure that working through the semantics is all that necessary but I defer to your judgment.

  • Maury
    Community Member

    Please clarify:

    Under what circumstance should a user be asked to sign in during routine use? Once unlocking 1Password to autofill a log in for a particular website, should the user be expected to have to unlock 1Password again after leaving that website and logging in/autofilling to another? That seems to be the case in my experience. Just want to be sure I understand how the program is supposed to work.

    I still am randomly asked for 2-factor auth (not a new device) when I unlock 1Password. Can't understand why. (Chrome, 1Password X).

    I tried to gift a year's enrollment in 1Password (Thanksgiving promotion) per an email offer I received. When I log into my 1Password account, I do see the opportunity in the column at the right to make the gift, but when I click on it, nothing happens. Thoughts?

    Maury.

  • AGAlumB
    1Password Alumni
    edited November 2018

    > I don't know what you mean by this: "..save your text TOTP secret and/or QR code just in case you ever need it". I have my Secret Key and Master Password saved, along with a QR code in my 1Password Emergency Kit. Are you referencing something in addition to that?

    @Maury: I'm saying that you should ensure you have everything you need to access your account in case of an emergency, so that you're not locked out for all eternity if your devices are all lost, stolen, or destroyed.

    > Under what circumstance should a user be asked to sign in during routine use? Once unlocking 1Password to autofill a log in for a particular website, should the user be expected to have to unlock 1Password again after leaving that website and logging in/autofilling to another?

    I'm not sure what you're asking here, but I'll do my best.

    If you mean unlocking 1Password, then you should have to enter your Master Password any time it is locked, whether because you locked it yourself, it auto-locked based on your settings, or you closed the browser.

    If you mean signing in to your account with all of your credentials, bearing in mind "should", that would be when signing into the account in an app/browser which is not already authorized. But "should" is one thing, and reality is another. If there's a network failure or interference, that can cause 1Password's connection to be rejected, and it can then fall back to requiring you to authenticate again securely. Sometimes flaky internet can cause this, or "security" software that tries to insert itself into your secure communications.

    > I tried to gift a year's enrollment in 1Password (Thanksgiving promotion) per an email offer I received. When I log into my 1Password account, I do see the opportunity in the column at the right to make the gift, but when I click on it, nothing happens. Thoughts?

    It sounds like there's definitely something either wrong with your browser, or you have some other software there that's interfering. Have you tried it in a new profile, or another browser? Let me know what you find. :)

  • Maury
    Community Member

    Appreciated, Brenty.

    Yes, I meant "unlocking", and, yes, I realize that it is required after the program is locked for any reason. What I have found specifically, is the requirement to unlock when moving from one website to another. It just may be that in doing so I am reverting to my desktop and, I guess, effectively closing Chrome---thereby engendering the requirement to unlock 1Password when opening a new website that requires logging in. I'll have to track that.

    As to the gift, well, I think the offer is now over. So, unfortunately, will have to consider that a loss.

    Thanks for your attention to all of this.

    Maury.

  • AGAlumB
    1Password Alumni

    > What I have found specifically, is the requirement to unlock when moving from one website to another.

    @Maury: Can you give me a specific example?

    > It just may be that in doing so I am reverting to my desktop and, I guess, effectively closing Chrome---thereby engendering the requirement to unlock 1Password when opening a new website that requires logging in. I'll have to track that.

    It does sound like that may be the case, but let me know what you find.

    > As to the gift, well, I think the offer is now over. So, unfortunately, will have to consider that a loss.

    I can't make any promises, but shoot me an email at support@1password.com and post the Support ID you receive here. I'll see if there's something I can do to help. :)

    > Thanks for your attention to all of this.

    You're very welcome! Happy to help in any way I can. :chuffed:

This discussion has been closed.