How do I enable multi-factor authentication to 1password on all my devices?

thriving62236
Community Member

I have multiple phones, one for work and one that's personal. For various reasons, I don't consider my laptops to be fully secured and would like to always have MFA enabled for every login attempt to 1password. From what I can see, right now 1password only allows one of your devices to be used for MFA. Is this accurate? If yes, is there a way to enable MFA on multiple phones / devices?



Comments

  • You can use the same key to set up multiple authenticator apps on different devices. If you have all the devices handy, you can scan the same QR code with all of them. I don't recall if 1Password also shows you the text of the TOTP key, but you can extract it by using the 1Password app on a computer to scan the barcode, if not. Then you can manually enter the key into any authenticator app you want.

    Of the various authenticator apps, Authy probably makes this easiest, by backing up and syncing your TOTP tokens.

  • thriving62236
    Community Member

    Maybe I'm using the website wrong but I'm unable to see the QR code after adding my first device. Also, unsure how I'll be able to add the TOTP to confirm the authenticator app. The documentation is confusing around this.

  • First, scan the QR code with each device/app. Then check that they all display the same TOTP code at the same time. After they're all set up, enter the current code from any of them in the form on the website to activate.

    If you use the 1Password app to scan the QR code, it is possible to extract the key so that you can manually add it to another authenticator app later. This is one of the things I like most about using 1Password for TOTP codes.

    If you don't know how TOTP works, the server and the authenticator app each store a copy of the same randomly-generated key, which is combined with the current time to produce a new code every 30 seconds. There's nothing preventing multiple authenticator apps from storing the same key, and thus all being able to provide the same TOTP code; the server can't tell the difference. It's not like a U2F hardware key, where each one must separately register a public key with the server.

  • thriving62236
    Community Member

    Thanks. Scanning all the apps while the QR code did the trick. I still don't get why showing the QR code again is not an option. It wasn't obvious that scanning the QR code was a one-time option.

    Also, it's a bit odd that I don't have an easy way to require 2FA on all my devices (around 15~17), so had to click on all of them. Would have been nice to have an option to require TOTP for every login attempt every X days. Currently, it seems if you can login once, the device is assumed to be owned by me and secure forever.

    Oh well, maybe someday U2F support will make these complaints the thing of the past.

    Once again thank you @gedankenexperimenter

  • AGAlumB
    1Password Alumni
    edited January 2019

    > Thanks. Scanning all the apps while the QR code did the trick. I still don't get why showing the QR code again is not an option. It wasn't obvious that scanning the QR code was a one-time option.

    @thriving62236: Sorry for the confusion there. You can always re-do it, and save the QR code if you want to keep it. Not everyone does.

    > Also, it's a bit odd that I don't have an easy way to require 2FA on all my devices (around 15~17), so had to click on all of them. Would have been nice to have an option to require TOTP for every login attempt every X days. Currently, it seems if you can login once, the device is assumed to be owned by me and secure forever.

    That's not true at all. Otherwise 1Password wouldn't secure its data separately from the device/OS. I get where you're coming from, but 1Password works very differently from other services which rely heavily (or solely) on authentication. 1Password's security is built on encryption.

    When the data is already on the device, so it can be accessed offline, authentication doesn't happen (your data is encrypted, and just needs to be decrypted using the Master Password and Secret Key). We don't have plans to introduce the security theater of having you enter an authentication code periodically when no authentication is necessary (you can access it offline, and so could anyone else with access to your device). I hope this helps. :)

    > Oh well, maybe someday U2F support will make these complaints the thing of the past.

    Perhaps. :)

    > Once again thank you @gedankenexperimenter

    I second that! Thank you! :chuffed:

This discussion has been closed.