Asked for 2FA every time on 1password.com

riccardobrasca
Community Member
edited January 2019 in Lounge

Hi all,
I've set up 2FA for 1password.com using Google Authenticator, and it works. The only issue is that it requires me to enter the code every time I log in (always using the same computer, of course). Is this normal? I use Firefox on Debian Stretch.

I can use the app and 1Password X without entering the code every time.

Thank you!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • riccardobrasca
    Community Member

    Hi all,
    I have set up 2FA on 1password.com and it seems to work. The only issue is that I'm asked to enter the code every time I log in (of course using the same device). Is this normal? I use Firefox on Debian Stretch.

    I can use the app and 1Password X normally, entering the code just once.

    Thank you!


  • Manaburner
    Community Member

    @riccardobrasca Do you maybe delete all history, cookies, etc. when Firefox closes? This will log you out from 1Password.com. The same goes if you are using "In Private Mode" or whatever it's called in Firefox.

  • riccardobrasca
    Community Member

    I manually deauthorized the browser and reauthorized it, and now it seems to work correctly... I will let you know if this happens again.

  • AGAlumB
    1Password Alumni

    Thanks for the update. You shouldn't have to reauthenticate if you aren't deauthorizing from your account or clearing/resetting your browser, but we're here if you need us. :)

  • univbee
    Community Member

    Now here's a question/feature request, as I actually would like 1Password to ask me for 2FA every time. The reason being my computer wound up being compromised with a keylogger as well as them taking remote control of my PC while I happened to be away, and they were thus able to log in to my 1Password Vault (yes, I have since changed my master password and secret key, as well as my compromised passwords). I've had to restrategize how I use 1Password to prevent further issues.

  • AGAlumB
    1Password Alumni

    @univbee: It's not something we have plans for currently, not only because 1Password's security is based on encryption, not authentication, but also since people expect (and often need) to be able to access their 1Password data without an internet connection. It's certainly something we could consider implementing in the future, but then you'd be in a situation where you would be unable to access 1Password at all offline -- which is not uncommon when traveling to other countries, or just being far outside of the city.

    And while I can appreciate where you're coming from, it would be trivial for an attacker to just grab the two-factor code you enter and use it instead anyway. So I'm not sure that would be a sufficient protection against someone else controlling your machine. I'm not sure that there is one. :blush:

  • univbee
    Community Member

    Hmmm, I guess the best approach then is to remove 1Password outright from any computer I have on continually, and limit what I log into from there. Going to have to mull some more, the breach I went through has made me quite paranoid.

  • I suppose that would be one option. It is worth considering if you're actually improving your security by limiting your access to 1Password though. Does doing so cause you to utilize more insecure practices, such as reusing passwords?

    Each individual needs to evaluate what threats they may face, and what tools are available to them to help mitigate those threats. 1Password is one possible tool in the toolbox. :)

    Ben

  • univbee
    Community Member

    My plan is somewhat of a work-in-progress for sure, although I don't use my desktop that much (I'm on my laptop mostly) and most of the time I remote into my desktop instead of being directly in front of it, so the desktop not having easy or 1Password-based access to ways to siphon money from me wouldn't be terribly impractical. What I did, for the long story, is put the more money-sensitive logins into a separate vault using the desktop app, and set that up on my laptop and phone only. We'll see how that goes, I might re-evaluate in a month or so once I've mulled on it some more.

  • Sounds good. :+1:

    Ben

This discussion has been closed.