How can I force 2FA when logging into my.1password.com every time?

xumbar
Community Member

Is this even possible? I didn't check the "This is a public or shared computer" box the first time I logged in since I don't use a public or shared computer. Nevertheless, I'd like to use 2FA for the sake of consistency and peace of mind.



Comments

  • arturoaubry
    Community Member

    Hey, @xumbar.

    I totally understand your concern, I had it for a while myself. My understanding is that always-active 2FA isn't something 1Password has available. Most important of all, however, is to know if you really need 2FA active all the time.

    1. Having it active all the time doesn't actually make your 1Password account more secure.
    2. You'd need to be online every time you want to use 1Password.

    You can read more about it in this thread: https://discussions.agilebits.com/discussion/90795/2fa-beyond-the-first-login-option

    I'm not a 1Pass team member though, so definitely wait for a response from them :blush:

  • Lars
    1Password Alumni

    @xumbar - thanks for the question. arturoaubry is essentially correct. As brenty mentions in the linked thread (and rickfillion goes into further detail in a reply to a thread linked off that thread), 1Password's primary security is encryption-based, not authentication-based, so anyone who gains access (either direct or remote) to your computer wouldn't be trying to attack your 1Password database via any method where authentication would provide any additional security benefit whatsoever.

    Having said all of that, if you have browsers for which you've signed into your 1password.com account and forgotten to check the "This is a public or shared computer" box, you can reset those permissions by deleting the local storage/cookies for the particular 1password.com site in question. For most users (if you have an individual account or a more-recent 1Password Families account), that will be https://my.1password.com -- just find and delete all history, cache, cookies, local storage for the site, and the next time you sign into your account in that browser, you should be prompted once more for your 2FA code (as well as ALL your other sign-in credentials including your Secret Key and email address, not just your Master Password). I have to stress that in my opinion (not 1Password's, my personal opinion) this is likely to be overkill for most people. I say that because (as mentioned above) in many situations, it provides little additional benefit. You are certainly the best judge of whether that's true for your own specific situation, and because I don't know your situation, I can't comment on it at all. But doing things this way will certainly be more effort, each time you sign in. Not checking that box allows your browser to save the Secret Key and record that you successfully passed the 2FA challenge, meaning you can sign in on subsequent visits to that account with only your Master Password, rather than having to enter everything, every time you visit.

    An even better way to solve this issue would be to do most of your interaction with 1Password via 1Password for Mac instead of in a browser at 1password.com. Hope this was helpful! :)

  • xumbar
    Community Member

    Thanks for your replies @Lars and @arturoaubry.

    Obviously, some of my concern stems from a lack of understanding of how 1P works. I will look up the documentation.

    Beyond that, I'm mostly interested in consistency. For the vast majority of services and web sites, 2FA is a good thing. I enable it wherever it's available. Now I learn that my.1password.com is a different kind of web site, one where 2FA does not enhance security. I'd rather not deal with three categories of web sites: 2FA available, 2FA not available, and 2FA irrelevant. This is not a security concern so much as it is one of social engineering. With the proliferation of logins, I find a consistent interaction that includes 2FA with each web site reassuring.

    Finally, the "This is a public or shared computer" check box requires users to opt in to 2FA. Wouldn't it be more prudent to change the label to something like "Trust this computer or browser" and have users explicitly opt out?

  • Lars
    1Password Alumni

    @xumbar

    Now I learn that my.1password.com is a different kind of web site, one where 2FA does not enhance security.

    I don't think that's what either arturoaubry or I said -- certainly, it was not the impression I meant to give either you or anyone else reading this thread, mostly because it's not correct. 2FA does indeed provide increased security for a limited class of authentication-based attacks. You can read more on our thinking on the subject and why we've made the choices we have, in Authentication and encryption in the 1Password security model. You might also find enlightening our support page on your 1password.com account's Secret Key; how it functions in many ways like a 2FA, but is stronger. And finally, if you're interested in a really deep dive into how we keep your data both secure and private in 1password.com accounts, I'd recommend our full 1password.com security white paper (be warned: at 80 pages and counting, I'm not kidding when I say "deep dive").

    Finally, the "This is a public or shared computer" check box requires users to opt in to 2FA.

    It doesn't. If you have not enabled 2FA on your 1password.com account at all, the "This is a public or shared computer" check box will still require you to sign in with your full credentials (email address and Secret Key in addition to just Master Password). It also will not store your Secret Key in the browser's local storage.

    I'd rather not deal with three categories of web sites: 2FA available, 2FA not available, and 2FA irrelevant. This is not a security concern so much as it is one of social engineering. With the proliferation of logins, I find a consistent interaction that includes 2FA with each web site reassuring.

    I certainly understand the value of consistency and allowing routine habits to strengthen your security. Again, if you'd like to do this, there's nothing stopping you from doing it. If I'm misunderstanding something about what you're saying or asking for, please clarify.

  • xumbar
    Community Member

    Thanks @Lars. Understood.

  • Lars
    1Password Alumni

    :) :+1:

This discussion has been closed.