To protect your privacy: email us with billing or account questions instead of posting here.

Will 1Password allow option to require 2fa with every sign in?

sjdc
sjdc
Community Member

Hello. I’m a Lastpass user considering 1Password (1P). I like the UI and the app very much, except when it comes to 2FA (two factor authentication). I have looked at posts and 1P does not provide an option for users to require 2FA with every sign in. Lastpass does. Will 1P reconsider?

In a world of smartphones that are easily swiped (or accidentally left behind) and where we are constantly subject to video surveillance as we go about our lives — such as when typing in our master password as we are in a restaurant — I want an option where I can be confident that no one is getting into the 1P account on my phone WITHOUT ALSO having access to the yubikey in my pocket. As someone who has accidentally left my phone behind at places, I don’t like having to hope that my phone screen darkened before it was picked up by someone else or depending solely on Touch ID to protect my apps.

This fall, Apple and yubikey will allow for physical yubikey entry on iPhones with Fidou2f as 2FA, when the new iOS yubikeys come out. Indeed, both 1P and Lastpass are partners with that program already.

It will then be possible to configure password managers in such a way that to get into the app on an iPhone, you would need both the master password and one of the 3 yubikeys I plan to own (one on my key ring and two backups housed in two separate locations) and with NO other means of access or recovery. (At least for online access). I am willing to own the risk of non-recovery if I lose all 3 yubikeys, because I very much like guarding the front door of a password manager on a portable computer (smartphone) with more than a master password that can be so easily shoulder surfed or otherwise noticed. Others may not. But I’d at least like the option.

Otherwise, I confess to not really understanding 1P’s current structure for 2fa. You only require it on the initial sign in on a particular device but don’t require it thereafter. But that does not seem to do much more than what the secret key already provides....

What say ye?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:2fa

Comments

  • Hi @sjdc

    I'd like to offer a couple of resources on this subject that may help better understand how this works and why it works the way it does:

    If you have any questions or concerns not addressed there please let me know and I'll be happy to elaborate.

    Ben

  • sjdc
    sjdc
    Community Member
    edited July 2019

    First of all, thanks for the links and your response. Clearly 1P offers service that beats the competition!

    I guess what I don’t understand is the decision not to make an option for smartphone-only-online-access-via-yubikey-and-master password option. Maybe it is cumbersome and not desired by all. But unless I’m missing something, it would dramatically narrow an attack surface — you wouldn’t be able to either access or decrypt 1P data without a) the secret key already installed on the smartphone, and b) downloading the data through the use of the yubikey and decrypting it with the master password.

    I don’t see the current model as recognizing the fundamental risks that come with carrying a portable computer that is so easily captured — particularly in a surveillance world where recoding the master password is so easy via camera, and perhaps done more often than we realize and unwittingly.

    To put it differently, using Fido u2f via a yubikey adds far more protection for the app than a pin code or even touch/Face ID. Why not eliminate as many attack surfaces as possible — or at least offer the option for potential customers who would like to do so and are willing to own the risks of yubikey loss in doing so? That does not seem like security theater to me.....

  • smartphone-only-online-access-via-yubikey-and-master password option

    That might be fine for the very small portion of the world that has access to unlimited mobile data, but for most downloading their entire vault every time they unlocked would be completely unacceptable. I would suspect it would be difficult to justify building such a thing for the handful of people who are willing to both have that kind of data usage and also give up offline access.

    That said we'll certainly continue to evaluate what sort of threats are out there and also what sort of resources customers have at their disposal to make sensible decisions about such topics. Thanks for taking the time to share.

    Ben

  • sjdc
    sjdc
    Community Member

    Thanks for your responses. I appreciate your taking the time to respond. And it does help clarify that 1P’s present use of 2FA is a choice and not because taking advantage of Fido U2f in other ways would be an impossibility.

    If you do consider other uses of 2FA down the line, I’d note that downloads for most users of 1P are likely to be a few megabytes at most.....

  • sjdc
    sjdc
    Community Member

    Thanks for your responses. I appreciate your taking the time to respond. And it does help clarify that 1P’s present use of 2FA is a choice and not because taking advantage of Fido U2f in other ways would be an impossibility.

    If you do consider other uses of 2FA down the line, I’d note that downloads for most users of 1P are likely to be a few megabytes at most.....

  • AGAlumB
    AGAlumB
    1Password Alumni

    Likewise, thanks for the feedback! While I can tell you from personal experience that most people don't have unlimited data, and that "a few megabytes at most" isn't a given since each 1Password account includes a gigabyte for Document storage by default (and many people use a lot of that) with no restriction of file size, it's absolutely something we'll continue to evaluate over time as things evolve. Cheers! :)

  • tsmf
    tsmf
    Community Member

    I agree with sjdc. I want to force 2fa using a security key with every access.

  • @tsmf Thanks for sharing your thoughts.

    Ben

  • Peter_Swe
    Peter_Swe
    Community Member

    Hi,

    I am a new user to 1Password and I also agree with sjdc, coming from using LastPass Premium with 2FA enabled for my YubiKeys for every single login. I understand your reasons why you have implemented it as you have, but it would be a really nice (maybe premium) feature to have 2FA enabled on every single login. The options to not download the gigabyte of Document storage offline could be a solution to people that have limited data plans, then the encrypted passwords should be fairly small to download. Maybe allow for an option to set how many days (if any) you should allow for offline access?

    Also I was trying to find a way to disable the Software TOTP authenticatior for 2FA and only use my registered hardware YubiKeys, but could not find a way to remove this, is this possible?

    Besides the 2FA concerns I have above, I think your product is great and I am looking forward to using it.

    /Peter

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Peter_Swe: Thanks for the encouragement! Those are certainly possibilities. The problem is that a "number of days offline" limit and/or requesting authentication is not actually enforceable and will not stop anyone malicious who has already captured the device/data from attacking it offline indefinitely.

    I think there's a good chance we will have a way to disable TOTP two-factor authentication in favour of hardware key authentication in the future though, when there's critical mass of availability. Browser support for it is still very new, and we do not yet have it implemented on all platforms, both due to development time and available tools on each. I'm sure that will continue to improve over time though. Cheers! :)

  • Peter_Swe
    Peter_Swe
    Community Member

    @brenty : Thanks for the super quick reply! :-)

    Given the circumstance that you described having offline data stored on a stolen device or harddrive, only a strong master key can protect your encrypted data. But if there was an option to disable offline content completely as I suggested, and only access it "online" this would certainly be a killer feature for people like me who are less conernced about having offline access and more concerned of someone getting a hold of your encrypted data.

    I understand that it is probably not enough people that are running around with hardware key authenticators, but for the ones like me who have been using it for many years now, this would be a feature I would really like to have. That is why I also use other tools like BoxCryptor which supports this.

    I am no expert when it comes to what is safer, a hardware based key like YubiKey or a software based one like Google Authenticator (though YubiKey supports much more then only TOTP). I guess hacking a phone and it's software require some skills and stealing a hardware key requires other skills, but to me it feels safer not having everything "software"-based. I am sure you will continue to develop great features and hopefully the disabling of the TOTP two-factor authentication should be a low hanging fruit for your developers to implement :-)

    Cheers!

  • Hi @Peter_Swe

    Given the circumstance that you described having offline data stored on a stolen device or harddrive, only a strong master key can protect your encrypted data.

    Yes, exactly.

    But if there was an option to disable offline content completely as I suggested, and only access it "online" this would certainly be a killer feature for people like me who are less conernced about having offline access and more concerned of someone getting a hold of your encrypted data.

    I don't imagine that we're going to go down that road. While it is certainly possible that there is a major shift in the landscape that would cause us to re-evaluate, this isn't something that is current on the roadmap. As such I wouldn't want to get your hopes up or give false impressions about the future. The cache isn't solely for offline access. It is really a core part of how 1Password operates.

    I am sure you will continue to develop great features and hopefully the disabling of the TOTP two-factor authentication should be a low hanging fruit for your developers to implement :-)

    That'll be much more realistic once all of the clients support U2F.

    Ben

  • Peter_Swe
    Peter_Swe
    Community Member

    Hi @Ben ,

    I am impressed at how fast your response time is!

    Thank you for letting me know what I can realisticly expect in the planned roadmap for 1Password.

    Since you have invested in using a cache and it is core part, do you see a feature using a challenge-response type like the built in functionality for YubiKeys HMAC-SHA1 to add further security besides the master key to the encryption of the cache?

    /Peter

  • @Peter_Swe

    Since you have invested in using a cache and it is core part, do you see a feature using a challenge-response type like the built in functionality for YubiKeys HMAC-SHA1 to add further security besides the master key to the encryption of the cache?

    My concern with that would be what would happen if that Yubikey were lost or destroyed? Maybe I'm not understanding what you're suggesting?

    I am impressed at how fast your response time is!

    Thanks for saying so. :)

    Thank you for letting me know what I can realisticly expect in the planned roadmap for 1Password.

    You're very welcome.

    Ben

  • Peter_Swe
    Peter_Swe
    Community Member

    @Ben

    My concern with that would be what would happen if that Yubikey were lost or destroyed? Maybe I'm not understanding what you're suggesting?

    That is why Yubico always suggest you should buy 2 :) . Then program them identically and store one in a safe place.

    But is this extra layer of security for the encrypted cache something you are looking into?

    /Peter

  • That is why Yubico always suggest you should buy 2 :) . Then program them identically and store one in a safe place.

    I see... so two Yubikeys can generate the same HMAC-SHA1?
    If so I'm not sure I see the advantage over just using a longer Master Password (which could potentially be stored on the Yubikey).

    But is this extra layer of security for the encrypted cache something you are looking into?

    I'll ask our security team about it, but I haven't heard of any definite plans.

    Ben

  • Peter_Swe
    Peter_Swe
    Community Member

    I see... so two Yubikeys can generate the same HMAC-SHA1?

    Yes, you can set it up to generate the same response.

    If so I'm not sure I see the advantage over just using a longer Master Password (which could potentially be stored on the Yubikey).

    Maybe you are right, but a challenge-response is not static as it is the case with a Master Password, and yes, you could as you say store a static password on the YubiKey aswell, as you would for instance do if you were to use it when using it with BitLocker which currently does not support HMAC-SHA1 challenge-response.

    I'll ask our security team about it, but I haven't heard of any definite plans.

    Great, and thank you again for your quick responses!

    /Peter

  • AGAlumB
    AGAlumB
    1Password Alumni

    Likewise, thanks for the feedback! :)

This discussion has been closed.