Which 2FA app do I have to choose?

Martijnn
Community Member

I would like to set up 2FA for my 1Password account, but I don't know which app to choose.

I want an easy 2FA app that backs up my codes.
Otherwise I would have a major problem if my phone were stolen or lost.

Does anyone know which app is best?



Comments

  • Hi @Martijnn

    I'd recommend printing out the QR code that 1Password.com shows you when enabling 2FA, and storing that with your Emergency Kit (you do have a printout of your Emergency Kit, right? ;) ). That way if you were to lose access to your phone you could re-scan that QR code into a 2FA app on a new one.

    Get to know your Emergency Kit

    Something to consider. :)

    Ben

  • Martijnn
    Community Member
    edited August 2019

    Hey @Ben , that's actually a very good idea. 🤔💡
    I'm going to make a copy of it and merge it with my printed emergency kit.

    Is it perhaps an idea to add this as an option when downloading your Emergency Kit, if 2FA is enabled?

  • Zaka7
    Community Member

    Authy is the best app for this. I have my whole family's 2FA tokens for 1PW in it, and then of course all other sites are contained within 1PW itself.

    Authy is great, it allows multiple devices and is backed up to the cloud. Just be sure to set up all the devices you want and then disable the multi device function.

    This would work great alongside having a printout of the QR code, but for me personally I just have Authy on multiple devices to avoid a total lockout, but equally to avoid the Emergency Kit being the key to everything.

  • Martijnn
    Community Member

    @Zaka_7

    I also considered Authy first, but I don't like it because of more passwords (backup password and Authy master password).

  • Is it perhaps an idea to add this as an option when downloading your Emergency Kit, if 2FA is enabled?

    It isn't possible to retrieve your 2FA secret / QR code after the fact (e.g. when downloading a new Emergency Kit) — it would have to be done at the point when you turn on 2FA.

    Ben

  • Zaka7
    Community Member

    @Martijnn I just keep this in 1Password.

    You don't need to enter the password every time you open Authy, so you're almost guaranteed to be able to open it on one device. If you set it to use Touch ID or Face ID, you don't even need the password full stop, only when you go to install on a new device.

  • @Zaka_7

    How would that work in the event that you lost access to your device and had to install Authy & 1Password from scratch? May be worth thinking through what that process would look like. It sounds like you may have a situation where you need the password for Authy from 1Password but you can't access that because you need the 2FA code for 1Password from Authy.

    Ben

  • Zaka7
    Community Member
    edited August 2019

    @Ben I have Authy installed on 6 devices at multiple locations :) and also 1PW installed on 3 different devices. It wouldn't be possible for me to lose them all, to be honest.

    If the worst did happen and I did lose all devices at all locations, which as I said I don't think is possible given the multiple locations (etc), I do have a family account with recovery powers :D

  • AGAlumB
    1Password Alumni

    Perfect! :) :+1:

  • dsm363
    Community Member

    Can you not just use 1Password for the 2 factor code for the 1Password.com site?

    I have Google Authenticator, Authy and 1Password but trying to consolidate everything to 1Password for simplicity.

  • dsm363
    Community Member

    Ok. I found another topic about this. It's like locking the key to the safe inside the safe =) I'll use Authy for 1Password.com but can use the 1Password app for all my other 2 factor codes, if I have that right. I'm looking for simplicity mostly if I change devices, get a new phone... etc. I know it may not be the most secure, but better than what most do, I believe. I've added a Yubikey as well.

  • gordcook
    Community Member

    Yes and no. It’s more like you locked the master key to the safe in the safe, but you made copies and stored them in various secure locations (1Password vaults on your computer, phone, tablet, etc.). That’s not a perfect analogy either, but you get the idea. :)

    I, personally, did what @Ben suggested and printed my QR code and stashed it with my Emergency Kit. Now I don’t need to worry about getting a new phone, or even losing all my devices. As an added benefit, it makes things much simpler for my family in the event of my death.

    Regardless, it sounds like you found a solution that meets your needs. Having two different authenticator apps doesn’t really help you achieve your goal of simplicity, but Authy is a great choice if that’s the path you’ve chosen.

  • jpgoldberg
    1Password Alumni

    That is a very fine way to go if you feel that the security value of 2FA comes from the "second factorness" (and that is in the name).

    If you are very strictly thinking about the second-factorness as the security goal, then you will want the long term secret to be bound to a specific device. And so something like Google Authenticator will be the better choice as it enforces that. If you are less concerned about it being tied to one specific object, then something like Authy may be a more appropriate choice.

    The situation with using 2FA for 1Password is (more than) a bit different from how it is used in the typical case. For the typical case, I hold the (controversial and non-consensus) view that the second factorness security property is vastly overrated, and the real value (for typical services) lies elsewhere.

    The typical (non-1Password) scenario

    Consider a typical service, like logging into, say, Dropbox for a typical user (who is not using a password manager). The typical user (not using a password manager) is using a password that is probably reused elsewhere or is otherwise guessable. And they are also subject to having their Dropbox passwords phished. That is, they can enter it onto a malicious web page that appears to be Dropbox's, but is actually something controlled by an attacker. Of course, when using 1Password you are far far less likely to have that happen. First you should be using a unique password for Dropbox, and 1Password won't fill your Dropbox password into a site that isn't Dropbox's. But remember we are talking about people who aren't using 1Password or aren't using it in a way that gets the full security benefit.

    So those typical attacks on passwords (password reuse and password capture on the net) are things that lots of people are vulnerable to. What something like TOTP gives you is

    1. A long term secret that is unique and unguessable. (This is a long, perhaps 120 bit number that is encoded in the QR code and is generated randomly by the server when you first set things up.)
    2. That long term secret is only ever transmitted during set up when the server presents you with the QR code. The code that you use to authenticate is a one time code. (The "OT" of "TOTP" stands for "one time".)

    So something like TOTP nicely fills in for the practical weaknesses of typical password authentication. It gives you a unique, unguessable secret, and that secret is not transmitted during authentication. In the typical case, those two security properties are where the real value of TOTP comes from for most people and most services.

    The case with 1Password is trickier

    1Password's authentication system is not typical. Furthermore, your 1Password security is encryption-based instead of authentication-based. So the threats that you face are different and 2FA plays a different role in your security. Let's consider what the different components do:

    1. Your Master Password (and the design of our Key Derivation Function) is your defense against an attacker who gets a copy of your local 1Password data from your devices.
    2. Your Secret Key (and to an extent your Master Password) is your defense against someone who gets your local data from our servers.
    3. Our authentication protocol (SRP) is your defense against someone who can break TLS and listen to the communication between you and our server when you authenticate.
    4. 2FA is your defense against an attacker who has somehow acquired both your Master Password and Secret Key but has not acquired a copy of your encrypted data.

    So in this case, it might be worth giving more weight to the second factorness of 2FA than exists for the typical service. Unlike the typical authentication case, 1Password already gives you a client-side unguessable long term secret (Secret Key). And no secrets are transmitted during authentication with our server (SRP). So the normal benefits of 2FA don't really apply. As a consequence, the second factorness of it is more prominent.
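The two TOTP properties listed in the post above (a randomly generated long-term secret that only leaves the server once, inside the QR code, and a short one-time code derived from it at each login) can be seen directly in the algorithm. The following is an added example written for this thread, not code from 1Password or from any of the posters; it implements RFC 4226 HOTP / RFC 6238 TOTP with the standard library and checks itself against the RFC's published test seed. The server-side `verify` window of one 30-second step either side is a common convention, assumed here.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def generate_secret(nbytes: int = 20) -> str:
    """Server-side enrolment: draw a random 160-bit long-term secret and
    base32-encode it, which is the form embedded in the otpauth:// QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, then dynamic truncation (RFC 4226)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the current time step (RFC 6238)."""
    return hotp(secret_b32, unix_time // step, digits)


def verify(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: the stored secret is the only thing needed, and a code
    that is compared in constant time is useless once its time step has passed.
    Accepting one step either side tolerates small clock skew (assumed policy)."""
    step = unix_time // 30
    return any(hmac.compare_digest(hotp(secret_b32, step + d), submitted)
               for d in range(-window, window + 1))


# Constructed check using the RFC 4226 / RFC 6238 test seed "12345678901234567890".
RFC_SEED_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")

if __name__ == "__main__":
    print(totp(RFC_SEED_B32, 59))                  # 287082 (RFC 6238 vector 94287082)
    print(verify(RFC_SEED_B32, "287082", 59))      # True
    print(verify(RFC_SEED_B32, "287082", 59 + 60)) # False: the code has expired
    print(totp(generate_secret(), int(time.time())))
```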

  • Martijnn
    Community Member
    edited October 2019

    I now use Google Authenticator to store the one-time password(s) for 1Password.
    I've protected Google Authenticator with McAfee app lock from McAfee Mobile Security.
    This way nobody can open the app except me.

  • I'm glad to hear you've found a solution that you're happy with @Martijnn. :)

    Ben
