Wirecutter says not to use two factor authentication in 1Password

JeffRichardson
Community Member

In a recent article on Wirecutter, the author says that one should not use 1Password for two-factor authentication. "Our favorite password manager, 1Password, includes a built-in authenticator, but all the security experts we spoke to were hesitant to recommend putting all your eggs into one basket in this fashion—on the off chance someone were to gain access to your 1Password account, they’d have access not just to your passwords but also to your authenticator." https://thewirecutter.com/reviews/best-two-factor-authentication-app/#the-competition

I'm curious to hear what the security gurus think about this recommendation. I like using 1Password for 2FA. Should I change that?

-Jeff


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Ben
    edited October 2019

    but keep in mind that you’d still want Authy to protect your 1Password account.

    We agree on that point. If using 2FA with your 1Password account you should be using something other than (or in addition to) 1Password to store the TOTP secret for 1Password. Otherwise, for most use cases, it seems we respectfully disagree. Our Chief Defender Against the Dark Arts Jeff Goldberg (jpgoldberg) explains in this thread:

    Why is it a good idea to store 2FA tokens in 1Password? — 1Password Forum

    (along with some other excellent replies)

    Please give that a read through and let me know if you have any further questions. :)

    Ben

  • [Deleted User]
    Community Member

    The encryption is so solid that only bad practices, i.e. writing your password down, would jeopardise everything. I write my secret key down on a Post-it, but my actual password remains in my mind. 1Password is bulletproof security.

    There's no way someone could get in unless you're copying and pasting your password with malware installed, and/or if the same malware has access to your tokens.

    Just keep your password around 13 characters minimum and memorised in your head. Never paste it, always type it from memory; that's what I do.

    If your database was compromised by hackers who managed to infiltrate 1Password's servers, they'd find nothing but scrambled data they'd never be able to decipher without a password.

    I hope this helps

  • danco
    Volunteer Moderator

    But BEWARE of keeping the master password only in your mind. What happens if you are killed, are in a coma, etc.?

    Some emergency system is probably advisable. Some people keep the master password in a safe deposit box, and there are other discussions in the forum about what to do if your mind is not accessible.

    Of course you can always decide that you don't want your executors, attorneys, or the like ever accessing your online accounts, so you are not concerned about that situation.

  • AGAlumB
    1Password Alumni

    But BEWARE of keeping the master password only in your mind. What happens if you are killed, are in a coma, etc.?

    @danco: I keep the things that my family would need in a shared vault. A lot will be lost when I die, but nothing of importance to anyone but me. And then I can finally rest. :lol:

    Some emergency system is probably advisable. Some people keep the master password in a safe deposit box, and there are other discussions in the forum about what to do if your mind is not accessible.

    That's not to say that everyone needs to do what I do though, so this is a good alternative for many. :)

    Of course you can always decide that you don't want your executors, attorneys, or the like ever accessing your online accounts, so you are not concerned about that situation.

    Indeed, it really comes down to each individual's situation/preferences.

    @montana: But yeah, we are very happy at 1Password with not having the "keys" to our customers' data. :sunglasses:

  • [Deleted User]
    Community Member

    @danco What if I had a coma and someone found my master password and I couldn't do anything about it? Lol (joking)

    It's a sort of trade-off... I know if I wrote it down and put it somewhere secret and secure, like a fake clock or inside a book, it should be OK, but I'm too paranoid. I feel more secure keeping it in my head. If something unfortunate like that did happen, I guess I'd be screwed. Your suggestion is food for thought; I will think about it. I'm thinking of maybe sharing it with a loved one, then I wouldn't even have to write it?

    It's very hard to blend security and convenience... Well, until 1Password came along.

  • MerryBit
    Community Member

    Personally, I wrote my master password down on a printed copy of my Emergency Kit. Then I cut it into three parts vertically and supplied each of three trusted third parties with one third of the Emergency Kit. Unless these three trusted third parties collude with each other against me, I'm safe.

  • AGAlumB
    1Password Alumni

    A very practical solution. :)

  • [Deleted User]
    Community Member

    @MerryBit I might do something like that, thanks.

  • danco
    Volunteer Moderator

    I see that currently there are two threads from people who have lost their master password. So it is definitely worth having it stored somewhere other than your head. It's just a matter of finding a way that leaves you convinced that others can only gain access to it when it is really needed, and not by simple means like reading an Emergency Kit stored near your computer.

  • AGAlumB
    1Password Alumni

    Ultimately it's up to the individual how/what they do to make sure they don't lose access to their data, but that would be my recommendation. There is nothing we can do to bail people out if they lose their Master Password, as we never have it. :(

  • arunsathiya
    Community Member

    I really like @MerryBit's idea of cutting down the secret kit to three parts and giving one to each trusted member!

    But BEWARE of keeping the master password only in your mind. What happens if you are killed, are in a co…

    I was worried about the same, but similar to @brenty, I have stored important entries on my shared family vault and personal ones on my private vault. In case of my death, family members can always recover them.

    Another point that I was worried about was what happens if I forget my master password. In such a case, I find 1Password's ability to have a family organiser rescue me helpful. My entries will not be erased when that happens.

  • Ben

    I really like @MerryBit's idea of cutting down the secret kit to three parts and giving one to each trusted member!

    Me too. :)

    Ben

  • williakz
    Community Member

    @MerryBit

    I get the inherent protection against misuse, but what are the "rules" that govern (or force) co-operation between the trusted parties in the event you're incapacitated? Also, three parties instead of just two? The difficulty of achieving unanimity for action both beneficial and detrimental increases exponentially with the number of parties involved.

  • AGAlumB
    1Password Alumni

    Ultimately it's up to each person to decide what makes the most sense for them personally.

This discussion has been closed.