Two-factor authentication without QR code
I am trying to enable two-factor authentication for the sites that watchtower suggests it is available. Am I correct in assuming that this can only be done in 1password if there is a QR code? How do I know if there is going to be a QR code provided before I enable two-factor authentication on a site?
1Password Version: 7.4.2
Extension Version: Not Provided
OS Version: 10.15.3
Sync Type: Not Provided
Referrer: forum-search:two-factor without qr
Comments
-
Hi @alphi!
Am I correct in assuming that this can only be done in 1password if there is a QR code?
That is correct.
How do I know if there is going to be a QR code provided before I enable two-factor authentication on a site?
You can check the documentation of the specific website, or you can just try activating 2FA there: if they support a QR code, it will be shown to you before the end of the procedure. If they don't support it, you can decide not to activate it.
0 -
Thanks @ag_ana ... I was hoping I was missing a bit on https://twofactorauth.org telling me which 2FA implementations used QR codes :(
0 -
If the site gives you a code you can indeed paste the code into 1Password.
From https://support.1password.com/one-time-passwords/
On the website, choose to enter the code manually. Copy the code, then paste it in the One-Time Password field.
If the website only supports QR codes, you’ll need to scan it using a 1Password app.0 -
I am confused after almost locking myself out of Amazon trying to get 2fa to work. I edit my Amazon record to have an OTP field into which I paste the OTP Amazon provided me with. I save, by which time I notice the little timer 1Password has on that OTP has expired, and it immediately generates a new one...and then a new one....seemingly divorced from any password Amazon is expecting as my failed tries suggest. There's no sign of a QR code so I type in the original texted code and it works. I guess I don't understand what role 1Password has to play in 2fa if it cannot know what a given website's OTP will be...and if it did know that, it still seems faster just to type it in. If you guys think there's value here, I trust you, but what am I missing? Does the existence of a QR code establish a live link to a site allowing OTPs to be sent and used without interaction? That would be a useful thing.
0 -
into which I paste the OTP Amazon provided me with
It sounds like this may be the problem? The 6-digit OTP code isn't what goes into that field... that would defeat the point. That would mean that anyone who got one of your OTP codes could then generate OTP codes indefinitely for your account. The purpose of OTP is to prevent that.
The OTP secret (which the code is generated from) is what goes in 1Password. You need the OTP secret from Amazon, which is generally only available when enabling OTP. To get one, you may need to disable OTP, and then set it up using 1Password as your authenticator app (instead of SMS).
Ben
0 -
“set it up using 1Password as your authenticator app (instead of SMS).” That’s what I needed, thanks. The instructions at support.1password.com/one-time-passwords could possibly use a patch, in that they instruct me to follow the instructions at Amazon, which are in fact primarily geared to use texted OTPs with a more deemphasized option to use an “authenticator app” (I personally think of Google Auth and not my password manager). After I got the QR code and saw the otpauth link it creates, then I started to understand. I guess I’m suggesting padding a few more sentences in that explain what’s happening along with the directives. But thank you!
0 -
You're welcome. Thanks for the feedback. :)
Ben
0
