1P 2FA and saved 2FA for Logins Question
It's about the current hack.
What about the security of the 2FA codes?
I found this statement. Are they secured separately at 1P?
If a hack happens somewhere, you can get to the database and at least read it out. That's the moment when everything is open. The secret of the 2FA can easily be read out. If there is write access, you can simply disable 2FA.
In the case of a hack, 2FA is pointless, because there is complete access to the database. If the mail and possibly passwords are already leaked, it is not a problem to leak the 2FA secrets. They stand right next to it.
If you only look at the data of the leaks, the only question is whether the Secrets were leaked. If not, you were lucky and the hackers were probably just looking at the mailing addresses.
Comments
-
Hi @blaxxz,
Could you supply some context to that quote, please? It will help ensure I'm not misunderstanding. Also, are you more referring to the 2FA associated with a 1Password account or 1Password's ability to generate 2FA codes for sites you have stored in 1Password?
0 -
@littlebobbytables
This was the question to that: I would like to understand that. If I set on a web site that a second factor is needed to complete the login, how can an attacker, with only my email address and password knowledge, undo that 2FA on my account?
0 -
Hi @blaxxz,
2FA is a per site feature and how each site handles issues with lost 2FA can vary widely. An answer can only really be given by the site in question.
1Password accounts do support 2FA on the account itself, separate from using 1Password to generate 2FA codes for other sites, and we show how to enable it on the 1Password account on our support page "Turn on two-factor authentication for your 1Password account". If you get into the situation where you've effectively managed to lock yourself out of your 1Password account, you would need to reach out to us, and it's best to do so via our contact form at "Let's get you some help".
When it comes to 2FA, only a specialised few are allowed to help. As you can imagine, disabling 2FA is not something that can be taken lightly, and any such request must be handled very carefully until those with the right training are convinced. I don't know what goes into the process because the frontline staff are not to try and help, not with something this sensitive or critical. All I would say is, if you feel like you're being treated with suspicion, it's only because we value your security and we're not about to allow an attacker to ruin your day if we can help it.
Does that help at all?
0 -
Thanks for the explanation. :)
0 -
If anything wasn't clear or you feel I've misunderstood at all, please do let me know. If it helped, though, I'm happy :smile:
0