I have a very simple question about the effectiveness of two stage authentication with 1 Password.

elizabay (Community Member)

Hello support.
Clearly, the greatest security risk in using 1Password lies with the trove of data contained within 1Password itself - the IDs, passwords and other data relating to internet banking and other "risk-sensitive" sites. If a cracker were to gain access to this data, your goose (and your bank balances) would be cooked.
Clearly, again, the answer is to have a strong password for entry into 1Password, plus two factor authentication.
However, if, say, your mobile phone with 1Password included is lost or stolen and some nasty person, familiar with 1Password, cracks the password, then any two factor authentication that is provided via phone app or SMS would be available to the cracker and effectively render the two factor security useless.
The only way around this problem that I can see would be for the phone owner (i.e. me) to have a second "password" available that might complicate the hacker's path to access.
I hope my analysis is wrong, and that you can tell me that the second stage of authentication can provide a strong barrier against cracking. Would appreciate your advice. Cheers.


1Password Version: 680014
Extension Version: 4.7.3
OS Version: High Sierra 10.13.6
Sync Type: wifi
Referrer: forum-search:two factor authentication for 1Password

Comments

  • Lars (1Password Alumni)

    @elizabay - good questions, and good for you for thinking strategically about data security! :)

    However, yes, that analysis isn't quite right, and here's why: if an attacker comes into possession of one of your physical devices (phone, tablet, laptop), the first hurdle for them would be to access your user account on the device (your device passcode). That's not an impossible problem for a competent adversary, but it's not a trivial one either unless you intentionally have no device password. But - and here's where you missed a bit - if an attacker 1) gets your device and 2) is able to unlock it and access your data, then they won't bother with trying to use the 1Password interface to access your 1Password data; they'll simply extract the raw encrypted data cache on your device (buried in the Library folder of any device on which you use a 1Password app), and run automated password-cracking tools on it. So at that point, 2FA for your 1password.com account becomes a moot point, because the attacker isn't trying to sign into 1password.com to get your data, they already have the data...they just need to decrypt it. And that requires your Master Password only, since stealing or otherwise acquiring the device would also get them a copy of your Secret Key as well.

    If this sounds bad or frightening to you, don't panic. It's a lot less scary than you think. Don't get me wrong, it's certainly far from an ideal situation and nothing you'd want to have happen...but the situation I just described is essentially the same one that's always been the case with 1Password, from long before we had 1password.com memberships. In the days before 1password.com accounts, when 1Password was ONLY a standalone product, there was no Secret Key; only your Master Password stood between you and any "hackers." It is the Master Password that has always protected you, since that's what's used to derive the actual AES256 key that de/encrypts your data. And that's precisely why we have always urged users to create strong, unique Master Passwords: because a weak Master Password is easy to "brute force" crack, but a strong one is all-but-impossible (note: nothing is actually impossible, but a good Master Password takes MUCH longer to crack). Have a look at that link, and let me know if you have any follow-up questions. :)

  • elizabay (Community Member)

    Thank you Lars. Very clear. In short, the degree of security relating to one's 1Password cache of passwords and other confidential data derives directly and solely from the strength of the 1Password password. Cheers, Peter

  • Lars (1Password Alumni)

    @elizabay - yes...if you're referring to the data stored by a 1Password app on devices you've installed (and used) a native 1Password app on. The Secret Key increases your security if a hacker were to come into possession of your data by any other means (i.e. - not from a device of yours which also had a copy of your Secret Key already on it). For example, if an attacker were somehow able to bypass all the security measures on our website where 1password.com data is stored and obtain a copy of your encrypted data, they would need not only your Master Password but ALSO your Secret Key...neither of which is ever transmitted to us in any form.
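The two situations Lars describes in his replies above (a stolen device that carries the Secret Key, versus encrypted data taken from the server without it) can be modelled with a small two-secret key derivation. The following is an added illustration written for this thread, not 1Password's own code or key-derivation format: the PBKDF2 parameters, the salt, the Secret Key bytes, the weak Master Password and the attacker wordlist are all constructed for the example, and the "vault key" is only checked against an HMAC verifier rather than used to decrypt real data.

```python
import hashlib
import hmac

# Constructed parameters for this illustration; not 1Password's real values or format.
PBKDF2_ITERATIONS = 20_000
KEY_LEN = 32
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")        # constructed
SECRET_KEY = bytes.fromhex("a3f1c9d2e4b5068719ab2c3d4e5f6071")  # constructed; high entropy, stored on each device
MASTER_PASSWORD = "letmein"                                     # constructed; deliberately weak


def derive_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Simplified two-secret key derivation: a slow KDF stretches the (possibly low-entropy)
    Master Password, and the result is XOR-mixed with material from the high-entropy
    Secret Key. Both inputs are needed to reproduce the vault key."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS, KEY_LEN)
    # The Secret Key already has ~128 bits of entropy, so a single hash is enough to stretch it.
    sk_key = hashlib.sha256(b"secret-key" + salt + secret_key).digest()
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def make_verifier(vault_key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the vault?': an HMAC tag over a fixed string."""
    return hmac.new(vault_key, b"vault-unlock-check", hashlib.sha256).digest()


def can_unlock(candidate_password: str, candidate_secret_key: bytes,
               salt: bytes, verifier: bytes) -> bool:
    key = derive_key(candidate_password, candidate_secret_key, salt)
    return hmac.compare_digest(make_verifier(key), verifier)


# Constructed attacker wordlist; the weak Master Password is in it to model a poor choice.
WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon", "iloveyou"]

# What a device stores: the encrypted cache (here: its verifier) plus the Secret Key.
VERIFIER = make_verifier(derive_key(MASTER_PASSWORD, SECRET_KEY, SALT))


def device_theft_scenario(wordlist, secret_key, salt, verifier):
    """Lost device: the cache AND the Secret Key are on it, so only the Master Password is unknown.
    A weak Master Password falls to a short wordlist; 2FA on the account never comes into play."""
    for guess in wordlist:
        if can_unlock(guess, secret_key, salt, verifier):
            return guess
    return None


def server_breach_scenario(wordlist, salt, verifier):
    """Data taken from the server only: no Secret Key is available. Even the correct Master
    Password does not reproduce the vault key, so guessing passwords alone cannot succeed;
    the attacker would also have to search the Secret Key's full space."""
    guessed_secret_key = bytes(16)  # one arbitrary guess, to show that password guesses alone fail
    for guess in wordlist:
        if can_unlock(guess, guessed_secret_key, salt, verifier):
            return guess
    return None


if __name__ == "__main__":
    print("device theft  :", device_theft_scenario(WORDLIST, SECRET_KEY, SALT, VERIFIER))
    print("server breach :", server_breach_scenario(WORDLIST, SALT, VERIFIER))
```

The first scenario returns the weak password, which is exactly why the strength of the Master Password is the whole story for a stolen device; the second returns nothing, because without the Secret Key the derived key is wrong for every password guess, correct one included.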

  • chris000 (Community Member)

    Interesting points. If someone had their device lost/stolen, to be 100% safe, could they simply change all their passwords? That way, even if the hacker was able to brute force it, all the passwords would be obsolete.

    Of course you would have to prevent your new passwords from syncing to the lost device. I assume if we changed the security key, this would break the link to the lost phone and prevent syncing?

    Thanks.

  • Lars (1Password Alumni)

    @chris000 - if a device on which you run 1Password is lost or stolen, first of all, don't panic. We designed 1Password to keep you safe as well as to be a convenient place to store your most important data, and that safety starts with assuming it can and in some unfortunate cases, will fall into malicious hands. We've got a list of steps to take if you have a lost or stolen device, in fact. You should certainly sign into your account in a browser and regenerate your Secret Key, for example, as well as deauthorizing the device that was lost/stolen.

    But unless you have reason to believe your Master Password is compromised somehow (or was weak to begin with), there's no need to change it. Before 1password.com accounts, all of 1Password was what we now refer to as standalone, and we felt (and still feel) pretty comfortable telling users it's quite secure. AES256 encryption has never been broken, and that means as long as you create a good strong Master Password and don't disclose it to others or leave it available anywhere, it would take quite a long time indeed to brute-force crack your data. Exactly how long depends upon the specific Master Password, of course, but here's a post I wrote last year that includes a chart which should give you some idea. It's figured in password entropy, which is how we measure such things, but to give you an idea, a 23-character password (depending on the character-set used) is considered roughly equivalent to 128 bits of entropy, a figure that's off that chart.

    Typical "best practices" suggest if you have a device you know has been stolen or lost, you should change your passwords everywhere -- or at least the important ones, such as banking, medical, email, etc., in the same way that you'd call all your credit card and bank card providers and report cards stolen if your wallet goes missing. But typical cases that give the public guides on what to do, do not include the use of a truly secure password manager. Depending on the number of accounts you have in various places, changing your passwords everywhere would be a significant effort. If you want to be as secure as possible, you can certainly go through with it and change all of your passwords everywhere. But in thirteen-plus years of 1Password where we've had customers with stolen or lost devices, no one's reported either to us or to the media that a thief was able to brute-force their strong Master Password. I don't want to tell you "don't worry," because your own risk tolerance and assessment of your threat profile is of course up to you. But 1Password significantly ups your security when you DO experience a theft or loss. Hope that helps. :)
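Lars's reply above measures Master Password strength in bits of entropy and quotes a 23-character password as roughly 128 bits "depending on the character set used". The estimator below is an added example for this thread, not the chart or code from the post Lars refers to; it assumes characters (or passphrase words) are chosen uniformly at random, which is the only case where length times log2(alphabet size) is the true entropy. The character-set table and guess rates are constructed for the example.

```python
import math

# Alphabet sizes for the usual password character sets (constructed table for this example).
CHARSETS = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "printable ASCII": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of `length` characters drawn uniformly from an alphabet of `charset_size`.
    Only valid for random passwords; a human-chosen password has far less entropy."""
    if length <= 0 or charset_size <= 1:
        raise ValueError("length must be positive and the alphabet must have at least 2 symbols")
    return length * math.log2(charset_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Same calculation for a passphrase of `words` picked uniformly from a wordlist."""
    return password_entropy_bits(words, wordlist_size)


def length_for_target_bits(target_bits: float, charset_size: int) -> int:
    """Shortest random password from this alphabet that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(charset_size))


def expected_guesses(bits: float) -> float:
    """On average the correct value is found after searching half of the 2**bits space."""
    return 2 ** (bits - 1)


def expected_years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Average time to exhaust half the space at a given guess rate. The rate is the
    attacker's cost per guess: a slow KDF in front of the key lowers it by orders of magnitude."""
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def entropy_table(length: int) -> dict:
    """Entropy of a random password of `length` characters for each alphabet, rounded to 0.1 bit."""
    return {name: round(password_entropy_bits(length, size), 1) for name, size in CHARSETS.items()}


if __name__ == "__main__":
    # Check the 23-character figure from the thread against each alphabet.
    for name, bits in entropy_table(23).items():
        print(f"23 chars, {name:18s}: {bits:6.1f} bits")
    for name, size in CHARSETS.items():
        print(f"128 bits needs {length_for_target_bits(128, size):2d} chars of {name}")
    # Constructed guess rates: a fast hash on a GPU versus a deliberately slow KDF.
    for bits in (40, 60, 80, 128):
        fast = expected_years_to_crack(bits, 1e10)
        slow = expected_years_to_crack(bits, 1e5)
        print(f"{bits:3d} bits: {fast:10.3g} years at 1e10/s, {slow:10.3g} years at 1e5/s")
```

Running it shows that 23 random characters land between about 119 bits (lowercase plus digits) and 151 bits (full printable ASCII), which is where the "roughly 128 bits, depending on the character set" figure comes from, and that a 128-bit Master Password stays out of reach at any plausible guess rate while a 40-bit one does not.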

  • chris000 (Community Member)

    Great, thanks Lars for the clarification!

  • Lars (1Password Alumni)

    @chris000 - you're quite welcome. :)
