2FA - what exactly is it for?

claus (Community Member)

Hello,

I activated the Two-factor authentication.

But now I wonder what exactly it is for?! On the website I read: "With two-factor authentication, a six-digit authentication code will be required to sign in to your account on a new device ...". Ok, I understood!

But now on my Mac, where I have been using 1Pwd for a long time, I had to enter the 2FA code after starting 1Pwd. But even without entering a code the app started and I could use 1Pwd. Closing the 2FA window opens a new window telling me that from now on I work offline (no sync anymore) until I enter a 2FA code.

I thought it was an extra layer of protection before opening 1Pwd. But why do I have to enter a code on a device that has been using 1Pwd for a long time, although I could open 1Pwd without entering the code?!

Greetings,
Claus


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Lars (1Password Alumni)

    @claus - excellent question! The answer lies in the difference between encryption and authentication. In standalone 1Password (not a 1password.com account), everything was encryption-based. You needed your Master Password to unlock your 1Password data, every time you launch the 1Password app. With 1password.com accounts, your Master Password is still required to decrypt your data, but there's an additional component that didn't exist previously, which is authenticating to the 1Password website (for things like account management, billing, etc). It is in the area of authentication where 2FA (Two-Factor Authentication) can add some additional security. Turning on 2FA for your 1Password account means what it says: you now are required to enter the 2FA code to authenticate on any new device.

    But I put "authenticate" in italics because on your Mac, you already HAVE a local cache of your 1password.com account data. You can work with this data just as 1Password has always worked: directly editing/adding to the local data on your Mac, using only the Master Password for encryption. No authentication feature can REMOVE data from your device that already exists. But that's why, after turning on the feature at 1password.com and then choosing not to authenticate, you received the message that you would only be working on the local data, in offline mode: because you didn't authenticate with 2FA to the server, so no changes are pushed/accepted...until you DO authenticate via 2FA. Make sense? Let me know if you're still unclear.

  • claus (Community Member)

    Phuu, more or less it is clear! Thank you for the explanations. Well, it is clear!
    I will keep on using 2FA, it makes sense!
    But I am afraid that one day I "lose" the authentication app (losing the phone, deleting the app by accident, ...) and I cannot authenticate anymore. It is different without the extra layer of security - "just" using the Master Password or Touch ID.
    Some days ago I asked something here about 2FA and Ben, a 1Pwd Team Member, said something about setting up multiple apps/devices to generate the codes ... (https://discussions.agilebits.com/discussion/100980/2fa-for-1pwd-account-via-1pwd#latest). I have to dive deeper into it. Something to do for the weekend!

  • Lars (1Password Alumni)

    @claus - that is indeed a danger of 2FA for your 1password.com account: losing access to whatever authentication app or device (Yubikey, etc) you're using to store the 2FA code for your 1password.com account. I read Ben's advice in that thread when it was posted, and it's all spot-on. If I were going to set up 2FA on a 1password.com account, I'd make sure I had a back-up way to enter the code, so I was never left with a single point of failure. :)
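
Lars's distinction between encryption (the Master Password unlocks the local cache) and authentication (the 2FA code is checked by the server), together with the back-up authenticator point in his last reply, modelled in Python as an added example. This is not 1Password's code: the key derivation, the toy cipher, the LocalCache and SyncServer classes and every secret, salt and item value are constructed stand-ins; only the TOTP algorithm itself (RFC 6238 over RFC 4226 HOTP, from the standard library) is the real one.

```python
import hashlib
import hmac
import json
import struct

# ---- Authentication side: the six-digit code is an RFC 6238 TOTP -----------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, now // step)

# ---- Encryption side: the local cache needs only the Master Password --------
def derive_key(master_password: str, salt: bytes) -> bytes:
    # PBKDF2 is a constructed stand-in for the real (stronger) key derivation.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 50_000)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy HMAC counter-mode keystream; a stand-in for a real AEAD cipher.
    out = bytearray()
    for start in range(0, len(data), 32):
        block = hmac.new(key, struct.pack(">Q", start // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)

class LocalCache:
    """Encrypted copy of the account data already stored on the Mac."""
    def __init__(self, master_password: str, items: dict, salt: bytes):
        self.salt = salt
        key = derive_key(master_password, salt)
        self.ciphertext = keystream_xor(key, json.dumps(items).encode())
        # Encrypt-then-MAC: a wrong password is detected before decrypting.
        self.tag = hmac.new(key, self.ciphertext, hashlib.sha256).digest()

    def unlock(self, master_password: str) -> dict:
        key = derive_key(master_password, self.salt)
        expected = hmac.new(key, self.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(self.tag, expected):
            raise ValueError("wrong Master Password")
        return json.loads(keystream_xor(key, self.ciphertext))

class SyncServer:
    """Hypothetical server side: it never sees the Master Password. With 2FA
    on, a device may push changes only after presenting a valid TOTP code."""
    def __init__(self, totp_secret: bytes, two_factor: bool = True):
        self.totp_secret = totp_secret
        self.two_factor = two_factor
        self.authenticated = set()
        self.items = {}

    def sign_in(self, device_id: str, code: str, now: int) -> bool:
        if self.two_factor:
            # Accept the current 30 s step and the previous one (clock drift).
            valid = any(hmac.compare_digest(totp(self.totp_secret, now - d), code)
                        for d in (0, 30))
            if not valid:
                return False
        self.authenticated.add(device_id)
        return True

    def push(self, device_id: str, changes: dict) -> bool:
        if device_id not in self.authenticated:
            return False  # "offline mode": edits stay in the local cache only
        self.items.update(changes)
        return True

def walkthrough() -> dict:
    """Replays the situation from the thread with constructed values."""
    secret = b"constructed-shared-totp-secret"  # what enrolling the QR code stores
    password = "constructed master password"
    cache = LocalCache(password, {"site": "old-pw"}, b"constructed-salt")
    server = SyncServer(secret, two_factor=True)
    now, mac_id = 1_700_000_000, "claus-mac"
    result = {}
    # 1. The Master Password alone unlocks the local data; no code involved.
    result["unlock_without_code"] = cache.unlock(password)["site"]
    try:
        cache.unlock("wrong password")
        result["wrong_master_password_rejected"] = False
    except ValueError:
        result["wrong_master_password_rejected"] = True
    # 2. Dismissing the 2FA prompt: still unlocked, but the server refuses changes.
    result["dismissed_prompt"] = server.sign_in(mac_id, "", now)
    result["push_while_offline"] = server.push(mac_id, {"site": "new-pw"})
    # 3. A back-up authenticator enrolled from the same secret (Lars's advice)
    #    produces exactly the code the phone would.
    phone_code, backup_code = totp(secret, now), totp(secret, now)
    result["backup_matches_phone"] = phone_code == backup_code
    # 4. Authenticate with the code from either device; sync now works.
    result["sign_in_with_code"] = server.sign_in(mac_id, backup_code, now)
    result["push_after_auth"] = server.push(mac_id, {"site": "new-pw"})
    result["server_has_change"] = server.items.get("site")
    return result

if __name__ == "__main__":
    print(json.dumps(walkthrough(), indent=2))
```

Running it replays the order of events from the original post: the vault unlocks with the Master Password alone, a push is refused until the device signs in with a code, and two generators enrolled from the same secret give the same code, which is what makes a second authenticator a working back-up rather than a second secret to lose.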

This discussion has been closed.