2FA is it safe to store this with your passwords?

MrCaspan
Community Member

So I know this is a stupid question and I already know the answer, but why does 1Password allow the storing of Two Factor Authentication tokens in the app? I get the convenience of it, but does this not completely break the whole point of 2FA? So now if someone got access to my database they have my passwords and my 2FA tokens! Whereas before they would have to gain access to my 1Password database AND access to my Google Authenticator on my phone. As a maker of an application to keep people safe this seems like a really really really really bad idea to encourage users to do this! Am I just crazy here or what were they thinking?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Lars
    1Password Alumni

    @MrCaspan - thanks for the question. :)

    I get the convenience of it but does this not completely break the whole point of 2FA?...Am I just crazy here or what were they thinking?

    Well, speaking as one of "they," ( ;) ), let me try to answer your "doesn't this break 2FA" question:

    Yes and no. You're quite right to note there's indeed a difference between genuine 2FA and what's often called 2SV (Two-Step Verification), which is what we offer in 1Password. In technical terms, the two are very similar in process and achieve many (though not all) of the same results. Each functions as a second layer of verification for authentication-based systems. Here's a good chart for both. If one's self-assessed threat model includes things like well-funded, highly skilled adversaries that intend to target you specifically, then without a doubt a second separate, (probably) hardware-based authentication factor is worth looking into.

    But both 2SV and 2FA protect you against much more common types of ways people get "pwned" - the casual shoulder-surfer who may have stolen your password for a given site, or the random password-dump onto the dark web that might've happened as a result of any of the various website breaches that have occurred in recent years. In these cases, typically only your password is known by your attacker, and so either a separate second factor like an external authenticator app or even hardware token does the same job of protecting you as 1Password does - no worse and no better. Again, if you are Ed Snowden or Bill Gates or some other high-value target for whom you judge skilled and well-funded adversaries would consider it worth their while to attempt to gain access to your decrypted 1Password database (and have a reasonable chance of succeeding), then yes -- for you, in such circumstances, a true, separate second factor would definitely be worth investigating and using. We offer the TOTP functionality in 1Password for the majority of our users who don't consider themselves in this category and for whom storing TOTP with 1Password, with its ability to automatically copy the TOTP code to your clipboard for easy pasting (then clear it after 30 seconds), fulfills their security needs.

This discussion has been closed.