
When does 1Password require two-factor authentication? Seems very rare.

bobbydoololly
Community Member

Just switched to 1Password from LastPass and love it. However, even though I have 2-factor auth. set up, it basically hasn't really been asking for it. I restarted my computers several times and each time it just asked for my master password but doesn't two-factor me. Just to test it, I tried to log into the 1password.com website and it let me through with just my master password (and I checked, 2-factor is enabled).

So when is 2-factor required? I'd love it if it was a bit more often: like at every app boot-up, or device restart. Any guidance would be appreciated.

Thanks,
Rob



Comments

  • peacekeeper
    Community Member

    It only asks on first login on a new device or in an unknown browser. You can test that by visiting 1password.com in a different browser or in private mode.

    It would bring no benefit security-wise to ask more often on an authorized device, since the security of the password database comes from encryption, not authentication. If someone were to attack you locally he would just attack your local cache of the encrypted database, thus not caring if 2FA is enabled or not. 2FA mainly protects you in case an attacker somehow gained your Master Password and Secret Key but not your local data cache and then tries to log in on 1Password.com to access your data.

  • Lars
    1Password Alumni

    Welcome to the forum, @bobbydoololly - glad you're enjoying 1Password! Our guide to using 2FA with your 1password.com account mentions right at the top that you'll see the two-factor prompt (as @peacekeeper mentions) on every new device/browser you use. That adds additional protection for you if someone tries to sign into your 1password.com account from their own computer, but it adds no significant protection for you on your own device(s).

  • bobbydoololly
    Community Member

    @Lars @peacekeeper Thanks so much! All is clear.

  • Lars
    1Password Alumni

    :) :+1:

  • MPR
    Community Member

    @Lars It's all well and good doing the RTFM thing, but it's rarely helpful and it does tend to make you look a bit of a knob. This wasn't obvious to me either (tech director of 3 ISPs over the last 15 years) so I suspect that this COULD be a little clearer in your docs.

    I'm trying to use a Yubikey for 2FA. But before you can register the key you have to set up 2FA using an authenticator. Having done that (and tested it) there's no opportunity to test the key without creating a "first login" situation again.

    This is definitely not made clear in the docs!

    Even then, despite having registered my key, I only get the option to enter a 6 digit authenticator code. Still can't use the key...

    Very frustrating!

  • Lars
    1Password Alumni

    Welcome to the forum, @MPR! Sorry to give the impression I was "doing the RTFM thing." :( That certainly wasn't the intention. We're here to help and to answer questions on this forum as well as via email. But when answers to those questions are already documented, we'll often link people to these resources because doing so is both faster and likely clearer than one of us trying to type the same information out again in a reply here.

    Regarding your Yubikey, you're right that 2FA for your 1Password account must be set up first with an authenticator app, but can you clarify what you mean by "there's no opportunity to test the key without creating a 'first login' situation again?" If you can let us know the specifics, that will help. Thanks. :)

  • MPR
    Community Member

    Hi,

    Sorry, that seemed more lighthearted as I wrote it...

    I mean that having authenticated a device using an authenticator app, you can't then test a key without first un-authenticating that device. Because otherwise 2FA auth won't be triggered. That seems like a thing that could usefully be documented...

    In my case though, even after resetting 2FA I can still only authenticate using a 6 digit pin. I have absolutely no idea how to troubleshoot this. I'm not really sure what the expected behaviour is. Judging by your docs (and video) I guess I'm expecting to be prompted to press the button on the key?

    But there's no prompt and no error. Just silent failure...

    Any ideas?

    Thanks

  • MPR
    Community Member

    Hi @Lars

    So... I've managed to get Yubikey working with the 1Password website in Chrome but I had to register the key in Firefox first. It's sort of misleading that it is possible to register a key in Chrome but it actually doesn't work despite being "registered". I had to remove the key and then re-register it in Firefox. Then it worked in Chrome. Safari at least has the option to register a key greyed out which avoids a lot of time-wasting...

    My next challenge is to get the key to work with the 1Password app / plugin. That still only allows me to use the Google auth app (or similar). Is this something I should battle on with or am I wasting time here too? I can't find anything in the docs which differentiates between web logins and the app.

    Also, your PAM integration destroyed my OS following an update. Had to restore from backup. Should be more robust than that. Makes it unsafe to use for OS level protection. See some info about this in the docs too so I guess I'm not the first. Thing is... I couldn't follow the docs to fix the PAM config files because the broken OS wouldn't let me escalate privileges either in System Preferences or via sudo.

    Honestly, at this rate I can see us sending a big bag of keys back to you.

    Am starting to play with the Yubikey Authenticator now. The fact that it looks as if it was written 20 years ago is not filling me with hope :-/

    Any help with the 1Password app login would be appreciated. The remainder of the above is mostly advisory...

    Ta

    Matt

  • Lars
    1Password Alumni
    edited August 2019

    @MPR - thanks for the update, and I'm sorry to hear about the difficulties! Can I ask what clients you're using (or expecting to use) your Yubikey with? Also, what version of Chrome are you currently running?

  • rudy
    edited August 2019

    @MPR,

    If I'm reading your query right you're wondering why the key that you registered in Chrome isn't then prompted when you sign into your account using Chrome. This is because you've just 2FA authenticated Chrome by registering the key in Chrome. Once a device is 2FA authorized you won't be prompted to use the key each time you log in; you'll only be prompted for that "device" (in this case Chrome is considered a device, so is Firefox, so would any other browser, so would any of the native apps) when you purposefully deauthorize the device or otherwise mark a particular device as needing 2FA on next authorization via your account profile device list.

    Native-application-wise, only 1Password for iOS supports the YubiKey 5Ci, so if you're using some other combination of 1Password and YubiKey, please be aware of that. 1Password X and 1Password.com do work with other keys and do work in a number of browsers at this time.

  • MPR
    Community Member

    @Lars

    I was hoping to use Yubikey with all 1Password clients and at the least, with the web login on all native browsers.

    As it happens, the 1Password OSX client doesn't work with Yubikey and nor do any native browsers. I haven't tried Windows or any mobile clients as I'm already at the point where the integration is too poor to be useful.

    @Rudy

    Thanks for your post. However, as per my post above:

    "I mean that having authenticated a device using an authenticator app, you can't then test a key without first un-authenticating that device. Because otherwise 2FA auth won't be triggered. That seems like a thing that could usefully be documented..."

    I already know what you're telling me. I was just saying that this behaviour is badly documented.

    @Lars @Rudy

    Honestly, the integration between 1Password and Yubikey is so incomplete that I actually think it's misleading to suggest that there is usable support at all.

    Again though, this is primarily a documentation issue. Or at least, better documentation would have saved me a lot of wasted time. I only attempted to use a combination of 1Password and Yubikey because your docs suggest that there is a workable integration. There isn't!

    Matt

  • Thanks for taking the time to share your perspective on the situation @MPR.

    Ben

This discussion has been closed.