Enable 2 Factor Authentication for every login

Hi,

Is there a way to enable 2-factor authentication for every login, and not only for adding a new device?
What if my local storage / profile folder is stolen from the user profile folder? Then someone could log in without my YubiKey.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • ag_ana

    Team Member
    edited November 2019

    Hi @Grex! Welcome to the forum!

    Is there a way to enable 2-factor authentication for every login, and not only for adding a new device?

    2-Factor Authentication is required when you sign in to your 1Password account.

    What if my local storage / profile folder is stolen from the user profile folder? Then someone could log in without my YubiKey.

    They would still need to know your Master Password to decrypt your data, because that's how your data is encrypted. The Yubikey plays no role in the encryption of your data, so it would not protect you in that scenario anyway.

  • Hi @ag_ana,

    2-factor authentication is based on something I have and on something I know.
    So if someone steals my profile folder from Firefox (C:\users\myUser\AppData\Roaming\Mozilla\FireFox\Profiles), he has my login name and Secret Key, because they are saved in this folder. And if my PC was infected with a trojan including a keylogger, he has my password and the local storage, and can access 1Password.

    I tried this, and it worked! (Move this folder to a completely new PC, overwrite the existing profile data and log in with only the Master Password.)

    I deleted all my passwords in 1Password until the feature "always require 2-factor" is added.

  • brenty

    Team Member

    @Grex: We can't stop you from giving your Master Password and data to an attacker. What you actually asked for here -- "Enable 2 Factor Authentication for every login" -- is exactly how 1Password memberships work: if you have two-factor authentication enabled for your account, it will be required any time you log in. I think what you meant to ask for was that 1Password require you to log in every time you use it. If that's really what you want, you can accomplish that today by clicking the box that says "This is a public or shared computer" on https://start.1password.com when signing in. That will prevent the browser from being authorized with your account and your Secret Key from being saved in the browser's local storage, and therefore also prevent you from copying the browser's data to another computer and being able to sign in there without authenticating.

    However, nothing will protect you in your proposed scenario:

    if my PC was infected with a trojan including a keylogger, he has my password and the local storage, and can access 1Password.

    In that case, the attacker just needs to wait for you to access your data to capture it. Two-factor authentication does not protect you against that attack; it only prevents someone from capturing all of your account credentials to reuse later. What you're talking about is you've already got your 1Password data on the device, and in that case there is no authentication involved, as it does not need to be retrieved from the server; it's protected by encryption.

    It's fine if you don't feel that 1Password is the right fit for you. But we're not going to lie to you or our customers even indirectly, by offering "security theater" in the form of requesting authentication in a situation where none is required, since the encrypted data is already present; or by pretending that you can be protected from someone you've ceded control of your machine to when nothing can.
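A toy model of the point brenty makes above, added here as an illustration (it is not 1Password's code or its real protocol; the key derivation, the `sign_in`/`unlock_offline` split and the constructed sample values are all assumptions): the second factor is checked only when the server is contacted, while a copy of local storage plus the Master Password unlocks the data offline, and the "shared computer" mode closes that path by never persisting the Secret Key.

```python
import hashlib
import hmac
import secrets

# Simplified two-secret key derivation: the vault key depends on BOTH the
# Master Password (something you know) and the Secret Key (something stored
# on the device). Illustrative stand-in, not 1Password's actual scheme.
def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    return hmac.new(secret_key.encode(), pw_key, hashlib.sha256).digest()


def make_vault(master_password: str, secret_key: str) -> dict:
    """Create a vault that stores only a salt and a key verifier (no plaintext)."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, secret_key, salt)
    verifier = hmac.new(key, b"vault-verifier", hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def unlock_offline(vault: dict, master_password: str, secret_key: str) -> bool:
    """Decrypt-side check: no server, no second factor, only the two secrets."""
    key = derive_vault_key(master_password, secret_key, vault["salt"])
    expected = hmac.new(key, b"vault-verifier", hashlib.sha256).digest()
    return hmac.compare_digest(expected, vault["verifier"])


def sign_in(browser_storage: dict, vault: dict, master_password: str,
            secret_key: str, second_factor_ok: bool, shared_computer: bool = False) -> bool:
    """Server-side sign-in: the second factor is enforced here, and only here."""
    if not second_factor_ok:
        return False
    if not unlock_offline(vault, master_password, secret_key):
        return False
    if not shared_computer:
        # Trusted device: the Secret Key is persisted so future unlocks are offline.
        browser_storage["secret_key"] = secret_key
    return True


def copied_profile_unlock(copied_storage: dict, vault: dict, password_guess: str) -> bool:
    """Someone holding a copy of the profile folder never contacts the server,
    so the second factor is never consulted; only the Master Password matters."""
    stored_key = copied_storage.get("secret_key")
    if stored_key is None:
        return False  # "shared computer" mode: nothing usable was persisted
    return unlock_offline(vault, password_guess, stored_key)
```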

  • @Grex - if a keylogger is installed on your PC, you have more serious issues than someone simply getting into your 1Password database because they will already have logged everything else you use and have access to all your data already.

    I personally use Bitdefender on my Windows PC as it has a Keylogger monitor. Another tool you may want to add to your arsenal is SpyShelter which is a dedicated defense against keyloggers.

    The best way to protect against hardware keyloggers is to routinely check the back of your PC to see if there is anything inserted into your USB ports that shouldn't be there, especially in-line with your USB or PS/2 keyboard connector. If you see yourself as being vulnerable to hardware keylogging, you might want to consider the value of the data you have access to and decide whether to move that PC into a physically secured location with 24x7 movement detection/camera monitoring/recording.

  • ag_ana

    Team Member

    Thank you for chiming in and for the tips :+1:
