Recovery codes for 1Password 2-factor auth
Does 1Password support 2FA recovery codes? I don't use services like Authy which backup my TOTP secrets to the cloud, and I don't want to rely on having a device which is pre-authenticated with my 1Password account in order to reset 2FA. Normally this would be fine because I would securely store backup codes, but https://support.1password.com/two-factor-authentication/#if-you-lose-access-to-your-authenticator-app makes no mention of this, and I don't see how to generate them in the UI.
If this is not supported, why not?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
@lookingforentropy - we don't support backup codes for 2FA in 1password.com accounts. Our Chief Defender Against the Dark Arts, jpgoldberg, runs down the reasons for that in this post from back in September:
- The single biggest reason is that we are desperately trying to get people to make backups of their Secret Keys. We don't want to dilute that message in any way whatsoever, and giving people something else they should save would be diluting it.
- The Secret Key is confusing enough on its own, and we don't want to make it easier for people to think that they have it backed up when all they really have are TOTP backup codes.
- TOTP back up codes don't really add a lot of value. So we aren't really losing much by not offering them. Sure, it isn't a lot of fun when people write in to tell us that they've lost their TOTP secret, but we can get those sorted out. (And as unfun as that process is, it is a picnic compared to when people write in saying they have lost their Secret Keys.)
- There are (easy?) alternatives to TOTP backup codes. If you want a back up mechanism for TOTP just save the TOTP long term secret or QR code some place. You have ways other than backup codes to back up your TOTP access (which is the one thing we can reset anyway. (Some apps make it hard to do this; others make it easy.)
That last one is the most-salient one for you, if you're worried about losing your 2FA app/device/secret: take a screenshot of the QR code you're showed when you first activate 2FA on your 1Password account. You can keep it anywhere you like, printed or saved as an image or PDF file, in case your authentication secret is lost. And if all else fails, as jpgoldberg alludes to, you can get in touch with us and we can help get you sorted out in most cases. Hope that's helpful.
0 -
I appreciate the quick response, Lars, that is very helpful! I wasn't able to find that thread when searching for a prior discussion on this topic. I'm certainly sympathetic to the situation you're in, needing to educate customers to ensure they are backing up their secret key (which is a phenomenal feature of your product, by the way, thank you!).
My fallback strategy was, indeed, to backup the TOTP secret itself. I am curious, though, if someone loses their 2FA device/secret entirely, what process do you follow before resetting 2FA for their account?
0 -
@lookingforentropy - thanks for the kind words about the Secret Key; we're pretty happy with that feature too! I'm glad to see you thinking proactively about how to safeguard your account, not only via encryption and authentication, but also by making redundantly sure you'll be able to access your data. The most-secure files in the world aren't worth much to you if you can't open them yourself. ;)
To answer your question regarding lost access to a 2FA secret or authenticator app/device, there's a few methods we can help with. The first (and often, successful) one is: do you have any devices (apps) or browsers available on which you've previously authenticated with 2FA? Remember, in 1Password accounts, only the first sign-in on any device after enabling 2FA for the account requires 2FA. Subsequent unlocks from the same device will not prompt for 2FA, and that means often an existing browser can be used to sign in with only the Master Password, after which the user themselves can turn off 2FA.
We also will in some cases ask a series of verification questions about the account that only the user would know, which can vary depending on individual circumstances and type of account. There's a bit more to it than that, but that's why I say we can help in most cases -- because each individual situation is slightly different.
0 -
Thanks Lars, enjoy your weekend!
0 -
:) :+1:
0