How do 2FA one-time passwords work with 1Password, and isn't it less secure?

Hi,
I'm currently using Google Authenticator to store my one time passwords for the purpose of 2FA.
Today I tried using 1Password to store a one time password for a new website. I scanned the website QR code in the 1Password App and enabled 2FA for the website. So far it worked as I expected.
Then I opened the browser 1Password extension, entered my master password and searched for the item in question.
I was surprised to see that the extension displayed the rotating one time password and offered to fill it (it worked also when I turned my phone off).

My question is: how does 1Password manage one-time passwords? More specifically, how does it transfer them from the device (mobile app) to the desktop browser extension?
Follow-up question is security related: given that the second factor requires me to have my phone (something you have), doesn't this mechanism bypass the need for access to the phone and reduce security?

Would appreciate any input.

Thanks,
Dan


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:2fa

Comments

  • ag_yaron
    1Password Alumni

    Hey @dan_simplex ,
    2FA is, as it is called, a two factor authentication method, which means your base credentials (email/password) will not allow you to access your account without another failsafe, which is a one time passcode that only you and the website know. These one time passcodes are only valid for a very short amount of time, which makes it safe to use and increases your account's security by a ton.

    These one time passcodes are being generated using a shared secret that only your device(s) and the website know, and that secret is being computed with the current time and date, which generates that one time code. That means any device you put that secret on (by scanning a QR or by manually entering that string) will be able to generate the correct one time passcode. It doesn't matter if it is on your phone, or if you're using Google Authenticator, Authy or 1Password. The algorithm is the same. As long as the secret is correct, and your device's time/date settings are correct, the generated one time passcode will be valid.

    Security wise - if hackers get their hands on your email/password, they still won't be able to access your account since they don't have the 2FA secret. It has been proven to work and prevent many unauthorized access attempts.

    1Password on your phone is being synced with 1Password on your computer, which is why it showed up there. How does it sync? You should know. The options are:

    • iCloud.
    • Dropbox.
    • 1Password.com account.

    1Password does make it a lot easier to work with 2FA since it automatically fills in your login credentials AND the 2FA afterwards, which is just a great experience. You can learn more here: https://support.1password.com/one-time-passwords/
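The mechanism the reply above describes (shared secret + current time, same algorithm on every device) is RFC 6238 TOTP. The following is an added example, not 1Password's code or anything from the original thread: it parses the kind of otpauth:// URI a 2FA QR code carries, derives the code the way an authenticator app does, and shows a server-side check with a small clock-skew window. The otpauth URI and the "phone"/"desktop" labels are constructed for illustration; the base32 secret is the RFC 6238 test-vector key, so the codes it produces are the published ones.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth_uri(uri):
    """Parse an otpauth://totp/... URI, i.e. the payload of a 2FA QR code.

    Returns the secret plus the parameters the generator needs. Defaults
    match what authenticator apps assume when a site omits them:
    SHA1, 6 digits, 30-second period.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "issuer": params.get("issuer", [""])[0],
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def _hotp(key, counter, digits, algorithm):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, digits=6, period=30, algorithm="SHA1"):
    """TOTP code for a base32 secret at Unix time `at` (default: now).

    Any device holding the same secret with a correct clock returns the
    same string: this is why a synced secret works on phone and desktop.
    """
    if at is None:
        at = int(time.time())
    # Apps are lenient about spaces, case and missing padding in the secret.
    normalized = secret_b32.strip().replace(" ", "").upper()
    normalized += "=" * (-len(normalized) % 8)
    key = base64.b32decode(normalized)
    return _hotp(key, at // period, digits, algorithm)


def verify_totp(secret_b32, candidate, at=None, window=1, **kwargs):
    """Server-side check: accept the code for the current step and `window`
    steps either side (clock skew), comparing in constant time."""
    if at is None:
        at = int(time.time())
    period = kwargs.get("period", 30)
    for step in range(-window, window + 1):
        expected = totp(secret_b32, at + step * period, **kwargs)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# Constructed QR-code payload using the RFC 6238 test-vector secret (ASCII
# "12345678901234567890" in base32); the label and issuer are made up.
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)

if __name__ == "__main__":
    cfg = parse_otpauth_uri(SAMPLE_URI)
    now = int(time.time())
    # Two "devices" that both hold the synced secret produce the same code.
    for device in ("phone", "desktop"):
        print(device, totp(cfg["secret"], now, cfg["digits"], cfg["period"], cfg["algorithm"]))
    # The published RFC 6238 SHA1 vector at t=59 is 94287082 (last six digits 287082).
    print("t=59:", totp(cfg["secret"], at=59))
```

The practical consequence for the question in the thread: the secret is the factor, not the phone. Whoever can read the vault (or whatever store holds the secret) can generate valid codes; the time step only limits how long a captured code stays usable.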

  • dan_simplex
    Community Member

    Hi @Yaron,
    Thanks for the detailed response.
    I still have a followup question if I may.

    The way I understand it, the shared secret one puts on the device (by QR code or string) is responsible for generating the OTP (together with a timestamp).
    Is it correct to say that 1Password syncs this shared secret from the device it was put on to all other connected devices?

    Regarding "how secure is it", I understand your point regarding increased security. I just wonder if there is a slight reduction in security due to the fact that my mobile device is not needed anymore (the second factor falls under the security of my 1Password account).

    Thanks,
    Dan

  • ag_yaron
    1Password Alumni

    Hey Dan,
    The answer is Yes. 1Password syncs whatever you put in it across all of your devices, whether it is a login, a note, a credit card or a 2FA passcode. That's the whole point and that is why 1Password is so great to have :)

    It does not reduce your security in any way, so if you have any specific suspicions or questions on the matter I would love to answer them.
    I know it "feels" safer to use a totally different device to authenticate, but the logic behind 2FA is to have another temporary password to verify with, and not necessarily with another device.

    That being said, needing to authenticate with a specific 3rd party device can increase security even more, and there are special devices that allow this, such as Yubikey, but using it on a daily basis for every single website is overkill; you're much better off allowing 1Password to autofill 2FA codes for you. You can use a device like Yubikey to apply 2FA on very sensitive and important websites, like your 1Password.com account: https://support.1password.com/security-key/

    Security-wise, the only way someone can gain access to your websites if 2FA is enabled is by gaining access (physical or remote) to your computer/phone while 1Password is unlocked. If using a physical device such as Yubikey, they will need physical access to that Yubikey and your 1Password data.

    Stay vigilant, keep your devices clean and secured, make sure that 1Password locks automatically when you are not using it and you will remain safe :)

  • dan_simplex
    Community Member

    Thanks @Yaron again for all the information!
    No doubt 1Password makes 2FA UX great.

    Dan

  • ag_yaron
    1Password Alumni

    Glad I could help, @dan_simplex :)
    Enjoy your 1Password.

This discussion has been closed.