MFA in iOS app causing some additional clicks to get to your data
Hi,
I am using 1Password with great pleasure. It's a great tool with mighty powers. Hence, I enabled 2FA: OTP as well as a YubiKey (belt, suspenders).
Most of the time I am using my desktop app, but now and then, I need the app. It makes total sense for the app too to request a second factor. It asks for the YubiKey first, but the connection of my YubiKey (USB-C) is incompatible with my phone, so I have to cancel that one. (click 1)
Once canceled, 1Password realizes the belt has gone and switches to the suspenders :)
As the OTP is in 1Password itself, I cannot access it at this point and need to cancel that one too (left upper corner).
At this point, I have access to all data that has been cached from the last time I authenticated (you can find your OTP, copy it and trigger authentication again, where you can paste it).
I think it's great you have access to cached data without doing the second factor authentication, as in 99.99% of the time, the info I need is already cached.
For that use case (access cached data in the app when 2FA is enabled) it gets a little annoying that you have to cancel twice (in case you configured 2 factors) before you get to your data.
I think it would be great if there was a configuration option that allows you to go to your data directly (without being prompted for 2nd factor).
In that case, it may be a good idea to have a visual indicator that you may be looking at outdated data (maybe a little banner at the top? Or some different colour scheme?)
I see a benefit in a banner as there is room for some info (your data may be outdated) as well as a button or link to let you authenticate if you want to sync your data.
Would this be of interest to more people than just me?
Thx in advance!
1Password Version: 7.4.4
Extension Version: Not Provided
OS Version: ios 13.3.1
Sync Type: iCloud
Comments
-
Hi @qsdf
"As the OTP is in 1Password itself, I cannot access it at this point and need to cancel that one too (left upper corner)."
We would strongly recommend against having 1Password be the only place you store your TOTP secret for exactly this reason.
From our "Turn on two-factor authentication for your 1Password account" guide:
"Although 1Password can be used to store one-time passwords for other services where you use two-factor authentication, it’s important to use a different authenticator app to store the authentication codes for your 1Password account. Storing them in 1Password would be like putting the key to a safe inside of the safe itself."
As for some sort of banner indicating when you aren't connected and may not be able to see the latest changes to your data... I personally like that thought. I'll be happy to pass the suggestion along to the team for their consideration.
Ben
0 -
Hi Ben,
Thx for getting back to me. We do have the OTP's secret backed up, but it's convenient for those times I need it on the go on mobile devices.
The banner could indeed be nice, but to me, it would be the setting to bypass the OTP prompt at startup of the mobile app that would really benefit my habit.
Thx again!
0 -
"The banner could indeed be nice, but to me, it would be the setting to bypass the OTP prompt at startup of the mobile app that would really benefit my habit."
I don't think we're going to go that route to be honest, but we do appreciate the suggestion. The reason we probably wouldn't is because 2FA works differently for 1Password than it does for most other services. The only time 2FA is involved in the process for 1Password accounts is when authorizing a device. Once the device has been authorized you shouldn't see a 2FA prompt on that device again unless it somehow becomes deauthorized. If you believe you've successfully authorized a device but are still getting 2FA prompts on that device then it is likely something has gone wrong with the authorization process, and we should troubleshoot via email. :)
Ben
0 -
Hi Ben,
Thx for elaborating on this: it makes a lot of sense, and indeed the authentication of my device had never succeeded. I assumed you had to authenticate each time. What was actually going on was that I was entering the wrong OTP (I have a professional (for teams) and a family account).
Once I realised that, it works like a charm.
Thx again!
0 -
On behalf of Ben, you are welcome! If you have any other questions, please feel free to reach out anytime.
Have a wonderful day :)
0