Two-factor authentication without QR code

alphi
Community Member

I am trying to enable two-factor authentication for the sites that watchtower suggests it is available. Am I correct in assuming that this can only be done in 1password if there is a QR code? How do I know if there is going to be a QR code provided before I enable two-factor authentication on a site?


1Password Version: 7.4.2
Extension Version: Not Provided
OS Version: 10.15.3
Sync Type: Not Provided

Comments

  • ag_ana
    1Password Alumni

    Hi @alphi!

    Am I correct in assuming that this can only be done in 1password if there is a QR code?

    That is correct.

    How do I know if there is going to be a QR code provided before I enable two-factor authentication on a site?

    You can check the documentation of the specific website, or you can just try activating 2FA there: if they support a QR code, it will be shown to you before the end of the procedure. If they don't support it, you can decide not to activate it.

  • alphi
    Community Member

    Thanks @ag_ana ... I was hoping I was missing a bit on https://twofactorauth.org telling me which 2FA implementations used QR codes :(

  • Jan1
    Community Member

    @ag_ana Are you sure? I'm almost 99.9% positive I added Instagram 2FA yesterday by pasting the code into the field that shows up when adding a one-time password.

  • ag_tommy
    edited February 2020

    @Jan1

    If the site gives you a code, you can indeed paste the code into 1Password.

    From https://support.1password.com/one-time-passwords/

    On the website, choose to enter the code manually. Copy the code, then paste it in the One-Time Password field.
    If the website only supports QR codes, you’ll need to scan it using a 1Password app.

  • ag_ana
    1Password Alumni

    @alphi:

    It looks like twofactorauth only tells you if the website offers a soft token, I am afraid :( But as Jan1 wrote, if they show you your 2FA secret instead, you can manually paste that into 1Password; the QR code just makes it simpler :)

  • iWoodsman
    Community Member

    I am confused after almost locking myself out of Amazon trying to get 2FA to work. I edit my Amazon record to have an OTP field into which I paste the OTP Amazon provided me with. I save, by which time I notice the little timer 1Password has on that OTP has expired, and it immediately generates a new one... and then a new one... seemingly divorced from any password Amazon is expecting, as my failed tries suggest. There's no sign of a QR code, so I type in the original texted code and it works. I guess I don't understand what role 1Password has to play in 2FA if it cannot know what a given website's OTP will be... and if it did know that, it still seems faster just to type it in. If you guys think there's value here, I trust you, but what am I missing? Does the existence of a QR code establish a live link to a site allowing OTPs to be sent and used without interaction? That would be a useful thing.

  • @iWoodsman

    into which I paste the OTP Amazon provided me with

    It sounds like this may be the problem? The 6-digit OTP code isn't what goes into that field... that would defeat the point. That would mean that anyone who got one of your OTP codes could then generate OTP codes indefinitely for your account. The purpose of OTP is to prevent that.

    The OTP secret (which the code is generated from) is what goes in 1Password. You need the OTP secret from Amazon, which is generally only available when enabling OTP. To get one, you may need to disable OTP, and then set it up using 1Password as your authenticator app (instead of SMS).

    Ben

  • iWoodsman
    Community Member

    “set it up using 1Password as your authenticator app (instead of SMS).” That’s what I needed, thanks. The instructions at support.1password.com/one-time-passwords could possibly use a patch, in that they instruct me to follow the instructions at Amazon, which are in fact primarily geared to use texted OTPs with a more deemphasized option to use an “authenticator app” (I personally think of Google Auth and not my password manager). After I got the QR code and saw the otpauth link it creates, then I started to understand. I guess I’m suggesting padding a few more sentences in that explain what’s happening along with the directives. But thank you!

  • You're welcome. Thanks for the feedback. :)

    Ben

This discussion has been closed.