Feature Request: Additional MFA prompt criteria
At the moment, if you enable TOTP/Yubikey MFA on your account, it prompts during initial login from a new device or the next time you unlock a device after enabling it. This is great! But I'd love some more control. Things like:
- Prompt for X factors before accessing individual items
- Prompt for X factors before accessing items tagged with Y.
- Prompt for X factors before accessing items in Y vault.
- Prompt for X factors before unlocking Y class of device
- Prompt for X factors before Y action for Z group.
For the condition part (Prompt for X factors), I envision an interface that lets you select an arbitrary number of factors in any number of buckets. To pass the condition you need to provide one allowed factor from each bucket (no repeats). Factor lists would be something like: Master Password, Touch ID, Face ID, TOTP, YubiKey, GeoFence (yes, I just made up another feature :), Manager's approval (yes, another made up feature). For each condition, choose to apply this rule either: Every time, once per X duration, or once per user. Then apply the condition to any item or action inside 1Password: Individual items, vaults, tags, users, groups, device types (IOS, Mac, Windows, Web) and actions like login/unlock, share item, delete item, delete vault, change item password, etc.
Example "Two Factor" Scenarios:
- Vault full of break-glass accounts which should rarely or never be used and provide superuser access to various items. Require re-entry of master password AND a Yubikey to access items in this vault.
- Require master password AND any of touch ID, Face ID, TOTP, or Yubikey for to unlock 1password on a mobile device.
- Require Master Password or touch ID or FaceID AND Yubikey to unlock 1password on mobile device.
- Require Master Password and any other factor once every 30 days.
- Require initial device enrollment/sign in can only happen inside X geofence.
Example "one factor" scenarios:
- Require Master Password re-entry to access this item.
- Require Master Password to share this item.
- Require a Yubikey or TOTP to access this vault.
- Allow any of: Master password, biometrics, or a Yubikey to unlock a device (yes I realize the latter would "weaken" security)
- Always require Master Password to unlock mobile devices (i.e. block biometrics)
- Only allow access to this secret if you're in one of these two physical locations.
- Automatically unlock 1password if you're in this physical location
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @feat_ford
There is good reason this isn't currently possible. :) 2FA serves a different role with 1Password than it does with traditional authentication based services, because 1Password's security is encryption based.
Authentication and encryption in the 1Password security model
The function of 2FA with 1Password membership accounts is to help protect the device authorization process. Once a device is authorized 2FA is no longer required, unless the device is subsequently deauthorized through the web app, or the browser/app's locally cached copy of the secret is cleared. Essentially 2FA helps prevent a replay attack from authorizing a device. It is not designed to help in the case that someone has access to one of your authorized devices. As such 2FA does not prevent you from accessing locally cached data (e.g. while your device is offline).
Implementing these kinds of changes would require giving up offline access, which is one of the core functions of 1Password and part of our foundational design. And then there is some question as to the actual protection that these sorts of change would provide compared with the perception of protection, i.e. "security theater."
The Security Key is your best protection against someone who doesn't have access to one of your devices, and your Master Password is your best protection against someone who does.
Ben
0