Two Factor Auth (2FA) and Privacy. What data is being shared?

Jonah9B
Community Member

Hi,
I haven't been able to find any information about this in your privacy policy so hopefully you can answer here:
If I'm using 1Password as an authenticator for sites with two-factor authentication, what data is being shared between 1password and the additional apps / sites?
Is my 1Password login email being shared with those apps? What about my IP address?

I'm very thoughtful about retaining my privacy and want to know exactly what information about me is being shared through this protocol.
Thank you


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • XIII
    Community Member

    Probably only the 6 digit code?

  • Jonah9B
    Community Member

    After reading the Authy app privacy policy I wouldn't be so sure. It seems that they are collecting and sharing way more than that. Including email addresses from other accounts which is a significant privacy concern.
    1password team, can we get a response from you?

  • Hi @Jonah9B

    I'd be happy to address those questions.

    If I'm using 1Password as an authenticator for sites with two-factor authentication, what data is being shared between 1password and the additional apps / sites?

    The only additional information that would be going from 1Password to such sites would be the 6-digit OTP.

    Is my 1Password login email being shared with those apps?

    No.

    What about my IP address?

    1Password itself doesn't share your IP address with such services, but certainly any services you're using are getting your IP address. In order for your web browser to connect to a website it has to send a request that includes your IP address, which tells the site where to send the requested information back to.

    Your IP address: Who can see it and what you can do about it | PCWorld

    (3rd party link; not affiliated with 1Password)

    Ben

  • jpgoldberg
    1Password Alumni

    Hi @Jonah9B.

    Ben was absolutely correct. The one-time codes use a system called TOTP (Time-based One-time Passwords). One of the really cool things about TOTP is that nothing is shared with any third party. I understand why you ask, as there are other systems where a third party can learn when and where you log into stuff, but that is not the case with TOTP. TOTP is directly between you and the service you are logging into. No third parties involved. [1]

    First sign up

    Roughly speaking, the way it works is that when you first set up TOTP with some service, say Dropbox, you scan a QR code (the square bar code), which might look like this

    [QR code image]

    That contains some settings and a long-term secret that was generated by the server (Dropbox in that example). It also contains things that identify Dropbox and your user name. The QR code will just be a scannable representation of something that looks like

    otpauth://totp/dropbox.com:alice@fastmail.fm?secret=qlt6vmy6svfx4bt4rpmisaiyol6hihca&issuer=dropbox.com

    And that is what is stored and encrypted in your 1Password. Just as we don't have your passwords or usernames or even the websites, we don't have that. This is all encrypted with keys derived from your Master Password.

    Getting the six digit code

    Anyway, once that is set up, when you use the thing, 1Password computes the six-digit code using a cryptographic hash function that uses the long-term secret and the current time. So you do not even need to be connected to the network to generate your six-digit code. All you need is for your system's clock to be reasonably accurate.

    Both the server and your item in 1Password have the same long-term secret, and both know the current time, so they can compute the same six-digit code.

    I wrote more about this back in 2012 in Doing the two step until the end of time. Some of the content is dated (like commentary about the Maya calendar), but my "ancient eunuchs" is no more awful today than it was back then.


    [1] Both your device and the server need to have their clocks in sync, so in a very abstract sense there is a third party. But that third party is just the whole network system.
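The mechanism described in the post above, as an added worked example (not code from this thread, and not 1Password's implementation): it parses an otpauth:// URI of the shape shown, derives the six-digit code from the stored secret and the clock, and then checks a submitted code the way a server would, including the small clock-skew window the footnote alludes to. The function names (parse_otpauth, hotp, totp, verify) and the constant RFC_URI are this example's own; the sample URI is constructed around the RFC 6238 reference secret "12345678901234567890", so the codes it produces can be checked against the published test vectors.

```python
"""Worked TOTP example: parse an otpauth:// enrolment URI, derive the
6-digit code from the shared secret and the clock, and verify it the way
a server would. Illustrative code; not 1Password's implementation."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Pull issuer, account and secret out of the QR code's otpauth:// URI.

    Everything here was generated by the server at enrolment; the
    authenticator stores it locally and never transmits any of it.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    label = unquote(u.path.lstrip("/"))
    # The label is "issuer:account" or just "account".
    label_issuer, sep, account = label.partition(":")
    if not sep:
        label_issuer, account = "", label
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    # Base32 in the wild is often lower case and unpadded; normalise it.
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)
    return {
        "issuer": params.get("issuer", label_issuer),
        "account": account,
        "secret": base64.b32decode(b32),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(entry, at=None):
    """RFC 6238: the HOTP counter is simply floor(unix_time / period).

    No network access is needed; only the secret and a reasonable clock.
    """
    at = time.time() if at is None else at
    return hotp(entry["secret"], int(at) // entry["period"],
                entry["digits"], entry["algorithm"])


def verify(entry, submitted, at=None, skew=1):
    """Server-side check. Only `submitted` ever crossed the network.

    Accepting the neighbouring `skew` time steps absorbs the clock drift
    the footnote mentions; compare_digest keeps the comparison
    constant-time so a wrong guess leaks nothing through timing.
    """
    at = time.time() if at is None else at
    counter = int(at) // entry["period"]
    return any(
        hmac.compare_digest(
            hotp(entry["secret"], c, entry["digits"], entry["algorithm"]),
            submitted)
        for c in range(counter - skew, counter + skew + 1)
    )


# Constructed sample: the RFC 6238 reference secret "12345678901234567890"
# in base32, wrapped in an otpauth URI of the shape shown in the post.
RFC_URI = ("otpauth://totp/Example:alice@example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    entry = parse_otpauth(RFC_URI)
    print(entry["issuer"], entry["account"], totp(entry))
```

Feeding the post's own dropbox.com URI to parse_otpauth yields issuer "dropbox.com", account "alice@fastmail.fm" and a 20-byte secret; the code it then produces depends only on that secret and the current 30-second step, which is why the sole thing the site learns from the exchange is the six digits you type.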

This discussion has been closed.