How to setup two-factor authentication upon each login into 1PW?

tofucari
Community Member

I would like 1PW to require 2FA upon each login. Is that possible? If so, how?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • ag_ana
    1Password Alumni

    Hi @tofucari! Welcome to the forum!

    1Password will prompt you for 2FA only when you add a new device to an account. It is not possible to configure it to ask for 2FA upon each login.

  • exatty
    Community Member

    Can 1PW consider allowing users to require 2FA upon each login? LastPass and Dashlane both do so, and it's an extra layer of protection for those who want it. It's the only thing causing me to hesitate from signing up for 1PW. Thanks.

  • Hi @exatty

    If we were going to require 2FA for each unlock, and for that to actually provide any protection, that would mean

    1. We'd have to give up offline access
    2. All of your data would have to be downloaded from the server each time

    That really isn't a practical option at this point. Offline access is important to a large percentage of customers, and is a core part of how 1Password functions. Downloading the entire dataset from the server every unlock would be a huge increase in resource utilization, and would prevent some people from using 1Password at all (due to data caps etc.).

    I would be curious what protection this actually provides you with the other services, as I doubt they are downloading the full dataset from the server each time you unlock and then deleting it when you lock. As such: what happens if someone is able to gain access to a copy of the encrypted data (e.g. by stealing one of your devices)? I can't envision a way in which 2FA protects you there.

    I'm sorry I don't have the answer you were hoping for, but at least for now, the answer is 'no.' That said, it isn't without good reason. I would put forward that doing so would either be 'security theater,' or require the aforementioned restrictions, which are impractical.

    Ben

  • exatty
    Community Member

    Thanks, Ben. I very much appreciate the promptness and thoughtfulness of your response. It is a very considered position and I respect it.

    I have a question by way of curiosity and not of challenge. Someone who steals my laptop or cell phone could conceivably, through brute force attack or other method, guess my password (very unlikely) and have full access to all of my passwords. Perhaps I'm being naïve, but why wouldn't requiring an additional authentication (a Yubikey, Titan, authenticator program) before access is granted just make it even more unlikely that someone with access to my laptop or cell phone could get my passwords? I think some of your competitors do that and then sync the user's various devices and browser-based access when the respective devices are online. That might just be marketing fluff that it's no real protection -- I accept that. But on the surface it seems safer to have an additional layer requiring a one-time password before access is granted.

    Thanks again for your response. I am enjoying my trial of 1PW and will probably make it my go-to method of password protection. I work in a non-technical part of the broad cybersecurity universe, so I do take this stuff seriously.

    Best regards.

  • @exatty

    I have a question by way of curiosity and not of challenge. Someone who steals my laptop or cell phone could conceivably, through brute force attack or other method, guess my password (very unlikely) and have full access to all of my passwords.

    Yes: absolutely true. Your Master Password is what protects you against attacks on the encrypted data that is stored on your device. If someone is able to get ahold of one of your devices and crack your Master Password that would indeed be a bad day. This is why we encourage everyone to choose a strong Master Password, regardless of what other protections they may take advantage of:

    How to choose a good Master Password

    Perhaps I'm being naïve, but why wouldn't requiring an additional authentication (a Yubikey, Titan, authenticator program) before access is granted just make it even more unlikely that someone with access to my laptop or cell phone could get my passwords?

    I think we have to talk about what 2FA actually is in order to explain this, but no: it would not; not without eliminating the encrypted data from your device each time you lock. Let's start from the beginning. 2FA is "two-factor authentication" (or perhaps more descriptively "second factor authentication" or "second step authentication"). Authentication is a process by which you prove to a system that you are allowed access by providing some verifiable secret. Traditionally this was done with just a password: if you had the password, you could prove you were who you said you were, and the system would give you access. We have a handy little graphic to explain this:

    2FA adds another step to this process: instead of simply saying who you are and providing a password, you also need to provide either a hardware token or time-based code that can only be generated if you know a second secret. The fundamentals haven't changed though, it is still authentication.

    The system that is doing this authentication is the server. You need to authenticate with the server in order to download your data from it. But that isn't the problem we're faced with here. In this scenario an attacker is bypassing talking to the server entirely. They already have the encrypted data from the server because it is on your device, and they now have your device. They can disconnect your device from the internet and work on the data directly, without the server ever even knowing. This bypasses authentication completely. That's why the data is encrypted using your Master Password: so that an attacker who can steal a device cannot access your passwords. They'd need your Master Password in order to decrypt the data.

    I think some of your competitors do that and then sync the user's various devices and browser-based access when the respective devices are online. That might just be marketing fluff that it's no real protection -- I accept that.

    To be fair I don't keep close enough track of what they are doing to be able to say for sure if this is just fluff or if there is any real merit to it. But as I say, I haven't been able to imagine a scenario where it is actually providing substantial benefit compared to what we're doing.

    But on the surface it seems safer [...]

    That is essentially the definition of security theater - something put in place to give the appearance of security, with no real security benefit.

    We tend to be fairly opposed to such measures.

    Thanks again for your response. I am enjoying my trial of 1PW and will probably make it my go-to method of password protection. I work in a non-technical part of the broad cybersecurity universe, so I do take this stuff seriously.

    Thanks, Ben. I very much appreciate the promptness and thoughtfulness of your response. It is a very considered position and I respect it.

    Thanks for the kind words. :) Happy to help if there are any further questions.

    Ben
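The argument in Ben's reply (the second factor is checked by whoever does the authentication, while the data on the device is protected only by the key derived from the Master Password) can be made concrete with a small model. The following is an added example, not 1Password's code or anything from the thread: a toy vault whose key comes from PBKDF2 over the Master Password, a lock screen that also demands a TOTP code, and an attacker who has the device and therefore never calls the lock screen at all. The cipher (HMAC-SHA256 in counter mode plus an HMAC tag), the iteration count and the sample passwords are all constructed for illustration and stand in for whatever a real product uses.

```python
"""Toy offline vault: why a TOTP check at unlock time does not protect the
encrypted data from someone who holds a copy of it.

Added example; the cipher, KDF parameters and sample data are constructed
for illustration and are not any product's real scheme."""
import hashlib
import hmac
import os
import struct

KDF_ITERATIONS = 50_000  # assumed value; real products tune this much higher


def derive_key(master_password: str, salt: bytes) -> bytes:
    """The only thing standing between an attacker with the blob and the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               KDF_ITERATIONS, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from the one KDF output.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode stream built from HMAC-SHA256 (stand-in for AES-GCM etc.).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(master_password: str, plaintext: bytes) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt_vault(master_password: str, vault: dict):
    """Returns the plaintext, or None if the password does not produce the right key."""
    key = derive_key(master_password, vault["salt"])
    expected = hmac.new(_subkey(key, b"mac"), vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    stream = _keystream(_subkey(key, b"enc"), vault["nonce"], len(vault["ct"]))
    return bytes(a ^ b for a, b in zip(vault["ct"], stream))


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), as an authenticator app would compute it."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def unlock_with_2fa(vault: dict, totp_secret: bytes, master_password: str, code: str, now: int):
    """The requested design: the app refuses to decrypt unless the TOTP code matches.

    Note that the TOTP secret must live on the device for this check to run offline,
    so an attacker holding the device has it too; but they do not even need it."""
    if not hmac.compare_digest(code, totp(totp_secret, now)):
        return None
    return decrypt_vault(master_password, vault)


def offline_attack(vault: dict, candidates):
    """Attacker with a stolen device: read the blob, skip the lock screen, guess passwords."""
    for pw in candidates:
        pt = decrypt_vault(pw, vault)
        if pt is not None:
            return pw, pt
    return None


if __name__ == "__main__":
    secrets = b"site: example.com user: alice pass: hunter2"  # constructed sample
    weak = encrypt_vault("password1", secrets)
    strong = encrypt_vault("correct horse battery staple", secrets)
    wordlist = ["123456", "password", "password1", "qwerty"]  # constructed sample
    print("weak vault, 2FA never consulted:", offline_attack(weak, wordlist))
    print("strong vault, same attack:", offline_attack(strong, wordlist))
```

The second factor in `unlock_with_2fa` gates only the code path of the app; the key that actually decrypts `vault["ct"]` depends on nothing but the Master Password and the salt stored beside the ciphertext. `offline_attack` never calls `unlock_with_2fa`, which is why the strength of the Master Password (and the KDF cost) is what decides the outcome, exactly as the reply above argues. A second factor changes this picture only if it contributes key material that is not on the device, which is the "download everything from the server on each unlock" model the thread describes.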

This discussion has been closed.