Thoughts on 2fa 1Password v. Authy or other?

I'm leaning toward using 1Password as the authenticator and I stumbled upon an article this morning that had a good argument for 1P as an authenticator. Although since I had to search for this I'm wondering if this is like looking around for a doctor that will tell you what you want to hear :)

Here are the 2 sides of the argument-

from the 1P support page:

  • Although 1Password can be used to store one-time passwords for other services where you use two-factor authentication, it’s important to use a different authenticator app to store the authentication codes for your 1Password account. Storing them in 1Password would be like putting the key to a safe inside of the safe itself.

from the article:

  • “Guess where I kept all of my Emergency Recovery Codes? If you said “Inside 1Password” you’re correct! So, if anyone had been able to compromise my 1Password database, they would have been able to defeat my 2FA protections. So, to me, it seems like I am not giving up any significant security advantage that the old system might have had, but I am getting more convenience from the new system.”

https://www.macstories.net/tutorials/switching-from-google-authenticator-or-authy-to-1password/

I assume that most people are storing backup codes within 1P, does this limit the advantage of a 3rd party authenticator? Any other dis/advantages that I should contemplate?

A minor bit - from the 1P page on using 1P as an authenticator, step #4, saving the QR code within the Mac app:
"Drag the QR code from the website to the scanner window. If you can’t drag the QR code, most sites will give you a string of characters you can copy and paste instead." https://support.1password.com/one-time-passwords/

On my Mac the 1P scanner window was moveable and placed over the QR code.

Also, when getting a QR code on a website, I am given the choice of indicating whether I use an Android or iOS phone. Does this make a difference to 1P as to which I choose? Is the QR code different?

thanks again,


1Password Version: 7.5
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Thoughts on 2fa 1Password or Authy or other?

Comments

  • ag_yaron

    Team Member
    edited May 27

    Hey @J_schwinn !

    There are a lot of questions and things to address here, so get ready for a long reply :chuffed:
    First, I'd like to point out that I've used Google's authenticator in the past, then moved to Authy for convenience, and eventually moved completely to 1Password because it is just so much simpler having 1Password autofilling your login credentials AND your 2FA code automatically. It is literally a breeze.

    If you use another 3rd party authenticator, then your workflow would look like this:
    1. Get to a login page.
    2. Go to 1Password to autofill your username and password.
    3. Launch your authenticator app and get a one-time passcode, then type it in manually or copy-paste it into the website. <- This step here is very cumbersome, especially if you're on a mobile phone and have to switch between apps and the browser to get this done.
    With 1Password as an authenticator, you only have steps 1 and 2, which is so much faster.

    As for this part here:

    from the 1P support page:
    • Although 1Password can be used to store one-time passwords for other services where you use two-factor authentication, it’s important to use a different authenticator app to store the authentication codes for your 1Password account. Storing them in 1Password would be like putting the key to a safe inside of the safe itself.

    This means that you should NOT store your 1Password account's 2FA in 1Password, because you won't be able to generate a code if you're locked out of your 1Password apps. This is literally, as written in the quote, locking your safe with your key inside the safe. You need to put the key (2FA code) in a different place (another authenticator app). That is the only thing I still use Authy for - to have my 1Password.com account's 2FA on it. Everything else is stored in my 1Password.

    from the article:
    • “Guess where I kept all of my Emergency Recovery Codes? If you said “Inside 1Password” you’re correct! So, if anyone had been able to compromise my 1Password database, they would have been able to defeat my 2FA protections. So, to me, it seems like I am not giving up any significant security advantage that the old system might have had, but I am getting more convenience from the new system.”

    Your 1Password database on our servers is secured and encrypted using your Master Password and Secret Key, which makes it virtually impossible to crack with current technology, so that takes the possibility of having your data stolen from our servers and used against you off the table. The only other methods of a breach to your database are if a malicious 3rd party has remote/direct access to your phone/computer while 1Password is unlocked, in which case, nothing can help, even if you use a 3rd party Authenticator, as they'll gain access to that as well (they've already accessed your device and your other authenticator is also there). So what's the difference? If you keep your devices secure and stay vigilant to threats, the only factor here is convenience, and it is a pretty big factor here.

    • I assume that most people are storing backup codes within 1P, does this limit the advantage of a 3rd party authenticator? Any other dis/advantages that I should contemplate?

    If you store backup codes in 1Password, that makes your other authenticator useless because if you experience a breach, the malicious party can use the security code to log into your account and bypass the authenticator, so there's really no use in using a 3rd party authenticator if the backup codes are in 1Password. Backup codes allow you to log into your account without the authenticator.

    Any other advantages/disadvantages are as I discussed above.

    • A minor bit - from the 1P page on using 1P as an authenticator, step #4, saving the QR code within the Mac app:
      "Drag the QR code from the website to the scanner window. If you can’t drag the QR code, most sites will give you a string of characters you can copy and paste instead." https://support.1password.com/one-time-passwords/

    • On my Mac the 1P scanner window was moveable and placed over the QR code.

    Not all app versions can drag the scanner over the QR code (the Mac App Store version can't if I recall correctly), so dragging the QR code image into the scanner is the best option. If you drag the scanner over the QR code and it works - great :)

    • Also, when getting a QR code on a website, I am given the choice of indicating whether I use an Android or iOS phone. Does this make a difference to 1P as to which I choose? Is the QR code different?

    I'm not sure why the website offers different QR codes for different platforms. The QR code should remain the same regardless of operating system, so it doesn't matter which one you pick.

    I hope that answers it all :chuffed:

  • Thanks Yaron!

    Clearly I'm new to the authenticator world :)

    Yes, I was confusing the use of an authenticator for the 1Password account and using an authenticator within 1Password for stored logins. Thanks for the clarification.

    I wish there was another option within the 1Password ecosystem, other than using a 3rd party authenticator to log in to 1Password, but I do see the advantage:

    Master Password+Secret Key+2factor

    So.... my question which can't be answered and a decision I will likely need to make is how important is the additional layer of 2factor when accessing the 1P account? 1P makes everything very easy and adding the 2factor for my situation and setup would remove some of that ease, and adds a little concern about future complications with yet another provider to rely upon access to the database.

    • Not all app versions can drag the scanner over the QR code (the Mac App Store version can't if I recall correctly),

    That's likely the case, I am using the 1Password Store Mac app (v7.5 - 70500003)

    thanks again,

  • ag_yaron

    Team Member

    I'm glad I was able to clarify things for you, @J_schwinn :chuffed:

    If you're going to use 2FA on your 1Password.com account, it's not going to be cumbersome, since you will only need to apply the 2FA once for each 1Password app you sign into (e.g. the Mac app and the iPhone app). You will not be asked to input the one-time-code every time you open the apps. You will, however, have to input the one-time-code every time you want to log into your account at 1Password.com, and whenever you're installing 1Password on a new device.

    Adding 2FA is great if you fear someone might somehow get their hands on your email, Master Password and Secret Key (which is not that likely if you're aware of security threats and how to stay vigilant), but personally, I feel like 2FA on an individual 1Password account might be a bit of an overkill for the average user. I know some users only use 2FA on their work/business account but leave their personal account without 2FA, so it is completely up to you. You can never be too safe, but convenience is also a factor to consider.

  • I suggest using both a mobile authenticator app and 1Password for OTP tokens. Both use the same QR codes / 2FA codes. Also, for documents, store them in encrypted folders instead of 1Password. I am not a Mac user, but I am using Windows 10. I have BitLocker active, encrypted all drives with AES 256-bit XTS, and saved my documents in my OneDrive folder, plus I have a physical TPM chip too.

  • ag_ana

    Team Member

    Thank you for the suggestions @Naxterra :+1::)
