I don't understand why anyone would use 1PW for 2FA....prove me wrong.
Help me understand this. 2FA is by definition the provision of a second factor/token to authenticate an account -- the first factor being username/password. If I use 1PW to store my username/password, then why would I want to use it also to provide my 2FA? If someone already has my username and password, it is highly likely that they have access to my 1PW account. And if they have access to my 1PW account, then they can see not only my username and password but my 2FA one-time passwords too.
In other words, I cannot see how using the same password password manager for username/password PLUS 2FA, is adding any security to the account. Sure, it may be more convenient than using a 3rd party authenticator such as Authy, but does it actually add any security? If I was planning to use 1PW for 2FA I might consider instead using simple SMS for 2FA. At least in that case, the source for my second factor isn't the same as the source for my first factor.
Perhaps I'm missing something - and I would love to be proved wrong. Do my arguments have merit or not?
Thanks.
1Password Version: 7.5
Extension Version: Not Provided
OS Version: 10.15.5
Sync Type: Not Provided
Referrer: forum-search:2FA
Comments
-
If someone already has my username and password, it is highly likely that they have access to my 1PW account.
I think the issue is that you are confusing the details for a single site with the details for 1PW itself.
If someone has your username and master password for 1PW, then they might have access to the 1PW account. Even so, if they don't have actual access to your computer, then your data is further protected by the Secret Key, and probably they could not decrypt your password database.
But much more likely is that some data breach has revealed the username and password for an individual site, without compromising 1PW itself. In that case, 2FA for the site within 1PW is still safe.
2FA within 1PW is more convenient than using Authy or another authenticator. That would not be valuable if it reduced security, but as I said above I don't think it does.
0 -
Hi @markgr!
If I was planning to use 1PW for 2FA I might consider instead using simple SMS for 2FA.
Please do not use SMS for 2FA: it has been proven that it is not secure, and it is actively discouraged. More and more sites are moving away from SMS and towards more secure systems for this.
In addition to what danco wrote, which brought up a good example, this is a decision that only you can make. Generally speaking, it's better to have 2FA enabled for your accounts than to not have it enabled at all, even if this means storing the codes inside 1Password itself. But only you can make the decision on whether this is acceptable for you or not.
We also wrote about this on our blog some time ago. I am quoting this part:
We need to make the distinction between one time passwords and second factor security. One time passwords are often part of second factor security systems, but using one time passwords doesn’t automatically give you second factor security. Indeed, when you store your TOTP secret in the same place that you keep your password for a site, you do not have second factor security.
However, you still have the benefits of the one-timeness of TOTP codes.
The article then goes on in more detail about this, so I recommend reading the post in full as I think it can answer your questions :+1:
0 -
Thank you @danco and @ag_ana for your comments. And thank you, @aga_ana, in particular for sending me to the piece on your blog.
It actually reinforces my view. Here is an excerpt:
"If you would like to turn a site’s offering of TOTP into true two-factor security, you should not store your TOTP secret in 1Password (or in anything that will synchronize across systems). Furthermore, you should not use the regular password for the site on the same device that holds your TOTP secret.
Put simply: the device that holds your TOTP secret should never hold your password if your aim is genuine two factor security."
@danco, I agree with your point that the more likely threat is not someone taking over my 1PW account but rather a data breach on an individual site that exposes my username/password. As such, having the TOTP in 1PW is as secure as in say Authy, with an added benefit of convenience. But "more likely" is the operative term here. I would rather insulate against the threat altogether, if possible. And using a true 2FA outside of 1PW is the best way to do it. Actually, using a Yubikey is even better but I'm not quite there yet...
0 -
You are welcome! I am glad I could help :)
I would rather insulate against the threat altogether, if possible. And using a true 2FA outside of 1PW is the best way to do it.
Indeed, this is certainly an option: this is why I mentioned in my previous post that this is something that only you can decide, based on your assessment :+1:
0 -
This is a pretty interesting question that I myself have thought about.
I suppose it comes down to whether one hopes for account security even if one's 1Password vault were to be breached. In that case, you shouldn't store TOTP's in 1Password, and should use a secondary app.
On the other hand, if you operate from the assumption that 1Password needs to be, and is, an unbreachable firewall, then there should be no additional risk of storing TOTP's in 1Password, and it adds considerable convenience to do so.
I don't see any additional security risk outside of the scenario where one's 1Password vault is breached; the risk assessment hinges on that.
0 -
I would agree with that assertion @IvanExpert. :+1:
Ben
0 -
I use it as a backup for Authy.
0 -
Not a bad idea, @pmcarrion. Thanks for sharing. :)
Ben
0