2FA not working as intended! [2FA secret isn't saved locally (yet)]

haplo
edited September 1 in Linux Beta

I am currently using the Linux Preview on Ubuntu 20.04 LTS with the Suckless DWM tiling Window manager. Whenever I launch 1password, it launches, asks me to enter my secret, and then a few seconds later, another window pops up asking for my 2FA code (I mentioned my WM in case the fact that it is tiling and opens the window next to the original window has any bearing...I don't have a non-tiling WM setup right now to test normal behaviour). I have found that I can use 1password to view all my information and reveal passwords without entering my 2FA, and I can even close the 2FA window without closing it and still access my secrets!


1Password Version: 0.8.0-22506
Extension Version: Not Provided
OS Version: Ubuntu 20.04 LTS
Sync Type: Not Provided

Comments

  • Typo! " I can even close the 2FA window without closing" was supposed to read "I can even close the 2FA window with entering anything"

  • In my haste to get the bug I'm seeing entered, I neglected a very important thing! Thank you so much for working on a native Linux client! I am very happy to see this, and quite excited at the prospects! I use 1password X browser extension to great effect, but am very glad to see the first class client option becoming a reality.

    As I type this and mention the browser extension, it made me realize that while I would not think being logged into the extension would affect the native client, it is logged in and working when I see this issue. Just another data point.

  • bundtkate

    Team Member

    Thanks for bringing this up, @haplo, and my apologies for the alarm. This actually is working as intended, but it's definitely very different from how 2FA works for other apps and services so you're not the first to be thrown off and I'm sure won't be the last. I'll explain the whys and wherefores behind this and hopefully that will set your mind at ease, but if you have any lingering questions at all, don't hesitate to ask.

    So the short reason this is the case is because 1Password isn't online-only. When you first sign in to your 1Password account on any device, you have to fully authenticate before your app can sync down your data. That means you need to provide your email, sign-in address, Secret Key, Master Password, and (if enabled at the time) 2FA. After you've done this once, your encrypted data is synced down to your device and available offline. From that point forward most of what you do in 1Password happens locally right on your device and there is no server to authenticate with so 2FA doesn't genuinely provide any additional protection.

    2FA is designed to protect authentication, not encryption. It's an extra step sites and services ask you to do before providing you access to remote data. With 1Password, your encrypted data is already available locally and that encryption is your protection against unauthorized access. Could we still ask for 2FA? Sure, but because your data is already on your device, it won't do anything more to protect that data. Plus, we feel it could actually cause some harm because the perception that 2FA provides additional protection across the board might lead folks to use a weaker Master Password. Using a strong Master Password is the absolute best thing you can do to keep your data safe so we don't want to do anything that might discourage folks from making that a focus.

    Now, your particular experience is a bit trickier because it sounds like you enabled 2FA after you first signed in with this device. This puts you in a state where you're still able to unlock the data you already have, but new data will not sync in or out because your device isn't authenticated. You need to complete 2FA before changes will sync. You can think of this like being in offline mode. 2FA is still protecting you here because it has isolated this device to only having access to the data it already had before, but because 2FA isn't and can't be part of the encryption key that protects your data locally, you're still able to unlock your app. If you were an attacker attempting to authenticate a new device with no local data, of course, you'd be unable to gain access to any data without 2FA.

    2FA is a really great defense against someone with your account credentials (but not your 2FA device) gaining access to remotely stored data. This means 2FA still protects your 1Password data in a very important way. But, it can't protect you when an attacker is attempting to unlock data they've already accessed. If they have access to your device – the only place they'd be accessing your app with data present – 2FA isn't going to help. We wanted to reflect this reality in how 1Password functions. Encryption and authentication are tough concepts. I don't think I even have a perfect understanding of them despite getting to work with some insanely smart security people every day. By reflecting the reality of what 2FA prevents and what it doesn't in the user experience, rather than relying on documenting that distinction, our hope is that customers will be better able to understand exactly what attack scenarios it protects from and make better security decisions as a result. :chuffed:

  • That makes perfect sense, and matches right up with my understanding of 2FA. I have always used 1password from Linux, and got used to having the 2FA only when adding a new device, then not seeing it again very often since I was typically doing things in the browser. That caused me to forget that the Linux client had synced locally, and that it was prompting me for accessing the remote data to sync.

    I have had 2FA on my account for quite some time, and in this case, I had entered it the first few times thus allowing it to sync. It just threw me off seeing I could get to stuff without it.

    Thank you for the response, it makes perfect sense!

  • bundtkate

    Team Member

    It's no trouble at all, @haplo! And my apologies for neglecting that known issue in the Linux desktop app. It is currently prompting for 2FA on every unlock (even though it shouldn't) so I was wrong in my guess as to why you were seeing it. I'm normally a Windows gal so my head is full of Windows issues and hasn't quite absorbed the Linux troubles yet. I guess that means technically you were right that it's not yet working fully as intended. :wink: Anyway, data showing is expected, but those numerous prompts aren't. I can certainly see how that would make things all the more confusing. Sorry about that. I'm glad you were able to make sense of things despite my oversight. :chuffed:

  • @bundtkate No worries at all! I'm impressed with the speed of your response, as well as the depth! You answered my primary question, which was "should I be seeing my data even when not entering my 2FA?" right off the bat, and cleared up that seeing the 2FA prompt so often is not expected (but easy to deal with!). Even better that as a self proclaimed "Windows gal", you were happy to jump in on a Linux question! I love it when people jump on problems regardless of what they view as their primary strengths! Learning and absorbing new things is the best! \o/

  • bundtkate

    Team Member

    Aw, you're too kind, @haplo. I always enjoy stretching my limits a bit and even went so far as to install Linux Mint on my family's old media PC a year or so back. It didn't work out for me and I've since learned NVidia drivers were probably the cause of my struggles, but it was an interesting adventure all the same. I hope our forging on deeper into Linux-land will give me all the more opportunities to dabble and who knows? Maybe I'll be one of y'all before I know it. :wink:

    Thanks again for your kind words and your efforts testing out the Linux preview! Y'all are the real MVPs here and we are nothing short of thrilled to see you putting 1Password for Linux through its paces. I hope it continues to delight and whenever it doesn't, well, we'll be here. :chuffed:

  • Mitch

    Team Member

    It didn't work out for me and I've since learned NVidia drivers were probably the cause of my struggles

    @bundtkate: You should try Pop!_OS. :chuffed:

  • Sounds like this is a known issue, but I thought I'd add my 2c: I'm also using Ubuntu 20.04, but with GNOME. The 2FA window popped up after entering my password, but it really didn't have any effect. The vault was opened by the time I entered my password and I could access anything. I could simply ignore the 2FA window and focus on the main 1pw window (it even went to the background). After closing the 1pw window, the 2FA window remained open. I entered "asdasd" into the field and clicked submit. There was no effect, apart from closing the 2FA window.

  • Mitch

    Team Member

    Hey @tamas12,

    We can do a much better job of presenting this information in the app, but 2FA is working as intended in the scenario you described.

    2FA protects your account from signing in and syncing. It doesn't prevent you from unlocking the app and seeing the data you already have, offline, on your computer.

    Kate did a great job above of explaining why the feature works this way.

  • Thanks for the answer @Mitch. Indeed that's a good summary, and now I understand the distinction between authentication and encryption. However, I still don't think this is working as intended, and not only on the presentation level.

    • I didn't just add 2FA to my account but I had previously authenticated this device (this repeated 2FA challenge seems to be the known issue described here)
    • Entering "asdasd" as the answer to the 2FA challenge (repeated or not) should have an effect other than closing the window.

    After I entered "asdasd" I don't even know what happened. Did it sync? (I hope not). I think the desired effect would be an error that tells the user that the 2FA failed and a prompt to try again.

  • MikeT Agile Samurai

    Team Member
    edited August 12

    Hi @tamas12,

    Thanks for taking the time to write that.

    That is currently expected for the current developer preview builds of 1Password on Linux. To put it shortly, there's no full error handling nor storage of 2FA authenticated tokens implemented yet.

    So, if you enter an incorrect 2FA code, it doesn't tell you anything, it just goes and tries it. If it is incorrect, it won't sync and will not retry until you try to sync again (you can do that by pressing the Alt key and going to the Account Menu > Sync Now). 1Password currently can't let you know if it cannot sync as it doesn't have that UX implemented yet.

    And since there is no on-device storage for the 2FA token, what 1Password currently does is keep it in memory until the application terminates, which will result in it asking for a new 2FA code next time you start the app.

    This will be improved over time as we continue to build up the app and share our work with you at the same time.
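As an added illustration of the model bundtkate lays out above (the vault key is derived locally from the Master Password and Secret Key, so 2FA gates sign-in and sync but not unlocking) and of the preview-build behaviour MikeT describes (the 2FA token lives only in memory, and a wrong code produces no visible error), here is a toy Python model. It is not 1Password's code and does not reproduce its real protocol or cipher: the server, device, salt, credentials and vault contents are constructed for the demo, the TOTP secret is the RFC 6238 test-vector secret, and the only standard piece is the HOTP/TOTP algorithm itself.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 4226 HOTP / RFC 6238 TOTP (SHA-1, 6 digits): the standard algorithm authenticator apps use.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    # Tolerate `window` steps of clock drift either side; constant-time compare per candidate.
    return any(hmac.compare_digest(hotp(secret, (now + d * step) // step), code)
               for d in range(-window, window + 1))

# Toy local encryption that makes one thing visible: the vault key derives from the Master Password
# and Secret Key only, so 2FA cannot be part of it. XOR with a SHAKE keystream plus an HMAC tag is a
# teaching stand-in for a real AEAD, not a cipher to reuse.
def vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", (secret_key + master_password).encode(), salt, 20_000)

def seal(key: bytes, plaintext: bytes):
    stream = hashlib.shake_256(key).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return ct, hmac.new(key, ct, hashlib.sha256).digest()

def open_sealed(key: bytes, ct: bytes, tag: bytes):
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None  # wrong Master Password or Secret Key
    return bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key).digest(len(ct))))

class AccountServer:
    # Holds only the encrypted blob plus a credential verifier, and issues session tokens.
    def __init__(self, master_password: str, secret_key: str, vault_plaintext: bytes):
        self.salt = b"constructed-salt"
        key = vault_key(master_password, secret_key, self.salt)
        self.blob = seal(key, vault_plaintext)
        self.verifier = hashlib.sha256(b"login:" + key).digest()  # toy stand-in for the real login protocol
        self.totp_secret, self.sessions = None, set()

    def enable_2fa(self, totp_secret: bytes) -> None:
        self.totp_secret = totp_secret
        self.sessions.clear()  # devices that synced earlier must re-authenticate before syncing again

    def sign_in(self, master_password: str, secret_key: str, code, now: int):
        key = vault_key(master_password, secret_key, self.salt)
        if not hmac.compare_digest(hashlib.sha256(b"login:" + key).digest(), self.verifier):
            return "bad_credentials", None
        if self.totp_secret is not None:
            if code is None:
                return "totp_required", None
            if not verify_totp(self.totp_secret, code, now):
                return "bad_totp", None  # an explicit outcome the UI can show, not a silent drop
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return "ok", token

    def fetch_vault(self, token):
        return self.blob if token in self.sessions else None

class Device:
    def __init__(self):
        self.blob = self.salt = None  # encrypted vault cached on disk after the first successful sign-in
        self.token = None             # kept in memory only (as in the preview build), so lost on restart

    def sign_in(self, server, pw: str, sk: str, code, now: int) -> str:
        status, token = server.sign_in(pw, sk, code, now)
        if status == "ok":
            self.token, self.salt, self.blob = token, server.salt, server.fetch_vault(token)
        return status

    def unlock(self, pw: str, sk: str):
        # Purely local: no server round trip and no 2FA; needs a cached blob and the right key.
        return None if self.blob is None else open_sealed(vault_key(pw, sk, self.salt), *self.blob)

    def sync(self, server) -> str:
        blob = server.fetch_vault(self.token)
        if blob is None:
            return "not_authenticated"  # must complete 2FA (sign in again) before changes sync
        self.blob = blob
        return "synced"

RFC_SECRET = b"12345678901234567890"  # the RFC 6238 test-vector secret, used as constructed data here

def walkthrough() -> dict:
    pw, sk = "correct horse battery staple", "A3-CONSTRUCTED-SECRET-KEY"
    server, dev, out = AccountServer(pw, sk, b"example.org / hunter2"), Device(), {}
    out["first_sign_in"] = dev.sign_in(server, pw, sk, None, now=59)          # "ok": 2FA not enabled yet
    out["unlock_after_sync"] = dev.unlock(pw, sk)                              # the plaintext
    server.enable_2fa(RFC_SECRET)                                              # enabled after this device synced
    out["sync_after_2fa_enabled"] = dev.sync(server)                           # "not_authenticated"
    out["unlock_still_works"] = dev.unlock(pw, sk) is not None                 # True: local decryption never needed 2FA
    out["reauth_wrong_code"] = dev.sign_in(server, pw, sk, "000000", now=59)   # "bad_totp"
    out["reauth_right_code"] = dev.sign_in(server, pw, sk, "287082", now=59)   # "ok"
    dev.token = None                                                           # app restarted: memory-only token gone
    out["sync_after_restart"] = dev.sync(server)                               # "not_authenticated"
    out["new_device_no_code"] = Device().sign_in(server, pw, sk, None, now=59) # "totp_required"
    return out
```

Run `walkthrough()` to step through the thread's scenario: a device that synced before 2FA was enabled keeps unlocking with the Master Password alone, cannot sync until it completes 2FA, loses its memory-only token on restart, and a brand-new device with nothing cached gets no data at all without a valid code. The server's `sign_in` returns a distinct status for a wrong code, which is the behaviour a client needs in order to show the user an error and a retry prompt instead of silently dropping the attempt.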

  • Thanks, looking forward to that! It's pretty useful already to have the Linux client as it is, so big thanks to the 1pw team for focusing on Linux!

  • MikeT Agile Samurai

    Team Member

    On behalf of the team, you're welcome but stay tuned. We have so much planned for this and are very excited to show it off.

  • Hey @tamas12, I wanted to give you an update: we've just finished work on a 2FA token storage mechanism, and it should be out in the next release. This means you won't have to re-do 2FA when syncing or unlocking. Thank you for your feedback on this issue!

  • Thanks @Jackson_Lewis! Looking forward to the next release.

  • MikeT Agile Samurai

    Team Member

    On behalf of the team, you're welcome.

  • MikeT Agile Samurai

    Team Member

    @tamas12, just an update on this: we caught an issue during our testing and had to remove the support for the 2FA token storage in the next update.

    🤞Hopefully, it won't be too long of a wait.
