Can use 1Password without having to enter two factor Key with YubiKey
I have a Yubikey 5 NFC that I have configured with turning on 2 Factor authentication with 1Password account. On my phone it only ask once for the two factor in order to access. On my mac desktop it is asking for it, however, opens anyways with full use. So it appears although 2 factor is enabled plus setup that it simply isn't forcing 2 Factor before giving access to 1Password which renders 2 Factor useless.
1Password Version: 7.6
Extension Version: Not Provided
OS Version: OS Cataliina 10.15.6
Sync Type: iCloud
Comments
-
Clarify on iPhone it asked only once, and from then on it never asked again. Mac it ask for it, but I simply can move the two-factor request screen to the side, and use 1Password as if it didn't require the authentification.
0 -
Hi @mshepard75
I can appreciate the concern, however it sounds as though this is working as designed. Please allow me to explain. 2FA serves a different role with 1Password than it does with traditional authentication based services, because 1Password's security is encryption based.
Authentication and encryption in the 1Password security model
The function of 2FA with 1Password membership accounts is to help protect the device authorization process. Once a device is authorized 2FA is no longer required, unless the device is subsequently deauthorized through the web app, or the browser/app's locally cached copy of the secret is cleared. Essentially 2FA helps prevent a replay attack from authorizing a device. It is not designed to help in the case that someone has access to one of your authorized devices. As such 2FA does not prevent you from accessing locally cached data (e.g. while your device is offline). This is what you're seeing when you say "Mac it ask for it, but I simply can move the two-factor request screen to the side, and use 1Password as if it didn't require the authentification." — You're accessing the offline cache. Without authenticating with 2FA you're not able to download changes from the server, but you can access what has already been downloaded.
Changing this so as to require the 2FA authentication to happen on every unlock would require giving up offline access, which is one of the core functions of 1Password and part of our foundational design. And then there is some question as to the actual protection that these sorts of change would provide compared with the perception of protection, i.e. "security theater."
The Security Key is your best protection against someone who doesn't have access to one of your devices, and your Master Password is your best protection against someone who does.
I hope that helps. Should you have any other questions or concerns, please feel free to ask.
Ben
0