1Password for Linux 2FA FAQ

ag_Christian

Team Member
edited September 2020 in Linux Beta

Keychain issues

In order for us to store your two-factor authentication token, we need to access the system keychain. On Gnome, this is Gnome Keyring and on KDE, this is KWallet. Since different Linux distributions vary in their desktop environments, there may be cases where 1Password can’t access this system keychain. For example, if you have your account set to log in with biometrics, Gnome Keyring will not automatically unlock your system keychain.

If 1Password tries to interact with the system keychain and finds that it is locked, a system prompt will appear, asking you to unlock the keychain. If you dismiss the prompt, 1Password will only be able to hold onto the 2FA token until the app locks.

If your keychain service isn’t running or has problems, 1Password will fall back to a prompt for 2FA. If you find this happening to you, double check that you have a keychain service installed, and the keychain service is running.

If you have multiple accounts with the same password, 1Password will try to unlock both of them. If both of these accounts have 2FA enabled, and if the keychain isn’t currently available or unlocked, then TOTP prompts for both accounts will appear side by side. Our designs do not yet show which account each prompt is for, so the application can get stuck with a 2FA prompt that cannot be closed. To avoid this, please make sure the system keychain is already unlocked, or unlock it when first prompted to do so after unlocking your account(s).

If you run into any issues around 2FA, please leave a comment on this post so we can help out, or contact support.

Snap Issues / Extra setup:

In order for 1Password to store an account's 2FA token when installed via Snap, an extra permission must be enabled first. This permission allows 1Password for Linux to access the desktop environment’s keychain (Gnome Keyring and KWallet, for example). A reboot may be required after enabling the permission. To do this, please follow the steps below:

Step 1. Open the Snap store and search for 1Password

Step 2. Click on the Permissions button

Step 3. Enable the “Read, add, change, or remove saved passwords” permission. 1Password only interacts with the 2FA tokens that we store in the keychain.

Comments

  • Hi there,
    I am trying out 1Password beta on openSUSE Tumbleweed with KDE (5.20.5), and I cannot get 2FA to work properly - it seems that 1Password is not registering with KWallet, as it does not appear in the list of authorized/connected applications.

    Using the Snap version, even with the password-manager-service permission enabled, 1Password keeps asking for 2FA codes after each restart.

    Using the AppImage version, 1Password rejects all 2FA codes and login is not possible.

    I'm happy to provide additional information if needed. Thanks in advance :-)

  • Dayton_ag

    Team Member

    Hey there @starfox, welcome to the 1Password Community! :smile:

    Thanks so much for writing in with this error - we're able to reproduce it on our end and are digging into it now. We'll make sure to update the thread with our findings. :+1:

  • Thanks for the reply @Dayton_ag !
    I have been encountering the same issue with another snap (standard-notes) and it seems to be a common one for KDE/KWallet users. I have started a thread on the snapcraft forum, feel free to comment and relay your findings over there as well :-)

  • Dayton_ag

    Team Member

    @starfox Not a problem! Thanks so much for the additional information, it's very helpful. :smile:

  • ag_Christian

    Team Member

    Hi, @starfox,

    Thank you again for letting us know that KWallet wasn't working as intended. The ability to use KWallet in pure KDE environments should now be available and fixed in the latest release, 0.9.10. Please let us know if you run into any new issues or if something still isn't working as intended :smile:

  • I’m on 8.0.30 and can’t figure out how to connect 1Password with KWallet. Is there a tutorial how to do that?

  • Dayton_ag

    Team Member

    Hey there @matija_suklje, welcome to the 1Password Support Community! 🎉

    No problem, I can definitely help out there! When you've entered your two-factor authentication code, 1Password should automatically call KWallet to create a new wallet to store that 2FA token. Once KWallet opens, create a new wallet (you'll be asked to choose between blowfish and GPG encryption), and 1Password will automatically store the token within the new wallet.

    Give that a shot, and if you hit any snags I'll be happy to help you through them. :smile:

  • Ah, got it, thanks @Dayton_ag . I haven’t enabled 2FA (yet), but may do so in the coming days.

    What benefits does it bring to use KWallet (or GNOME equivalent, for that matter) as 2FA, if it’s running on the same machine? Does the desktop keyring/wallet keep 1Password session alive, or what?

  • Dayton_ag

    Team Member

    @matija_suklje:

    KWallet works along with your two-factor authentication method (such as your authenticator app or security key) to store the 2FA token securely on the system. When you provide the 1Password app with your authentication token (the 6-digit code generated by your authenticator app), it uses that token to prove to the server that you are authorized to access your data, and sync can take place. By storing that token in KWallet, 1Password can continually reference it to prove to the server that it's been authorized, without requiring you to input a 6-digit code each time sync needs to occur.

  • @Dayton_ag , so if I understand correctly – and I apologise for a nobbie question –, if I use 2FA in practical terms, I have two options:

    1) let’s say the second authentication method of 2FA is FreeOTP+ on my mobile phone. So then whenever I need to enter the master password, I am also asked for the 6-digit code generated by FreeOTP+? Or just when it syncs new data?

    2) if I use KWallet (or similar), it stores the 6-digit code for the whole time the KWallet wallet is open, and does not ask me to re-generate the code e.g. by using FreeOTP+ on my phone (as often).

  • Dayton_ag

    Team Member

    @matija_suklje No problem, I'm always happy to help! :smile:

    1) let’s say the second authentication method of 2FA is FreeOTP+ on my mobile phone. So then whenever I need to enter the master password, I am also asked for the 6-digit code generated by FreeOTP+? Or just when it syncs new data?

    By using this method, you'll be required to enter the 6-digit code from FreeOTP+ each time you unlock 1Password. 1Password can continue to sync data to the server for as long as that session is authenticated, but will require the code again the next time 1Password is fully quit and re-launched (thus ending the authenticated session).

    2) if I use KWallet (or similar), it stores the 6-digit code for the whole time the KWallet wallet is open, and does not ask me to re-generate the code e.g. by using FreeOTP+ on my phone (as often).

    Yep! With the key difference that KWallet doesn't store the 6-digit code itself, but stores the authentication token that proves to the server you authenticated successfully. As long as that token is stored in KWallet, 1Password will not require you to enter the code from FreeOTP+ for the desktop app on that device. This is true even after the authenticated session ends - as long as 1Password can pull that token from the keyring, you won't be required to re-authenticate.

  • edited March 31

    OK, I think I got it now, thanks, @Dayton_ag

    But by using KWallet to store the token, I would still need to enter the master password whenever I want to have a password filled into e.g. a website’s login page?

    Are there any extra steps needed for the KWallet 2FA working with 1Password in Firefox?

  • Dayton_ag

    Team Member

    @matija_suklje

    Yes, your Master Password will still be required in order to unlock 1Password - you can then continue to fill credentials from 1Password as long as 1Password is unlocked.

    Are there any extra steps needed for the KWallet 2FA working with 1Password in Firefox?

    Nope! KWallet is not required to store the token for 1Password in your browser.

  • OK, I think I am well equipped with knowledge now. Thank you so much for bearing with me, @Dayton_ag :)

  • Dayton_ag

    Team Member

    @matija_suklje Any time, it's my pleasure! :smile::+1:

  • ag_Christian

    Team Member
    edited June 3

    Hey there, @ryan_i_hate_1pwd_co,

    I tried this out for myself with Fedora 33 Workstation and wasn't able to encounter the same issue. My Login keyring was automatically created. This should be getting created by a combination of gnome-keyring and pam on your system. Would you mind trying out one of the steps the GNOME project recommends for checking if this feature is present and supported? You can find them over here. This is the command of interest from the page: grep -rq pam_gnome_keyring.so /etc/pam.* && echo "Have PAM Support".

    However, I did find that you can manually "regenerate" this login keyring and make GNOME think that it's the original one created. Here are the steps I followed, after manually deleting the login keyring that was created automatically for me:

    1. Open up Seahorse and create a new keyring with the exact name of login
    2. Give it the same password that your Linux user account has.
    3. Right click on the keyring in Seahorse and click Set as Default.

    While I have a working gnome-keyring and pam setup on my machine, this regenerated login keyring worked just like the original one and the prompt messaging around it was the same. It even unlocks automatically when you sign into your computer, identical to the keyring that should be automatically generated.

    Please let me know how this goes for you and if I can help more,
    Regards

    EDIT: Your last comment didn't load for me, so I apologize for the seeming re-hash of the "Set as Default" steps. I hope the rest is somewhat useful as well :)
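
Added example, not part of the thread and not 1Password's own code: a shell diagnostic for the three conditions discussed above (a keychain service running, the Snap `password-manager-service` permission connected, and PAM support for unlocking the GNOME login keyring). The snap name `1password`, the list of session-bus names checked, and the use of `busctl` are assumptions of this sketch.

```shell
#!/bin/sh
# Added diagnostic sketch, not 1Password code. Usage: sh keychain-check.sh --run [snap-name]

# Session-bus names of common keychain services: the Secret Service API
# (implemented by GNOME Keyring) and the KWallet daemon (KDE Frameworks 5/6).
KEYCHAIN_BUS_NAMES="org.freedesktop.secrets org.kde.kwalletd5 org.kde.kwalletd6"

# stdin: bus names, one per line (extra columns ignored).
# Prints each keychain service found; fails if none is on the bus.
keychain_services_present() {
    awk -v want="$KEYCHAIN_BUS_NAMES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) known[w[i]] = 1 }
        ($1 in known) { print $1; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# stdin: output of `snap connections <snap>`. Succeeds only when the
# password-manager-service plug has a slot attached ("-" = not connected).
snap_keychain_connected() {
    awk '$1 == "password-manager-service" && $3 != "-" { ok = 1 }
         END { exit (ok ? 0 : 1) }'
}

# Same test as the grep quoted in the thread; the paths are parameters.
pam_has_gnome_keyring() {
    grep -rq 'pam_gnome_keyring\.so' "$@" 2>/dev/null
}

diagnose() {
    snap_name="${1:-1password}"   # assumption: the snap is named "1password"
    if busctl --user list --acquired --no-legend 2>/dev/null | keychain_services_present; then
        echo "OK   keychain service is on the session bus"
    else
        echo "FAIL no keychain service found: expect a 2FA prompt"
    fi
    if command -v snap >/dev/null 2>&1 && snap list "$snap_name" >/dev/null 2>&1; then
        if snap connections "$snap_name" | snap_keychain_connected; then
            echo "OK   snap may reach the keychain"
        else
            echo "FAIL enable the saved-passwords permission (password-manager-service)"
        fi
    fi
    if pam_has_gnome_keyring /etc/pam.*; then
        echo "OK   PAM can unlock the login keyring at sign-in"
    else
        echo "NOTE no pam_gnome_keyring.so in PAM config (GNOME Keyring only)"
    fi
}

if [ "${1:-}" = "--run" ]; then diagnose "${2:-}"; fi
```

A FAIL on the first line also appears when `busctl` is not installed, so confirm the tool exists before concluding that no keychain service is running.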
