Two-factor authentication on 1Password family account

I recently reviewed all my disaster recovery plans including the one for my 1Password family account.

I had followed the recommendations in the 1Password support article. I was happy that I could recover the account even in the worst possible scenario.

  1. Since then I enabled two-factor authentication on my account with Authy as described in this support article. This made me question how I (or another family member) might recover Authy in the event that I or my phone was no longer around. Can anyone else share the precautions they have taken in this regard?

  2. Is two-factor authentication on 1Password accounts overkill anyway given the need for a secret key and a master password?

I’m probably not thinking straight about all this, but hopefully you sage people will get me on the right track.

Comments

  • Hi @Penelope Pitstop

    Can anyone else share the precautions they have taken in this regard?

    I recommend printing a copy of the TOTP secret (QR code / string) and attaching that to your printed Emergency Kit. This would have to be done at the time you setup TOTP, though. If you've already set it up and would like to do this, you can disable it and re-enable it. You would need to re-setup your authenticator app (e.g. Authy) if you decide to do that.

    Additionally the 1Password account recovery process turns off 2FA for the account being recovered. If there is another organizer on your membership that can help you in such an event that would be a good backup.

    Is two-factor authentication on 1Password accounts overkill anyway given the need for a secret key and a master password?

    I generally do not use 2FA for 1Password accounts. It does add some level of protection to the device authorization process, but that tends to be outweighed by the inconvenience for me personally.

    Ben

  • Penelope Pitstop
    Penelope Pitstop
    Community Member

    Hi Ben

    Thank you so much for your helpful reply.

    Additionally the 1Password account recovery process turns off 2FA for the account being recovered. If there is another organizer on your membership that can help you in such an event that would be a good backup.

    That’s good to know. I wasn’t aware of that.

    I generally do not use 2FA for 1Password accounts. It does add some level of protection to the device authorization process, but that tends to be outweighed by the inconvenience for me personally.

    Mmmm, I see where you are coming from. I was following NCSC advice when I enabled it, and I’m still inclined to follow that. I think augmenting my emergency kit with the TOTP code as you suggest will probably strike the right balance for me.

    Thanks again.

    PP

  • The NCSC advice does not account for systems like 1Password where the primary protection for your account/data is encryption, rather than authentication. But, to be fair, their advice is generally solid. They can't and probably shouldn't account for every edge case, and "use 2FA" is likely much better advice than "use 2FA, except..."

    I think augmenting my emergency kit with the TOTP code as you suggest will probably strike the right balance for me.

    Indeed. :)

    Thank you so much for your helpful reply.

    You're welcome. Happy to help.

    Ben

  • Penelope Pitstop
    Penelope Pitstop
    Community Member

    The NCSC advice does not account for systems like 1Password where the primary protection for your account/data is encryption, rather than authentication. But, to be fair, their advice is generally solid. They can't and probably shouldn't account for every edge case, and "use 2FA" is likely much better advice than "use 2FA, except..."

    Another great point well made.

  • :+1: :)

    Ben

This discussion has been closed.