Feature Request: Backup codes

I would love a cleaner way to store backup codes. As of now, I would either have to paste the whole string of codes into one text field or paste them individually into separate fields.

Since most backup codes are separated by tabs or line-breaks, I would imagine it would be fairly easy for 1Password to detect tabs and line-breaks and automatically create individual fields for each backup code after pasted. Maybe there could even be a new "backup code" option in the field-type drop-down that handles it that way AND only shows one code at a time to keep it clean.

For example:

backup code
1234abcd (0 of 6 used)

Thoughts?


1Password Version: 7.7.1.BETA-4
Extension Version: Not Provided
OS Version: macOS Catalina 10.15.7
Sync Type: Not Provided
Referrer: forum-search:Backup codes

Comments

  • ag_anaag_ana

    Team Member

    Hi @claytv! Welcome to the forum!

    Thank you very much for taking time out of your day to to share this feedback! We appreciate every idea that could make 1Password even better.

    I can see how this could be useful to you, so while I cannot make any promises, I can tell you that I have shared your feedback internally :)

    Once again, thank you and have a wonderful day!

    ref: dev/projects/customer-feature-requests#212

  • +1 vote from me. ;)

    Actually I paste all of my backup codes into the notes field of the login entries. A better way of managing them would be appreciated. :+1:

  • What's a backup code?

  • XIIIXIII
    edited January 27

    Backup codes are a number of one-time codes a website might generate for you when you enable 2FA.

    You need these backup codes in case you want to login to that website but cannot access your one-time code generator App (1Password, Authy, Google Authenticator, or similar).

  • XIIIXIII
    edited January 27

    PS: this feature request pops up now and then (I posted one myself back in April 2019)

  • Thanks, don't use 2FA much so haven't run into them...yet.

  • ag_tommyag_tommy

    Team Member

    Backup codes are vital to the safety of any accounts that have 2FA enabled. Personally, I use it on every account that I can to increase my security.

  • Personally, I use it on every account that I can to increase my security.

    Me too, Tommy. :+1:

  • ag_anaag_ana

    Team Member

    I think a lot of us do :+1:

  • Currently my backup codes, due to my own laziness, are pasted into the note fields of each item. It doesn't seem like a save method as they are always displayed when I open up a login item. What's the safest way to store the backup codes? Some options I could think of are to store them separately and keep them in a separate vault and keep that vault from being displayed or even staying in travel mode and have that vault not accessible. I'm curious to hear what you guys think.

  • Hi @MONKi1P!

    Currently my backup codes, due to my own laziness, are pasted into the note fields of each item.

    That's the same way I'm doing this, too.

    to store them separately and keep them in a separate vault and keep that vault from being displayed or even staying in travel mode and have that vault not accessible

    Sounds like a good solution... Maybe I should think about this way. Thanks. :)

  • You could store backup codes as custom fields and configure them to be a password (hidden by default).

  • DenalBDenalB
    edited February 9

    But to copy all backup codes in one field and set this field as password field is not a working solution. All codes will be handled as one password entry.

    So you are not able to copy one backup code only.

    A working solution could be to use one password field for one backup code. But if you have more than one backup codes it is also not a good solution. :(

  • Unless 1Password adds a field that can accommodate backup codes and such, the password field solutions as @DenalB said, are not really a workable solution. Too cumbersome, too many custom fields, and human nature will get in the way of being really good about taking the time to set it up for every account and manually copy & past codes into each field separately. Plus, most general purpose users need something that works out of the box for them without adding too much complexity while keeping their information secure. The notes field is the most convenient but it doesn't seem save to keep the codes out in the open.

    The only other way right now that I can think of, would be to attach screenshots of backup codes but the downside would be that you can't copy it and it would be harder to keep track of which ones you have used.

    Let's hope we get some update that makes this easier for everyone.

  • I indeed store each backup code in an individual field.

    (that's why I requested a template quite some time ago and support this newer request)

  • @MONKi1P I keep backup codes, recovery codes, manual entry 2FA secrets, security questions and anything else which can be used to bypass 2FA in a separate Keepass database. This also serves as a way in for my family in the event of my death and a safe place to store my 1Password Secret Key. The Keepass Master Password is shared with my family via 1Password and there's a key file which remains local.

  • Very nice idea @missingbits. I will think of such a way to save these codes. :+1:

  • @missingbits hmmm good idea to keep them in a separate place. What about creating a local vault with 1Password and keep that stuff in there? Two issues I can think of that make this inferior to using a different tool: (1) If there is a problem with 1Password and (2) The Master Password of the local vault is the same as of 1Password which doesn't add much extra security except if that file is kept separate and generally disconnected and if someone needs it they can import that local vault.

    @XIII templates! I'd have so many use cases for that. This might be my top feature request.

  • MONKi1PMONKi1P
    edited February 10

    Okay so I was wrong, the Master Password from 1password.com is needed to create a local vault but that can be changed following the instructions here https://support.1password.com/change-master-password/

    Thoughts on using local vaults as an extra security layer and keep the .opvault file disconnected unless needed. This could also be used to backup 1Password by copying all items to a local vault.

  • Update: Now my 1Password X & my.1password.com have the original Master-Password but the 1Password macOS app needs to be unlocked with the new Master-Password used with the local Vault. It will revert back to the 1password.com Master-Password if the local vaults are removed.

    So that means that this is a nice way with Safari & macOS to use a separate Master-Password to unlock it on my device then the original Master-Password used with with the online accounts. If the local vaults are removed but the .opvault is backed up to let's say a USB stick, it could then be reimported with the Master-Password set for it later.

  • @MONKi1P I had the same thought and set-up a local vault. It worked OK and I was able to back it up to a cloud provider. However, it would have required my family to have knowledge of 1Password local vaults to access it, I wasn't totally confident they would be able to access it when required and I wanted to cover the risk of 1Password disappearing. This is unlikely I know, but 1Password do seem to be moving away from local vaults.
    Another factor was that I wanted somewhere independent of 1Password to backup my email credentials as, even if you make someone else a Family Organiser, you need access to your email account to confirm account recovery. I could have shared my email credentials with my family, but I preferred to keep them private until my untimely demise. So they are in my 1Password Private vault and Keepass.

  • I doubt 1Password is going anywhere and even if they do, I trust the team to release an end-of-life guide if it comes to that. But @missingbits it is always better safe than sorry with security!

    I was thinking of switching the Email I use with 1Password to a separate account that I don't use on every device to make the Master Password resetting more secure. Like a Google account that has Advanced Protection enabled, no device is logged in with it actively unless it is needed for some recovery purpose. A ProtonMail or Tutanota account would probably provide more privacy but one concern to keep in mind is always if they will be around in decades to come.

  • Hi @ag_tommy
    Why do you say "Backup codes are vital to the safety of any accounts that have 2FA enabled." ?
    Aren't these static codes just another shared secret and so another way (for someone else) to get into your account?
    These codes can be of very low entropy, much lower than the 2FA seed that you're effectively bypassing.
    For example Google's back up codes are 8 numeric digit length.
    I suppose if the recovery codes are of equal strength to the 2FA seed then I guess that's fine.

    Also storing one's 2FA seed (or equivalent) credentials in the same database as the primary password is less secure than storing them elsewhere.

    Thanks

  • ag_tommyag_tommy

    Team Member

    @1pwuser31547

    Backup codes are vital as in the ability to access the account should you lose access. Without the backup code, you'll have no way to get back into the account. Well, maybe the better term is survivability or emergency access under less than ideal circumstances. True, backup codes are not something such as a password (long and having high entropy) and are static with little to no entropy. I was thinking more of the user feeling safe in that they have everything needed to access their account, which is how the conversation started about storing those codes within 1Password. I read the OP's comment as they wanted to feel safe in that they had an excellent system for having the codes stored to their liking.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file