Prompt for 2FA at login?
Hello, I signed up recently for 1Password and am learning its features. I enabled 2FA, configuring a TOTP authenticator and a U2F YubiKey.
However, on subsequent logins, I am not prompted for either.
I expect 1Password to prompt me for the master password and the U2F token at every login. What do I have to configure?
Comments
-
TLDR: Your database is protected on 1Password's servers by your Master Password, your Secret Key, Secure Remote Password and, optionally, 2FA. Your database is protected on your devices by your Master Password and your device security.
1Password only asks for 2FA when authorising a new device. Once you've authorised the device then a copy of your password database is kept on the device. This is protected by encryption which is based on your Master Password.
So even if the 1Password app were to ask for 2FA, an attacker with access to your device who knows your Master Password could bypass the 2FA by using their own decryption software. In any case, YubiKeys aren't a great defence against a local attacker, as someone with access to your device may well have access to your YubiKey.
It’s your Master Password and device security that provide the real protection from a local attacker. For maximum protection choose a good Master Password and secure your device with a strong password and storage encryption.
0 -
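The point made in the answer above, as an added example that is not part of the original thread and is not 1Password's code or vault format: when the key for a local vault is derived from the master password alone, a 2FA prompt in the app is a gate in front of the decryption, not an input to it. The toy cipher, the `app_unlock` front end, and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

def derive_keys(master_password, salt):
    """Derive encryption and MAC keys from the master password alone."""
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, dklen=64)
    return okm[:32], okm[32:]

def _keystream(key, nonce, length):
    # Toy stream cipher (HMAC-SHA256 in counter mode) so only the stdlib is needed.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(master_password, salt, plaintext):
    enc_key, mac_key = derive_keys(master_password, salt)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_vault(master_password, salt, blob):
    enc_key, mac_key = derive_keys(master_password, salt)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or corrupted vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def app_unlock(master_password, second_factor_ok, salt, blob):
    """Hypothetical app front end that insists on a second factor first."""
    if not second_factor_ok:
        raise PermissionError("second factor required")
    return open_vault(master_password, salt, blob)

def demo():
    password, salt = "constructed-master-password", os.urandom(16)
    blob = seal(password, salt, b"example.com: constructed-secret")
    results = {}
    try:
        app_unlock(password, False, salt, blob)
    except PermissionError:
        results["app_without_2fa"] = "refused"
    # Same file, same password, app not involved: the prompt was never part of the key.
    results["direct"] = open_vault(password, salt, blob)
    try:
        open_vault("wrong-password", salt, blob)
    except ValueError:
        results["wrong_password"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

The only thing that stops `open_vault` is not knowing the master password, which is why the answer puts the weight on master password strength and device security.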
Thank you!
0 -
We couldn't have explained it any better ourselves, @missingbits 💙
0 -
@missingbits can I ask how long the master password should be? I assume that the symbols and text generated within 1Password are enough.
0 -
@bear67512 the longer the better, although it needs to be something you can type easily without getting lost. What really matters is not the length, but the entropy or randomness. So if you're using something that looks like a random assortment of letters, numbers and symbols then 20 characters should be enough. If you're stringing together a bunch of dictionary words to make a passphrase then better go for 30 characters or more.
0 -
@missingbits thank you!
0 -
Thank you again for the support :)
And let us know if there is anything we can do to help, @bear67512 👍
0