Emergency Kit with 2FA information
My initial post from 2019 was closed :(
Since I still think it's important, here's a new post:
The emergency kit should also include the QR code + key of 2-factor authentication.
This way, all important information to access your account in case of an emergency is in one place.
I've seen it many times with friends and colleagues that when they lose or reset their smartphone, they don't have a backup of their OTP codes.
With 1Password this would be a disaster.
Comments
-
Hi @majortom!
I've seen it many times with friends and colleagues that when they lose or reset their smartphone, they don't have a backup of their OTP codes.
Indeed, it could be a problem when losing my iPhone and the TOTP is gone. To prevent this I'm using the Authenticator App which only holds the TOTP for 1Password on the iPhone of my wife, too. Furthermore, my Authenticator App is backing up data into my iCloud account and in case I have to reset my iPhone or I have to reinstall a new iPhone I just have to install the app again and restore the backup from my iCloud account. I think this is a good way for me... But you are right, it could be a problem for other people.
The emergency kit should also include the QR code + key of 2-factor authentication.
Maybe it would also help to enable using backup codes. As I remember when activating 2FA there were no backup codes which I was able to save or write down. They could help recover the account when losing the TOTP code.
+1 from me! :+1:
0 -
I use Authy, which allows you to share TOTP tokens across multiple devices. I have also saved a copy of the manual set-up code, so I could set up another authenticator app if required.
0 -
Also a good solution @missingbits. :+1:
0 -
@majortom - just so you know, it's nothing personal with regard to your previous thread from 2018. Old threads with no replies in them for a while usually get closed because the older they get, the more likely the suggestions they contain are to be outdated, and it can cause confusion if people find a specific thread through a Google search and start trying to act on instructions or advice that may not be correct for recent updates of either OS, 1Password or browsers.
We don't have a formal recommendation on which authenticator app to use, other than to suggest a well-known one such as Google Authenticator, Microsoft Authenticator, Authy, etc. We are still considering a change like what you've requested, but one of the issues with it is that the loss/theft of an Emergency Kit is one of the few circumstances where having 2FA enabled on your 1password.com account could be instrumental in protecting against account compromise.
Think about it: 2FA protects you from someone authenticating to the 1password.com server when they already have your Master Password and your Secret Key, but not a copy of your encrypted data. They're trying to access your data on our servers because they don't have a copy of it already. If they had your Secret Key and your Master Password from your Emergency Kit, the only thing that would stand between them and being able to download and decrypt your data might be your 2FA code. So, if we print the 2FA secret on the Emergency Kit as well, then every Emergency Kit would be literally an all-access pass to the 1password.com account it's associated with. You can of course choose to write your 2FA secret onto a printed copy of your Emergency Kit if the concern about being locked out of your account seems more serious or likely to you than the possibility of an attacker gaining access to the Emergency Kit.
0 -
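The point in the reply above, that whoever holds the 2FA secret holds the second factor, shown as an added example (not part of the thread and not 1Password's code): the setup QR code and the manual setup key carry the same shared secret, and every code is derived from that secret and the clock alone. It assumes the common `otpauth://` URI format with the RFC 6238 defaults (HMAC-SHA1, 6 digits, 30-second period); the sample URI, label and key are constructed from the RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
# The account label and issuer are made up for this example.
SAMPLE_URI = ("otpauth://totp/Example:user@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
# The same secret as someone might copy it by hand from the setup screen.
SAMPLE_MANUAL_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_key(text):
    """Normalise a base32 setup key (spaces, lower case, missing padding)."""
    key = text.replace(" ", "").replace("-", "").upper()
    key += "=" * (-len(key) % 8)
    return base64.b32decode(key)


def key_from_qr(uri):
    """Pull the shared secret out of the otpauth:// URI a setup QR code holds."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("URI carries no secret")
    return decode_key(query["secret"][0])


def totp(key, unix_time, digits=6, period=30):
    """RFC 6238 TOTP with HMAC-SHA1: a function of the key and the clock only."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    t = 59  # fixed timestamp so the output is reproducible
    print("from QR code:   ", totp(key_from_qr(SAMPLE_URI), t))
    print("from manual key:", totp(decode_key(SAMPLE_MANUAL_KEY), t))
```

Both derivations give the same code, which is why a saved setup key restores 2FA on a new device, and equally why a sheet carrying the secret stops being a second factor for anyone who finds it.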
@missingbits - if you're interested in reading a previous post from our Chief Defender Against the Dark Arts (AKA: Security Team lead, jpgoldberg) regarding why we chose not to offer backup codes for 1password.com's 2FA, that link is a good summary of his/our thinking.
0 -
@Lars Thanks for the link to jpgoldberg's previous post. It makes total sense. I like the clarity of thinking that you guys bring to password security.
0 -
@missingbits - you're quite welcome, glad to help! :)
0