Best practice for securing 1PW account with 2FA

3rdparty
Community Member

Hi,

I recently got a YubiKey. In order to use it I have to set up 2FA on my 1PW account. I see in your documentation you recommend against using 1PW to generate the 2FA code for your 1PW account, as that is like "keeping the keys to the safe inside the safe", however elsewhere on Reddit someone on your team advised this is safe to do as long as you have 1 device logged into 1PW, you can always retrieve a 2FA code to log in and/or turn off 2FA if necessary.

I'd prefer not to use an external authenticator (such as Google Authenticator, in case my phone gets lost/damaged). Is there ever a risk that all my 1PW devices could be logged out at the same time and I would be unable to get back in due to not having a 2FA code available anywhere? In that case would 1PW support be able to help me regain access to my account?

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • [Deleted User]
    Community Member

    There is no point keeping the 1Password 2FA in 1Password because whenever you need it you'll be using a device which isn't yet logged in to 1Password and doesn't yet have a copy of your 1Password database.
    If you're logged in to 1Password on another device you can use that to generate the time-based one-time passcode, but you could also use that same device to turn off 2FA. If you're not logged in to 1Password on another device then you will need to contact 1Password support for help, but you'll need access to the email account you used to set up 1Password.
    If you're concerned about losing access to your Google Authenticator device, you can always print out the manual entry 2FA secret so that you can set up another authenticator app in the future.
    I use Authy to share my 2FA tokens across devices, including the one to access 1Password. It saves an encrypted backup of your tokens and it is this which is shared across devices. Anyone who's able to gain access to your Authy database would need your "backups password" to decrypt it, and you can minimise the chances of this happening by disabling "multi-device" after adding all your devices.

  • [Deleted User]
    Community Member

    It doesn't make sense to store your 1Password 2FA token in your 1Password vault as when you need it you'll be using a device which doesn't yet have a copy of your vault. If you have another device to hand which is logged in to 1Password then you can use that to generate the time-based one-time passcode, but you could also use it to turn off 2FA.
    If you're concerned about losing access to your Google Authenticator device, you can always print out the manual entry 2FA secret so that you can set up another authenticator app in the future. The 1Password team should be able to help you recover from losing your 2FA device, but remember that you'll require access to the email account used to set up your 1Password account.
    I use Authy to share all my 2FA tokens across my devices, including the one required to access 1Password. To maximise security, turn off "multi-device" after adding all your devices and set a strong "backups password". It's the "backups password" that is used to encrypt your 2FA tokens before backing up to the cloud and sharing across devices.
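    An added illustration (not code from any poster in this thread, and not 1Password's or Authy's own logic) of why the printed "manual entry" secret is enough to set up a replacement authenticator: the base32 secret is the only long-term state a TOTP app holds, so any app given the same string produces identical codes. It implements RFC 6238 with HMAC-SHA1 and checks adjacent 30-second steps the way a typical verifier tolerates clock drift; the secret used is the RFC 6238 test-vector key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test-vector key "12345678901234567890" in base32,
# written the way an authenticator's manual-entry screen shows it.
RFC6238_TEST_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_manual_entry_secret(secret_b32: str) -> bytes:
    """Accept the secret as printed: spaces, lower case and missing '=' padding are tolerated."""
    clean = secret_b32.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time passcode for the given Unix time."""
    key = decode_manual_entry_secret(secret_b32)
    counter = for_time // step                       # number of 30 s steps since the epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # RFC 4226 dynamic truncation
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_code(secret_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock drift)."""
    # compare_digest avoids leaking which digit differed through timing.
    return any(
        hmac.compare_digest(totp(secret_b32, now + delta * 30), submitted)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    # Two "devices" holding the same printed secret agree on the code.
    print(totp(RFC6238_TEST_SECRET, now) == totp(RFC6238_TEST_SECRET, now))
```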

  • jmjm
    Community Member
    edited February 2021

    but remember that you'll require access to the email account used to set-up your 1Password account.

    Sorry in advance for maybe taking this thread a bit off track. My question is a bit more general. I do wonder what are the implications if, w/o warning, one loses complete and permanent access to the email address/account used to set up one's 1P account. Is it simply a matter of signing in, using one's MP, and then changing the email address on "file" to another active one? (No confirmation email is sent to the prior, now non-existent address?)

  • [Deleted User]
    Community Member

    As long as you have access to 1Password and know your Master Password then it seems you just need access to the new email address:

    https://support.1password.com/change-profile-1password-com/

  • jmjm
    Community Member

    Thanks @missingbits...perfect link.

  • ag_ana
    1Password Alumni

    Thank you everyone for the discussion :+1: Let us know if you have any questions @3rdparty.

This discussion has been closed.