Keeping 1password’s two factor within 1password

Is it a good idea or should I use another app for 1password’s one-time password?

Comments

  • @Kaoru It's not a good idea. When you need the TOTP for your 1Password account it will be because there's no 1Password database on the device you're using. You could use another device where you've already installed 1Password to generate the TOTP, but you could use that same device to turn off 2FA if required. Better to use a separate authenticator app.
    If you use Google Authenticator then print out a copy of the manual entry 2FA secret. If you use Authy then it saves a backup in the cloud which you can use to sync your 2FA tokens across all your devices. Be sure to turn off "multi-device" after adding all your devices and set a strong "backups password" as this is used to encrypt your 2FA tokens before uploading them to the cloud.

  • ag_ana

    Team Member

    Hi @Kaoru!

    If you are also curious to see why this would be a good idea, you might find this discussion on the forum useful: even our security team commented there ;)

  • @ag_ana I got the impression that @Kaoru was asking about saving in 1Password the TOTP token used to access 1Password. This is best saved elsewhere.

  • ag_ana

    Team Member

    You might be right @missingbits :+1:

  • @ag_ana either way that's a really interesting discussion you linked to, thanks

  • ag_ana

    Team Member

    You are welcome, anytime! :+1:

  • jpgoldberg Agile Customer Care

    Team Member

    Even more important than your 1Password 2FA "factor", take the opportunity to think about where you have your 1Password Secret Key backed up. If you lose your device or computer needs to be completely reformatted, do you have your Secret Key in a place that will allow you to set up 1Password on a new device if you can't get into 1Password?

    With your TOTP secret, we are capable of resetting that after making you jump through some hoops to help verify that you are who you say you are. It is annoying, slow, and not particularly pleasant for anyone, but it is doable. But losing your Secret Key is like forgetting your Master Password: We cannot reset either your Master Password or your Secret Key. There is no way to decrypt your data without both of those.

    Sorry (not sorry) for hijacking this discussion, but we do see cases where people's computers have died badly and it was the only place they had their Secret Key. Cases like that (and they do happen) are heartbreaking for us and devastating to the user, so I am going to take every opportunity to remind people to make a copy of their Emergency Kit in a place that will be available to them in an emergency.

    Thank you. Now back to your regularly scheduled 1Password Community discussion,

  • Thank you for the comments! I will use Authy for my 1password 2FA.
    @jpgoldberg I use 1password for my Secret Key because I can’t think of a good place to keep a paper version of the emergency kit.
    It’s probably not ideal but I do have 1password on 2 devices.

  • @Kaoru If you only have 1Password on two devices and have not backed up your Secret Key then you're more likely to lock yourself out than get hacked! Remember that your Master Password protects you from a local attacker and your Secret Key protects you from a remote hacker.
    If you're not comfortable printing it out, have you thought about saving your Secret Key on a USB flash drive or CD-ROM? You could save it as a PDF amongst some other documents or as a JPG file amongst your photos. You could even overlay it onto an existing photo so that it's not obvious from the thumbnail.

  • Lars Junior Member

    Team Member

    @Kaoru - there are multiple different ways to save/protect your Secret Key -- and thanks to missingbits for mentioning two of them -- but it's indisputable that you should have a copy somewhere outside of 1Password itself. It's a bit like locking your keys inside your car for safekeeping. Safe? Yes, probably...but there are other problems. ;)

    You need your Secret Key every time you use 1Password on a device or app on which you have not previously used it. Especially if you use 1Password on just a couple of devices, the possibility that you might lose access to all of them simultaneously (natural disaster, theft of a travel bag containing both of them, etc.) would be more of a risk than having the Secret Key printed out or stored somewhere on a USB flash drive or (as missingbits suggests) even something like a CD-ROM. Another idea we've seen some people use is a trusted attorney or even estate manager (in the case of your untimely incapacitation or demise, so loved ones can access necessary information for you within 1Password). They are bound by attorney-client privilege and will typically store your documents securely and for a reasonable fee. That's just a suggestion; different methods will work better for different people's individual situations, but definitely consider saving your Secret Key somewhere other than within 1Password itself.

  • danco Senior Member Community Moderator

    You could always also obfuscate the secret key by a simple alphabetic substitution.

  • I saved an encrypted emergency kit pdf on iCloud! I think it’s pretty safe there?

  • @Kaoru, and where do you save the encryption password...?

  • @williakz ...
    It’s pretty short so I hope I’ll remember

  • jpgoldberg Agile Customer Care

    Team Member
    edited February 24

    Thank you all. And I hope that others will keep posting tips.

    The security requirements on the Secret Key are unusual. And what works for one person may not be the best for another. It does make it very hard for us to provide some sort of one-size-fits-all advice, though.
