Keeping 1password’s two factor within 1password

Kaoru
Kaoru
Community Member

Is it a good idea or should I use another app for 1password’s one-time password?

Comments

  • [Deleted User]
    [Deleted User]
    Community Member

    @Kaoru Its not a good idea. When you need the TOTP for your 1Password account it will be because there's no 1Password database on the device you're using. You could use another device where you've already installed 1Password to generate the TOTP, but you could use that same device to turn-off 2FA if required. Better to use a separate authenticator app.
    If you use Google Authenticator then print-out a copy of the manual entry 2FA secret. If you use Authy then it saves a backup in the cloud which you can use to sync your 2FA tokens across all your devices. Be sure to turn-off "multi-device" after adding all your devices and set a strong "backups password" as this is used to encrypt your 2FA tokens before uploading them to the cloud.

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @Kaoru!

    If you are also curious to see why this would be a good idea, you might find this discussion on the forum useful: even our security team commented there ;)

  • [Deleted User]
    [Deleted User]
    Community Member

    @ag_ana I got the impression that @Kaoru was asking about saving in 1Password the TOTP token used to access 1Password. This is best saved elsewhere.

  • ag_ana
    ag_ana
    1Password Alumni

    You might be right @missingbits :+1:

  • [Deleted User]
    [Deleted User]
    Community Member

    @ag_ana either way that's a really interesting discussion you linked to, thanks

  • ag_ana
    ag_ana
    1Password Alumni

    You are welcome, anytime! :+1:

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Even more important than your 1Password 2FA "factor", take the opportunity to think about where you have your 1Password Secret Key backed up. If you lose your device or computer needs to be completely reformatted, do you have your Secret Key in a place that will allow you to set up 1Password on a new device if you can't get into 1Password?

    With your TOTP secret, we are capable of resetting that after making you jump through some hoops to help verify that you are who you say you are. It is annoying, slow, and not particularly pleasant for anyone, but it is doable. But losing your Secret Key is like forgetting your Master Password: We cannot reset either your Master Password or your Secret Key. There is no way to decrypt your data without both of those.

    Sorry (not sorry) for hijacking this discussion, but we do see cases where people's computers have died badly and it was the only place they had their Secret Key. Cases like that (and they do happen) are heartbreaking for us and devastating to user, so I am going to take every opportunity to remind people to make a copy of their Emergency Kit in a place that will be available to them in an emergency.

    Thank you. Now back to your regularly scheduled 1Password Community discussion,

  • Kaoru
    Kaoru
    Community Member

    Thank you for the comments! I will use Authy for my 1password 2FA.
    @jpgoldberg I use 1password for my Secret Key because I can’t think of a good place to keep a paper version of the emergency kit.
    It’s probably not ideal but I do have 1password on 2 devices.

  • [Deleted User]
    [Deleted User]
    Community Member

    @Kaooru If you only have 1Password on two devices and have not backed-up your Secret Key then you're more likely to lock yourself out than get hacked! Remember that your Master Password protects you from a local attacker and your Secret Key protects you from a remote hacker.
    If you're not comfortable printing it out, have you thought about saving your Secret Key on a USB flash drive or CD-ROM? You could save it as a PDF amongst some other documents or as a JPG file amongst your photos. You could even overlay it onto an existing photo so that its not obvious from the thumbnail.

  • Lars
    Lars
    1Password Alumni

    @Kaoru - there are multiple different ways to save/protect your Secret Key -- and thanks to missingbits for mentioning two of them -- but it's indisputable that you should have a copy somewhere outside of 1Password itself. It's a bit like locking your keys inside your car for safekeeping. Safe? Yes, probably...but there are other problems. ;)

    You need your Secret Key every time you use 1Password on a device or app on which you have not previously used it. Especially if you use 1Password on just a couple of devices, the possibility that you might lose access to all of them simultaneously (natural disaster, theft of a travel bag containing both of them, etc) would be more of a risk than having the Secret Key printed out or stored somewhere on USB flash drive or (as missingbits suggests) even something like a CD-ROM. Another idea we've seen some people use is a trusted attorney or even estate manager (in the case of your untimely incapacitation or demise, so loved ones can access necessary information for you within 1Password). They are bound by attorney-client privilege and will typically store your documents securely and for a reasonable fee. That's just a suggestion; different methods will work better for different people's individual situations, but definitely consider saving your Secret Key somewhere other than within 1Password itself.

  • danco
    danco
    Volunteer Moderator

    You could always also obfuscate the secret key by a simple alphabetic substitution.

  • Kaoru
    Kaoru
    Community Member

    I saved an encrypted emergency kit pdf on iCloud! I think it’s pretty safe there?

  • williakz
    williakz
    Community Member

    @Kaoru, and where do you save the encryption password...?

  • Kaoru
    Kaoru
    Community Member

    @williakz ...
    It’s pretty short so I hope I’ll remember

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    edited February 2021

    Thank you all. And I hope that others will keep posting tips.

    The security requirements on the Secret Key are unusual. And what works for one person may not be the best for another. It does make it very hard for us to provide some sort of one-size-fits all advice, though.

  • kram5819
    kram5819
    Community Member
    edited April 2021

    I have a notepad on my Android device & Chromebook, it's secured with a 25 character password and this notepad that I have from the play store has AES 256 Encryption.

    So if I had to go out and get a new Chromebook or a new Android phone I would simply download that notepad again which is encrypted and backed up, and it would have my secret key (my note I put in) I would be able to reinstall 1- password because that notepad would have my information.

    I would look at that Notepad and copy and paste the secret key.

    ** I've also memorized the last five letters of the secret key and I didn't put those in the notepad in case somebody ever where to find it, they wouldn't have the complete key and therefore, they wouldn't be able to get in.**

    I've also written my secret key down not labeling what it is just a bunch of numbers and I left off the last five because I've memorized the last 5, and I put it in my safe.

    For my own curiosity, can you explain to me how it works when I first get a laptop and my Android device and I set it up how the secret key is remembered. I run the following about how it works.

    Have peace of mind if you lose a device. Encrypted copies of your Secret Key are >>>>stored in your device backups << that's what I wanted to know.

    It would be nice to know how that works I don't quite understand what you mean by stored in your device backups

  • kram5819
    kram5819
    Community Member

    I'm currently working on how to leave a family member my password and my secret key and all my information they're very trustworthy I just don't want to ever have them lose it

    I'm working on a way that that could be done successfully.

    I wonder if it's possible to put another account on my 1password and have the master password for that and give that to my family member so that if something were to happen to me, they would have instructions and be able to get in.I'm secure enough to know that if I told them not to get in there unless something happened to me that they wouldn't.

    That might be a good option I wonder what you think?

    I do not have something to hide I just don't want anybody to have access the bank accounts in very important things because I'm very security conscious.

    The fewer people that have information and how to get into my information the better Anything Could Happen

  • kram5819
    kram5819
    Community Member
    edited April 2021

    I use a product from the play store called color note it has ASE 256 encryption you can store a lot of notes, addresses, & all kinds of things color notes even has a calendar.

    It's handy I've been using that for about 3 years.

    You can back up your notes with a master password as well as sync them to your mobile device and your computer so they automatically back up every day (password protected) so that you'll always know what your most current notes / passwords are

    I've added a note about 1password & I put in my note my encryption key & my master password so that if I were to ever change devices I would be able to re-download ColorNote and then the 1password manager extension on my Chromebook then start over and of course I'd be able to get in because I would have my encryption key and my master password handy.

    One thing I did for my own safety is I MEMORIZED THE LAST 5 OF MY ENCRYPTION KEY and of course my entire master password is memorized.

    I did NOT put the last 5 of my master password or my encryption key in my color note.

    If somebody were to get into my color notes and see my encryption key and my master password they still wouldn't be able to get in because it's missing the last five characters.

    The other thing I did as I wrote down the last 5 characters and I put them in the safe so if I were to forget the last five for some reason I would be able to get in my safe and be able to figure out the entire encryption key and my entire password.

    Unless I start getting dementia I don't think I'll forget those last five.

  • kram5819
    kram5819
    Community Member

    It is AES 256 Encryption. not ASE (sometimes autocorrect doesn't autocorrect)

  • ag_ana
    ag_ana
    1Password Alumni

    @kram5819:

    I wonder if it's possible to put another account on my 1password and have the master password for that and give that to my family member so that if something were to happen to me, they would have instructions and be able to get in.

    Can you please elaborate? What do you mean by "put another account on my 1password", and how would you share this information with your family members in this case?

  • kram5819
    kram5819
    Community Member

    ag_ana,
    looks like you have the capability to do that anyway I'm just going to make another Vault and put all that stuff in the vault and give that person a password but if I do that they might as well just have access to my complete all the companies that I totally trust

  • ag_ana
    ag_ana
    1Password Alumni

    @kram5819:

    Perhaps you might have considered this already, but if you want to give access to just a single vault, you could use a guest account for this person:

    Share with guests in 1Password Families

  • kram5819
    kram5819
    Community Member

    yep I thought of that and that's a great idea

  • ag_ana
    ag_ana
    1Password Alumni

    :+1: :)

This discussion has been closed.