Ability to disable authenticator apps when using security key(s)

Hi,

In order to make access to 1Password more secure, I would like to disable authenticator apps and only allow access using security keys. At this moment it’s not possible because a message is shown that prevents this.

Users could save their OTP in a password manager that contains all valid credentials. By only allowing security keys 1Password becomes much more secure.

Comments

  • Hi @martinvandiemen,

    I'll be happy to help explain the reasoning behind the message you're seeing. Right now, only the 1Password.com web interface, 1Password for iOS, and 1Password for Android support U2F security keys, so it isn't currently possible to solely rely on this method when it comes to two-factor authentication for a 1Password account. To avoid getting locked out of the 1Password for Mac and 1Password for Windows applications, it will be necessary to set up and maintain traditional two-factor authentication with a third-party authenticator app.

    Our development team would like to explore the option of allowing the setup you've brought up, though that will have to wait until a future release adds support for our other client applications. It's important to note that, unlike most other services, the 1Password security model primarily relies on encryption, not authentication. Your Master Password and Secret Key work together to protect your data. This helps ensure that only you are able to decrypt your data.

    I hope this helps. Keep me posted if there is anything else I can do to assist.

  • martinvandiemen
    Community Member

    Hi @ag_max,

    Thanks for the response. I get that, but this could be solved by generating a one-time app password (for macOS and Windows apps) from the 1Password web interface. As long as you allow users to save all information in one place, 1Password is less secure.

    I find the information misleading that setting up a Security Key adds "another level of security on top of your Master Password" since it can only be configured with an OTP. I can just ignore the Security Key during login and fall back on the OTP.

    By now I would have hoped for more Business improvements from 1Password since the announcement of investment in 2019.

  • ag_ana
    1Password Alumni

    @martinvandiemen:

    Agreed, once every 1Password client supports security keys, you will get the full advantage of using this method instead of an OTP :+1:

This discussion has been closed.