Why is authenticator app required for 2fa?

mvsjes2
Community Member

I'm fairly new to PMs in general and 2fa in particular. I bought a couple of security keys and am trying out various PM providers. I was wondering why 1Password insists on using an authenticator app before allowing physical keys to be added. To me, having the keys separate from your phone provides more protection for apps residing on your phone. If the password to access an account is being displayed on the same device that your account is on, it's not much protection for that particular device. So I'd like to have just a couple of key fobs and no authenticator app, but I can't seem to do that on 1Password.

I also found adding the fobs very confusing. I didn't see an option for fobs on my family plan, just the authenticator app, so upgraded to the group plan, and still didn't see the fob option. So I finally found out you had to add the authenticator first. I may have upgraded unnecessarily.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • plttn
    Community Member
    edited March 2021

    Currently, not all clients support authenticating with U2F (Security Key), so OTP is necessary for those devices that can't use U2F.

    The catch with 2FA in 1Password is that it's exactly what it says on the tin. It is only for authentication, one time when first signing into your 1Password account on a given device (given that you haven't clicked "require 2FA on next sign in" in the web settings for that device). The security behind your vault being secure is the encryption strength provided by your Master Password and your Secret Key. The 2FA, be it U2F or OTP, is not involved in the decryption of the vault, merely authenticating that you are who you say you are to 1Password to authenticate a new client.

    To clarify the above, you may see other password managers offer 2FA on every unlock, or allowing for a security key to unlock your vault instead of a password. Barring a hacky workaround, that is not currently available with 1Password (nor do I expect it to ever be).

  • [Deleted User]
    Community Member
    edited March 2021

    @mvsjes2 If you use a security key whenever it is available then also having an authenticator app set up for that account doesn't degrade your overall security. The main advantage of security keys over authenticator apps is that they protect you from "man in the middle" attacks. In the case of 1Password, the Secure Remote Password protocol already protects you from the "man in the middle", so the main advantage is nullified and it comes down to your risk model.
    If you think that someone may have remote access to your device then a security key would seem better, but at that point your whole system is compromised. If you think that someone may have local access to your device then you should assume they also have access to your security key and a password protected authenticator app may be a better option.
    As @plttn points out, you need both if you want to use all of 1Password's apps, and you only need them when setting up an app on a new device. So you could store the TOTP manual entry long-term secret somewhere safe and, after setting up your devices, delete the authenticator app from your phone. If you lose the secret you can always turn off two-factor authentication from one of your authorised devices.
    If you are using YubiKeys then another option is to save the TOTP tokens on them using Yubico Authenticator. This requires a password to access the TOTP tokens and the secrets cannot be extracted.
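To illustrate the "keep the manual-entry secret, drop the app" suggestion above, here is an added example (not code from the thread or from 1Password) of the standard RFC 6238 TOTP computation: the base32 secret shown at enrolment is the only thing needed to regenerate codes later, which is why it must be backed up as carefully as a password. The secret below is a constructed sample (the RFC 6238 reference key in base32), not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 TOTP (SHA-1, 30-second step, 6 digits), the profile used by
# the authenticator apps 1Password enrols. The "manual entry" secret is
# the base32 string shown next to the QR code.


def totp_at(base32_secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Return the TOTP code valid at unix_time for a base32 manual-entry secret."""
    # Manual-entry secrets are often displayed in spaced, lowercase groups
    # without base32 padding; normalise before decoding.
    cleaned = base32_secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    counter = unix_time // step                      # time step number
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_now(base32_secret: str) -> str:
    """Code for the current wall-clock time (what the phone app would show)."""
    return totp_at(base32_secret, int(time.time()))


def verify_totp(base32_secret: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side style check: accept the current step or neighbours within `window`."""
    for drift in range(-window, window + 1):
        candidate = totp_at(base32_secret, unix_time + drift * 30)
        if hmac.compare_digest(candidate, code):     # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    # Constructed sample secret: ASCII "12345678901234567890" in base32,
    # the key used by the RFC 6238 test vectors.
    EXAMPLE_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
    print(totp_at(EXAMPLE_SECRET, 59))   # 287082 (RFC 6238 SHA-1 vector, last 6 digits)
    print(totp_now(EXAMPLE_SECRET))
```

Anyone holding that base32 string can produce the same codes, so it should live only in an offline backup or on a hardware authenticator such as the Yubico Authenticator setup mentioned above.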

  • ag_ana
    1Password Alumni

    @mvsjes2:

    plttn and missingbits covered everything in their replies :) Let us know if you have any questions :+1:

  • mvsjes2
    Community Member

    Thanks both for the clarification. That makes more sense. I also came across another article late last night about how 2fa does not add much to an encryption protection scheme, compared to an authentication scheme. In some ways I feel less secure depending so much more on the single master password vs password + separate device combined.

    I find the subject of security rather like disappearing down an Alice in Wonderland rabbit hole - you have to understand a vast and complicated number of disparate factors and how they all hang together for your overall security solution. And even then it's only ever going to be a partial solution.

  • ag_ana
    1Password Alumni

    @mvsjes2:

    I also came across another article late last night about how 2fa does not add much to an encryption protection scheme, compared to an authentication scheme.

    That is exactly the case. I suspect this might have been the article you are referring to :)

    Authentication and encryption in the 1Password security model

    I am leaving the link here in case someone else stumbles upon this discussion in the future.

This discussion has been closed.