1Password assistance with poor 2FA implementations such as SMS and Email
I love the 2FA OTP integration in 1Password and use it on every site that supports OTP.
Unfortunately, several of the sites I use have significantly less secure and more annoying 2FA implementations.
Most of them send a text message to my phone with a code that I have to enter on a screen.
A few of them send an e-mail to me with the code.
I really wish there was a way 1Password could help with these annoyances. The text message option is the more annoying one because it requires getting my phone out, unlocking it, opening the text message, and then transcribing the code onto the computer.
I am wondering if it would be possible to add a feature along the following:
1. In the 2FA section for a 1Password login entry that would let you specify the caller ID number that company uses to send you codes (looking at my message history, it is always a unique number for a particular company such as my bank, and the number is always the same for each message from them).
2. Give the 1Password mobile app permission to view text messages
3a. When a login is used/accessed that has a mobile 2FA configured, instruct any mobile 1Password clients to begin monitoring for a text message from that Caller ID for the next hour.
3b. If the more restricted option above isn't feasible, then the mobile client could always monitor text messages. It would work fine, it is just more invasive.
4. If a text message comes in from a number that is configured for 2FA, extract the code and record it in the login item
4a. A nice to have stretch goal would be to set an expiration for the code which would remove it from the login item after some time period (30 minutes?)
5. Force synchronize the item so that other 1Password installations can take advantage of the new code
5a. Optionally, raise some sort of notification on any 1Password client that recently accessed that particular item so the user knows the new code is available
6. When the user attempts to fill for the site, if the 1Password client detects the 2FA field, it enters the new code.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @deinspanjer!
Thank you for sharing your thoughts about this. I have sent your message to our security team :+1:
0 -
As promised, I forwarded your message to our security team, and they asked me to thank you for the suggestion! And thank you very much for taking time out of your day to to share this feedback :) We appreciate every idea that could make 1Password even better.
0 -
8-)
0 -
:)
0