How to use 2FA with Apple devices?

edited March 28 in Lounge

If I understand this correctly, to use 2FA with the macOS 1Password app, one uses an authenticator app (such as Authy) on an iOS device, like an iPhone or iPad.

So am I correct in assuming that to use 2FA with the iOS 1Password app, one would use the same authenticator app - but on the Mac itself?

(Forgive me but it would not seem to make a ton of sense to use an authenticator app on the same device where you're trying to sign into 1P...)


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • @Mr. Laser Beam The authenticator app can be on the same or a different device.
    Most of the security of a Time-based One-Time Password based authenticator app comes from the fact that the long term secret is long, random and chosen by the website, it is stored where it cannot be accessed and the codes which prove ownership of it change every 30 seconds. It should be stored on a device you control and it helps if this is a separate device, but it's not a requirement.
    It's easy to get hung up on the latter because people talk a lot about a second factor being something you own, but the thing you're owning is really the long term secret issued by the website.

  • ag_ana

    Team Member

    @Mr. Laser Beam:

    If I understand this correctly, to use 2FA with the macOS 1Password app, one uses an authenticator app (such as Authy) on an iOS device, like an iPhone or iPad.

    In addition to what missingbits said, you also can use an Android device for this, it does not need to be an Apple device.

  • edited March 28

    @missingbits - I don't understand. How can you authenticate on the same device where you're trying to log into 1P?

    I mean, if somebody steals my iPhone or iPad, and the authenticator app is also on that same device, what's to prevent them from logging right into my account (assuming they have some way of bypassing Face ID and/or the master password)?

    And what is a "long term secret"?

  • ag_ana

    Team Member

    @Mr. Laser Beam:

    How can you authenticate on the same device where you're trying to log into 1P?

    You can switch to your authenticator app anytime to get the 2FA code. Have you tried the process already? Are you getting stuck at a specific step?

    And what is a "long term secret"?

    The secret code shared between the server and your authenticator App during 2FA set up.

    Usually this secret is converted to a QR code that you can scan using your authenticator App.

  • @ag_ana - I haven't actually turned on 2FA. I'm just curious about it.

    By "how" I meant this: if somebody gets ahold of one of my devices, and can sign in (via 2FA) and authenticate on the same device, how could that possibly be secure? If an attacker can authenticate on the same device they've just stolen from me, wouldn't that kind of defeat the whole purpose of 2FA?

  • ag_ana

    Team Member

    @Mr. Laser Beam:

    Thank you for the clarification, I see. This is the old "all the eggs in one basket topic" then :) You might find this discussion on the forum interesting:

    Why is it a good idea to store 2FA tokens in 1Password? — 1Password Forum

  • edited March 28

    @Mr. Laser Beam If you turn on 2FA for your 1Password account then you will only be required to enter the 2FA code when signing in on a new device. Once you have entered the 2FA code, the 1Password database will be downloaded to that device. So an attacker who has access to your device and knows your master password will be able to open your 1Password database.
    If the 1Password app were to ask for the 2FA code at every sign-in then the attacker could just get around that by using their own decryption software. So only the legitimate user would be inconvenienced.
    2FA doesn't check that you have access to two of your trusted devices, it checks that you have access to one of them or at least access to a secret stored on one of them. It doesn't matter where that code is generated as long as it's secure. Different apps cannot access each other's storage, so it is not necessary to use a separate device.
    2FA is a good defence against a remote attacker who does not have access to your devices. It is not a good defence against a device being stolen because once you have entered a 2FA code and chosen to trust a device, most websites and services don't require you to enter one again. That device becomes one of your trusted devices for that website or service for months or until revoked.
    For the best security use a strong master password, set a strong device password and turn on storage encryption where it is an option. If using an authenticator app then use an app password/PIN. Where available, enable biometrics to unlock so that you can use a long password/PIN without making it too cumbersome.
