2fa on 1Password start

I did a search, but couldn't find anything related to this.

I switched from LastPass a few months back. I discovered the 1Password podcast a while back - I follow Jack Moore over at ESET and he was a guest - and it sounded like a great company. I've become more and more disillusioned with LP over the last couple of years and I finally decided to make the move...

Anyway, the one thing I miss from LP is the 2FA authentication. Yes, I have an Authenticator app and my Yubikeys registered as 2FA, and, logging onto a new device, I have to provide 2FA to enable the account. What I've not found in the settings is the option to force 2FA when the app or the browser add-in is restarted - e.g. boot PC in the morning and unlock 1Password with 2FA, then, for the rest of the day, just the password to re-unlock. The same for the browser.

For my home PC and my private smartphone, just a password is fine. But I'd prefer the option to force 2FA on every start on my work laptop, which is often left in the office overnight. There is an option to allow Windows Hello, for example, to unlock, but no option under security to require 2FA.

Note: This could be a request for 2FA on new start or a 2FA request every 12/24 hours, for example.



Comments

  • ag_ana

    Team Member

    Hi @wright_is! Welcome to the forum!

    1Password will require 2FA only the first time you add a new device to your account. Afterwards, you are not prompted for 2FA because it would not help you very much since 1Password data is encrypted by your Master Password and Secret Key, not by your 2FA codes.

    You can read some more details about this here, if you are curious:

    Authentication and encryption in the 1Password security model

  • edited April 21

    @wright_is I moved over from LastPass last year and I'm glad I made the move.

    1Password 2FA protects against the case where an attacker knows your master password and secret key, but doesn't yet have a copy of your database. If they have access to an authorised device then they have a copy of your database and 2FA has no benefit.

    When you authorise a device, a copy of your 1Password database is downloaded to that device. If an attacker has access to your device and knows your master password then they can use their own decryption software to unlock your 1Password database.

    They would not be using the 1Password app and wouldn't be affected by any additional 2FA steps added to the app. So turning on 2FA for already authorised devices would increase inconvenience for the legitimate user without increasing security.

    For more background, you might be interested in the following piece:

    https://support.1password.com/authentication-encryption/
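
The distinction made in the two replies above, as an added example that is not part of the thread and not 1Password's code: a second factor gates the server handing out the encrypted data, while unlocking a local copy depends only on the password and Secret Key. The derivation, the toy HMAC-based cipher, `SyncServer` and all sample values are assumptions made so the sketch runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

def derive_vault_key(password: str, secret_key: str, salt: bytes) -> bytes:
    # Simplified two-secret derivation (assumption): password and Secret Key only.
    pw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    sk = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw, sk))

def _sub(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy HMAC counter-mode keystream, a stdlib stand-in for a real AEAD cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _stream(_sub(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + _sub(_sub(key, b"mac"), nonce + ct)

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _sub(_sub(key, b"mac"), nonce + ct)):
        return None  # wrong password or wrong Secret Key
    ks = _stream(_sub(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class SyncServer:
    """Hypothetical server: the only place the second factor is checked."""
    def __init__(self, blob: bytes, expected_code: str):
        self._blob, self._code = blob, expected_code

    def enroll_device(self, code: str) -> bytes:
        if not hmac.compare_digest(code.encode(), self._code.encode()):
            raise PermissionError("second factor rejected")
        return self._blob  # from here on, a local copy exists on the device

# Constructed sample values, not real credentials.
SALT = b"constructed-salt"
KEY = derive_vault_key("correct horse", "A3-CONSTRUCTED-KEY", SALT)
SERVER = SyncServer(seal(KEY, b"example.com: hunter2"), expected_code="492039")

if __name__ == "__main__":
    local_copy = SERVER.enroll_device("492039")  # 2FA needed once, to fetch the data
    again = derive_vault_key("correct horse", "A3-CONSTRUCTED-KEY", SALT)
    print(unseal(again, local_copy))             # no code is involved in unlocking
```

The practical consequence for a laptop left in the office is that protection of an already-enrolled device rests on the strength of the account password and on disk encryption and screen lock, not on the second factor.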

  • wright_is
    edited April 21

    Okay, thanks for clearing that up. Makes sense. I guess I was just used to how LP worked.

    And thanks for the quick answers!

  • ag_ana

    Team Member

    You are welcome @wright_is! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)
