Chrome Extension not asking for Two Factor Authentication
I added two-factor authentication but it doesn't ask for it when I use the Chrome extension. How do I enable it so it asks every time I log on? I checked my account at 1password and it asked for it once but not again.
1Password Version: Chrome
Extension Version: 1.24.1
OS Version: Windows 10
Sync Type: Browser
Comments
-
Hey @chris95008 ,
2FA is used to authorize a device once. After you successfully authorized a device, there is no added security in asking for 2FA every time you log in - the data is already stored locally on the device alongside your Secret Key, so from a security perspective, it makes zero sense to ask for 2FA on every login aside from making things more cumbersome for users.
Your Master Password is needed to unlock and decrypt your data every time you want to use 1Password, and that is your main line of defense. Have a strong Master Password and keep your device clean and secure - that is the way to keep your data safe :)
0 -
My computer is used by other people so having it ask each time would make me feel better. I guess I could de-authorize the computer each time.
0 -
If I also used a YubiKey, would it be asked for each time or only once?
0 -
@chris95008 The same 2FA process applies whether using an authenticator app or YubiKey.
1Password 2FA protects against the case where an attacker knows your master password and secret key, but doesn't yet have a copy of your database. If they have access to an authorised device then they have a copy of your database and 2FA has no benefit.
When you authorise a device, a copy of your 1Password database is downloaded to that device. If an attacker has access to your device and knows your master password then they can use their own decryption software to unlock your 1Password database.
They would not be using the 1Password app and wouldn't be affected by any additional 2FA steps added to the app. So turning on 2FA for already authorised devices would increase inconvenience for the legitimate user without increasing security.
If other people are using your computer then make sure you have your own user account. If this is not possible and you are concerned that one of the other users may try to crack your 1Password master password then you should consider whether you really want to put your 1Password database on there.
0 -
As missingbits wrote, having a separate account would be useful in your scenario, so please consider that, if possible.
You might also find this article useful, if you are curious about some details:
Authentication and encryption in the 1Password security model
0
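The distinction drawn in the replies above, as an added example (not 1Password's code or its real key derivation; `derive_key`, `seal`, `unlock_local`, `SyncServer` and every sample value are constructed for illustration): the second factor gates release of the encrypted vault to a new device, while unlocking a copy already stored on a device takes only the Master Password and Secret Key.

```python
import hashlib, hmac, os

def derive_key(master_password, secret_key, salt):
    # Simplified stand-in: stretch the password, then mix in the Secret Key.
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()

def keystream(key, nonce, n):
    # Toy HMAC-counter keystream standing in for a real AEAD cipher.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unlock_local(blob, master_password, secret_key, salt):
    # The only inputs are the stored blob and the two secrets: no 2FA code appears.
    key = derive_key(master_password, secret_key, salt)
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong Master Password or Secret Key")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

class SyncServer:
    """Hypothetical server: hands out the encrypted vault only after a second factor."""
    def __init__(self, blob, expected_code):
        self._blob, self._code = blob, expected_code
    def authorize_device(self, code):
        if not hmac.compare_digest(code.encode(), self._code.encode()):
            raise PermissionError("second factor rejected")
        return self._blob

def demo():
    # Constructed sample secrets, vault entry and one-time code.
    salt, secret_key = os.urandom(16), os.urandom(16)
    blob = seal(derive_key("correct horse", secret_key, salt), b"bank: hunter2")
    server = SyncServer(blob, expected_code="492817")
    try:
        server.authorize_device("000000")
        new_device = "got vault"
    except PermissionError:
        new_device = "blocked"
    local_copy = server.authorize_device("492817")  # one-time device authorization
    return new_device, unlock_local(local_copy, "correct horse", secret_key, salt)
```

Because `unlock_local` never takes a one-time code, a prompt shown by the app on each unlock would be a check in the app, not a requirement for decrypting the stored copy.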