1Password as an authenticator: Isn’t this a bad idea?

omzazomzaz
edited May 3 in Memberships

I see I can use 1Password as an authenticator for sites that have two-factor authentication.

I thought the idea with two-factor authentication is to have an authentication factor that’s additional to the standard password.

If I put both the password and additional factor (one-time password) in the same password manager doesn’t it remove the benefit? Isn’t it better to use a separate app for generating the one-time passwords?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • BlakeBlake

    Team Member
    edited May 3

    Short answer: I would recommend keeping your 2FA codes within 1Password. Then focus on keeping your 1Password account secure (i.e. don't share your Master Password with anyone or anything). To that end, if you're feeling fancy, you can enable two-factor authentication on your 1Password account, keeping the convenience of having your 2FA codes autofilled by 1Password and restoring the true two-factorness.

    Slightly longer answer: The most important part of securing your online accounts is using strong, unique passwords for each sites (for which 1Password is perfect). The next most important part is code-based 2FA, which brings two main advantages:

    • "One-timeness" - a password is the same every time you use it, meaning if it's compromised in transit (like if you're on a non-HTTPS site and an unsecured WiFi network), it's useful to a potential attacker until you change it. The one-time passwords of 2FA change every 30 seconds following a pattern only you and your authenticator app know, so a potential attacker intercepting your network traffic now has an extremely limited window of usefulness on the captured information.

    • "Second factor" - If you keep a password for an account on one of your devices, and only sign in to that account on that device, while your 2FA codes are stored on a separate device, you have a true second factor. A potential attacker would need both devices to access your account, hence the two of two-factor authentication.

    TL;DR? Keeping your 2FA codes with your passwords in 1Password removes the true second factor aspect of 2FA. But it retains the one-timeness, which makes the theoretical "weak link" your 1Password vault. Which is a pretty sweet weak link, if you ask me. 😉

    If you're up for a more in-depth read on this particular topic, our very own Head of Security, @jpgoldberg covers this pretty well over on this blog post.

  • omzazomzaz

    Thanks for the detailed response. All that information is very helpful. I appreciate the argument that it may be better to focus entirely on the security of my 1Password account and store one-time passwords within my 1Password account. I suppose the simplicity may outweigh any gains from using a dedicated authenticator app for 2FA with other accounts.

    At the moment I am using a separate authenticator app. I have this installed on my phone but not elsewhere. I also have 1Password installed on my phone. 1Password and the authenticator app using different passwords. They are both setup for biometric login.

    To help further my understanding, could you please comment on my statements below. Are they valid?

    1. From the perspective of accessing accounts from my phone I don't have true 2FA (because both 1Password and my authenticator app are installed on my phone).

    2. From the perspective of accessing accounts from my other devices (e.g. PCs and tablet on which I have 1Password installed) I do have true 2FA (because the authenticator app is not installed on these devices).

    3. Although I don't have true 2FA on my phone there is marginal gain from using a dedicated authenticator app because it is protected by a different password to my 1Password account.

    Thanks

  • @omzaz Two factor authentication is often referred to as "something you know" and "something you have". We get hung up on the second part, but it is not essential to getting the security benefit of a TOTP-based authenticator app, as jpgoldberg points out in the following discussion:

    https://1password.community/discussion/101714

    I think it more useful to think of 2FA as building a chain of trusted devices. You use a device under your control to tell a website that it can trust a new device, that device gets added to the chain and you agree to keep it under your control. This protects your account from the vast majority of devices on the internet which are not part of this chain of trust. Taking your questions in turn:

    1. You have true 2FA because the phone is "something you have" and it is not available to a remote attacker. Using it to store your password doesn't change the fact that it is a device under your control and doesn't make it available to a remote attacker.
    2. You have true 2FA because the phone is "something you have" and it is not available to a remote attacker. Clicking the "Trust this device" when logging into a website so that you don't need to complete 2FA again doesn't mean you no longer have 2FA. It just adds the PC or tablet to the "chain of trust" for your account on that website.
    3. If the password manager and authenticator app are equally secure then storing passwords and TOTP secrets separately using different passwords reduces the risk of compromise. If this set-up is made convenient for the user and doesn't reduce the number of sites where they turn-on 2FA then it should help their overall security.
  • omzazomzaz

    Thank you, that helps.

    Regarding 1 - I assume by remote attacker you’re referring to someone who doesn’t have remote access to my phone but is attacking something else without access to the phone (e.g. online account). Would comment be different if attacker had gained access to my phone (either physical or remote)?

  • @omzaz All of this assumes that the devices have not been compromised by malware, for example, operating system exploits or supply chain attacks.
    2FA is a very powerful way to protect your account on a website's server. However, it doesn't provide any protection against someone with access to your device, either a local attacker with physical access or a remote attacker who has installed malware.
    Someone with access to your device doesn't need to use your website passwords or 2FA. They can steal your session cookies or access tokens and use these to authenticate directly with the websites. This is why we also need to secure our devices with a PIN, passcode, password and/or biometrics, turn on device encryption where it is available, keep our device software up-to-date, use anti-virus software, avoid clicking on links, etc.

  • I like @Blake 's answer! I feel the way 2FA was promoted initially in its ideal way of implementation, people fail to see the inconvenience that it brings. Keeping 2FA in 1password solves that one timeness problem while keeping it secure. If one feels extra adventurous they could activate 2FA of 1password itself with a physical device!

  • ag_tommyag_tommy

    Team Member

    Thanks for sharing iCloud. :chuffed:

  • I feel like it needs to be mentioned here that storing 2FA codes outside 1Password gives you protection against 1Password itself.

    Of course, we trust 1P / Agile Bits enough to hold our password data, but let's say that their end to end encryption has a backdoor in it, or their software deployment chain gets compromised somehow and an attacker manages to put malware in the apps, suddenly the 2FA codes become yet another "something you know" for the attacker.

    Trusting a separate tool or system with your 2FA codes means that in order to compromise your account, both systems would need to be compromised somehow.

    There's definitely a convenience factor in it, but you are absolutely giving up security and placing a a lot of trust in 1Password, and as good as they appear to be (I'm a long time user so don't take this as anything negative toward 1P), the exact workings of 1Password are opaque to customers, and it's likely that they aren't infallible.

  • Is it possible to use a hardware token like the Duo Fob with 1Password?

  • ag_anaag_ana

    Team Member

    @philpalmiero:

    If you are referring to a hardware token to unlock your 1Password account, you can use a Yubikey for that:

    Use your U2F security key as a second factor for your 1Password account

  • I agree with spronkey and others that storing OTP codes inside 1Password is a bad idea. Security is often a tradeoff vs convenience. I use a yubikey to do the OTP rather than 1Password, its much more secure as even with access to the device the OTP secret cannot be extracted and also cannot be used at all without a separate pin and physical touch on the sensor.

  • ag_anaag_ana

    Team Member

    Thank you for sharing your view on this @m4rkw!

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file