1Password as an authenticator: Isn’t this a bad idea?

omzazomzaz
edited May 3 in Memberships

I see I can use 1Password as an authenticator for sites that have two-factor authentication.

I thought the idea with two-factor authentication is to have an authentication factor that’s additional to the standard password.

If I put both the password and additional factor (one-time password) in the same password manager doesn’t it remove the benefit? Isn’t it better to use a separate app for generating the one-time passwords?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • BlakeBlake

    Team Member
    edited May 3

    Short answer: I would recommend keeping your 2FA codes within 1Password. Then focus on keeping your 1Password account secure (i.e. don't share your Master Password with anyone or anything). To that end, if you're feeling fancy, you can enable two-factor authentication on your 1Password account, keeping the convenience of having your 2FA codes autofilled by 1Password and restoring the true two-factorness.

    Slightly longer answer: The most important part of securing your online accounts is using strong, unique passwords for each sites (for which 1Password is perfect). The next most important part is code-based 2FA, which brings two main advantages:

    • "One-timeness" - a password is the same every time you use it, meaning if it's compromised in transit (like if you're on a non-HTTPS site and an unsecured WiFi network), it's useful to a potential attacker until you change it. The one-time passwords of 2FA change every 30 seconds following a pattern only you and your authenticator app know, so a potential attacker intercepting your network traffic now has an extremely limited window of usefulness on the captured information.

    • "Second factor" - If you keep a password for an account on one of your devices, and only sign in to that account on that device, while your 2FA codes are stored on a separate device, you have a true second factor. A potential attacker would need both devices to access your account, hence the two of two-factor authentication.

    TL;DR? Keeping your 2FA codes with your passwords in 1Password removes the true second factor aspect of 2FA. But it retains the one-timeness, which makes the theoretical "weak link" your 1Password vault. Which is a pretty sweet weak link, if you ask me. 😉

    If you're up for a more in-depth read on this particular topic, our very own Head of Security, @jpgoldberg covers this pretty well over on this blog post.

  • omzazomzaz

    Thanks for the detailed response. All that information is very helpful. I appreciate the argument that it may be better to focus entirely on the security of my 1Password account and store one-time passwords within my 1Password account. I suppose the simplicity may outweigh any gains from using a dedicated authenticator app for 2FA with other accounts.

    At the moment I am using a separate authenticator app. I have this installed on my phone but not elsewhere. I also have 1Password installed on my phone. 1Password and the authenticator app using different passwords. They are both setup for biometric login.

    To help further my understanding, could you please comment on my statements below. Are they valid?

    1. From the perspective of accessing accounts from my phone I don't have true 2FA (because both 1Password and my authenticator app are installed on my phone).

    2. From the perspective of accessing accounts from my other devices (e.g. PCs and tablet on which I have 1Password installed) I do have true 2FA (because the authenticator app is not installed on these devices).

    3. Although I don't have true 2FA on my phone there is marginal gain from using a dedicated authenticator app because it is protected by a different password to my 1Password account.

    Thanks

  • @omzaz Two factor authentication is often referred to as "something you know" and "something you have". We get hung up on the second part, but it is not essential to getting the security benefit of a TOTP-based authenticator app, as jpgoldberg points out in the following discussion:

    https://1password.community/discussion/101714

    I think it more useful to think of 2FA as building a chain of trusted devices. You use a device under your control to tell a website that it can trust a new device, that device gets added to the chain and you agree to keep it under your control. This protects your account from the vast majority of devices on the internet which are not part of this chain of trust. Taking your questions in turn:

    1. You have true 2FA because the phone is "something you have" and it is not available to a remote attacker. Using it to store your password doesn't change the fact that it is a device under your control and doesn't make it available to a remote attacker.
    2. You have true 2FA because the phone is "something you have" and it is not available to a remote attacker. Clicking the "Trust this device" when logging into a website so that you don't need to complete 2FA again doesn't mean you no longer have 2FA. It just adds the PC or tablet to the "chain of trust" for your account on that website.
    3. If the password manager and authenticator app are equally secure then storing passwords and TOTP secrets separately using different passwords reduces the risk of compromise. If this set-up is made convenient for the user and doesn't reduce the number of sites where they turn-on 2FA then it should help their overall security.
  • omzazomzaz

    Thank you, that helps.

    Regarding 1 - I assume by remote attacker you’re referring to someone who doesn’t have remote access to my phone but is attacking something else without access to the phone (e.g. online account). Would comment be different if attacker had gained access to my phone (either physical or remote)?

  • @omzaz All of this assumes that the devices have not been compromised by malware, for example, operating system exploits or supply chain attacks.
    2FA is a very powerful way to protect your account on a website's server. However, it doesn't provide any protection against someone with access to your device, either a local attacker with physical access or a remote attacker who has installed malware.
    Someone with access to your device doesn't need to use your website passwords or 2FA. They can steal your session cookies or access tokens and use these to authenticate directly with the websites. This is why we also need to secure our devices with a PIN, passcode, password and/or biometrics, turn on device encryption where it is available, keep our device software up-to-date, use anti-virus software, avoid clicking on links, etc.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file