Best practice on 2FA

edited May 4 in Lounge

Hi,

I was wondering what the best practice view on 2FA is? Right now, I only use 2FA on a few websites, say for financials. My view right now is that since the password generator makes the passwords for me (I always use random and the max limit), that is in a way 2FA, as only the password generator made the password, and then I erase it after saving. 2FA with a phone number has just never seemed super secure to me, even though it's used so much. It seems impossible for someone to ever know the password without getting it from the info in 1Password. Would you agree? What are everyone's opinions on 2FA?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • ag_ana

    Team Member

    Hi @tomatoshadow2!

    It seems impossible for someone to ever know the password without getting it from the info in 1Password.

    2FA is important for your online accounts, even if you use secure passwords. There are unfortunately regular breaches of websites online, so your credentials can be exposed even if they are not taken out of 1Password. Should that happen, of course you should change your passwords, but 2FA would give you an additional layer of protection.

    As 2FA with a phone number, just has never seemed super secure to me, even though it's used so much.

    2FA with a phone number is not secure, but 2FA with an authenticator app is a different matter, it's more secure :+1:

  • @tomatoshadow2 The security threat is continuously evolving and, as @ag_ana says, websites are regularly being breached. So I always use the strongest 2FA that is available.
    If SMS text is the only option then I use that, as long as the website doesn't allow password reset by SMS text. If an authenticator app is an option then I use that and remove my phone number. If YubiKeys are supported then I use them and keep the authenticator app as a backup.

  • edited May 4

    @ag_ana Yes, good point, it's always the worry with a website. Yes, that's been another thing: even with a strong generated password, websites still send out reminders about regular changing. I don't understand that, as I know from many of you at 1Password that's not really a best practice anymore, but companies still enforce it haha. Right, it's a shame some 2FA apps have little acceptance; to me it shouldn't matter which 2FA app, it should just work.

    @missingbits Right, that's what's frustrating, not all websites offer it, I can name a few popular ones that don't and that's just mind blowing to me in today's age. Good on removing your phone number where it's not needed. You see so many people give away their phone number to services, without knowing what it's going to be used for. For me also, I guess when the info is out there from a breach, it's practically impossible to clean it up.

  • ag_ana

    Team Member

    @tomatoshadow2:

    I don't understand that, as I know from many of you at 1Password, that's not really a best practice anymore, but companies still enforce it haha.

    When it comes to passwords, my experience is that it takes a while for websites and standards to update based on best practices I am afraid. As an example, just look at how many websites have weird password requirements which do not improve security at all. Password changes is another example, as you said.

  • @ag_ana Right, I bet for you there are so many times where you just shake your head at what practices websites use. Yes, for example Bank A only lets you have an eight character password, Bank B lets you have a max of a 40 character one, wth haha. Yes, by using 1Password and having all my passwords randomly generated for me, I've never understood the mandatory change; I imagine it's more for the people who are missing out on the great benefits of 1Password and/or a password manager in general.

  • ag_ana

    Team Member
    edited May 10

    @tomatoshadow2:

    I imagine more for the people, who are missing out on the great benefits of 1Password and or a password manager in general.

    That would be part of it for sure. If you create passwords manually, it's possible that those are not very good. But if you start with a long random password right away, it really doesn't make a lot of sense to keep changing them with other long random passwords, unless you know they have been compromised somehow, so they really need to be changed.

  • @ag_ana Yes this is a great point, I think especially when people are missing out on 1Password, they get lazy creating passwords, so I think having to be prompted to change them so much, will make people only edit them a bit so they can remember.

  • ag_ana

    Team Member

    will make people only edit them a bit so they can remember.

    Exactly this @tomatoshadow2 :+1:
