1Password's View of 2FA in a multi-device world.

My family has 2 computers, 2 iPads, and 2 iPhones. My 1Password account handles the 136 logins very effectively. Google has announced that it will soon activate 2SV (their terminology), which sends a message to an iPhone to verify login to all Google accounts: a straightforward 2FA process in a one-computer, one-device world. I don't live in such a world. Most of my senior friends find the prospect of the new, more complicated login procedure daunting. Designing a personal process in my world is further complicated by the fact that there are several different 2FA models employed by my 136 different vendors.

Installing 1Password allowed me to create complex, unique passwords for each of my vendors while simultaneously reducing my login keystrokes by a large percentage every day. It was a good trade-off. The change I see now is a move toward adding back daily login keystrokes I worked hard to remove while simultaneously doubling the number of devices needed to use a computer from one to two.

I look to 1Password as my expert in the field of personal account credential security. Have you written a position paper with your recommendations regarding how your customers like me should plan for and execute the migrations from the account/password model of identification to the newer account/password/(multi-model 2FA/multi-model PIN) world? If you have not, will you?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:2fa

Comments

  • ag_ana

    Team Member

    Hi @dgraves!

    I am not a Google expert, but I believe you can receive these notifications on multiple devices if you wish (or at least choose which one you want to receive it to). In any case, since this only appears to impact Google, I don't believe we had plans to write a position paper, but it is certainly an interesting idea to consider, maybe as an additional blog post.

    Multi-Factor Authentication in 1Password - 1Password Blog

    In the meantime, if you prefer to use a more typical 2FA experience, you can use 1Password for that too (including for Google logins):

    Use 1Password as an authenticator for sites with two-factor authentication

  • Hi. I wrote a response to this message on my iPad. However, when I tried to send it my iPad froze. Did you receive a message from me, or do I need to re-write it?

  • ag_ana

    Team Member

    @dgraves:

    I have checked our spam queue to make sure it did not end up there, and I cannot see a message from you. Unfortunately it looks like your iPad froze at a bad moment, so you would have to type it again :(

  • Thank you for looking for the previous message, I spent a lot of time on it. However, here is the replacement message (Computer based rather than iPad.)

    My view of the movement to require 2FA is different from yours. In the past three months, out of my 139 logins, two of my healthcare accounts have activated required 2FA, both using vendor push SMS/automated phone call of a required code that must be copied from a mobile phone into a computer. The difference for Google is that they support a one-button reply to the SMS message as the 2FA rather than a copy of a code into the computer. Of my accounts, only 1Password and Microsoft support end-user (me) generation of the code using either an authenticator app or a security key. For those, I use my Yubikey. I think the ratio of end-user-generated codes that I now have (2/139) is about right when you look at 2fa.org. Most finance listings and most healthcare listings work that way. I don't expect them to change methodology when they move from optional to the required use of 2FA. There is a lot of pressure to move to required 2FA.

    I also have two other experiences that I share for your use. I am a professional (retired) in the design of back-office processes including security. I purchase high-end disposable diabetic supplies from a diabetic pharmacy; let's give it the fictitious name "SensorCorp". I think that SensorCorp's diabetic customer base has a higher age distribution than the general population.
    SensorCorp modified their web-access process to require 2FA SMS/Autophone push of a code for rekeying into a computer. Immediately after the changes, it became very difficult to contact them, system response slowed down and the company was unable to resolve what heretofore had been normal business matters. I called and got through to the Web support techs. They told me that the average wait time to get to a tech had increased from 2 minutes to 30 minutes. Techs had been put on a 16-hour, six-day-a-week schedule to deal with the login issues. I was unable to get the average call length or the call abandon rate. After sixty days, SensorCorp removed the 2FA requirement. Thirty days later, SensorCorp reinstalled the 2FA requirement with redesigned login pages that attempted to explain the process in more detail. I do not know what happened; I have moved my business to a different diabetic pharmacy. SensorCorp is a subsidiary of a major corporation, but a diabetic pharmacy is a small business compared to Google.

    My personal digital array is 2 computers, two iPhones, and 2 iPads. As I said, I have 139 logins. After learning of Google's plan, I logged onto their site. I could not locate any documentation of the 2FA process that provides information allowing me to create a simple process to handle 2FA. My profile has only one mobile number which I assume is the one that will receive the messages. Google does not have phone or chat login support. They rely on customers researching the process sufficiently to figure out how to use it.

    Everybody has a tech-advisor friend. For my group of retiree types, I am that person. A large percentage of my buddies do not have the technical skills to adapt to the new world of vendor push 2FA to a phone. Further, my friends in underserved communities have one phone and one computer per family. Proximity of one to the other is not guaranteed.

    I agree with the decision to migrate to a more secure world than account/password can provide. However, I see a rocky migration with many problems. That is why I am coming to 1Password for assistance through the change. When account/password management was required, you stepped up with a well-designed and executed solution. The number of companies offering password managers is expanding. My expectation is that the one that provides the best 2FA capabilities to its base solution will be the most successful. I hope we can work together to create it.

    David

  • ag_ana

    Team Member

    @dgraves:

    Thank you for your thoughts!

    After learning of Google's plan, I logged onto their site. I could not locate any documentation of the 2FA process that provides information allowing me to create a simple process to handle 2FA.

    Perhaps this might help:

    Google 2-Step Verification - google.com

  • Thank you for the Google information. As usual, the media stories reporting Google's plan were simplistic and inaccurate because of the details that were omitted. My reading of the documentation is that Google supports SMS/Autocall push of 2FA codes, end-user generated authentication (see Authenticator), security keys, and trusted device registration. I think that I can work out processes for Google using those technologies. Microsoft provides the same support. (I use it.)

    I am still concerned about the myriads of companies that only support SMS/Autocall push. (See SensorCorp above.) I have 137 in that situation.

    Thinking about it, 1Password has software with common coding on all of my devices. I suggest creating a trusted device mimic. Using 1Password, trap the SMS message with the code, push it through the 1Password communications to 1Password on the computer. On the Webpage waiting for the code, load the code and send it to the vendor. From the vendor's point of view, it works like push 2FA; from the user's, it works like 1Password, but only in the event of a trusted device. The technology automates the process to move the code from a mobile device to a computer. SensorCorp et al. should be copacetic.

    All the best,

    David

  • XIII

    While the user experience might be better the weakest link remains: SMS.

  • brenty

    1Password Alumni

    Indeed, and it really depends on the context as far as whether or not it's a better experience. I don't think it would be a good idea to do what's being suggested here, as anything that goes wrong with it -- up to and including Google changing things again in such a way that breaks whatever hacks we might use to fit into their system, which is not open to 3rd party developers -- could result in people getting locked out of their accounts. That's really anathema to 1Password.
