Feature Request - 2FA on known devices and system auto-timeout
Long-time LastPass user becoming familiar with 1Password's feature set, authentication, and encryption. It would be great to have the option to enable 2FA each time the Master Password is required to unlock the vault on existing pre-authenticated devices (previously logged in with the Master Password and Secret Key unlocking the data). This simply adds another layer of security to user authentication when unlocking the vault on an already known device. If the Master PW were to become compromised (for whatever reason: shared, credential theft, etc.), the 2FA would still be needed to authenticate and would afford another layer of security on a known device once the user logs out of 1Password. Financial institutions allow this as an option; I would think access to a password vault would allow even more security regarding authentication.
The above feature, in conjunction with a true auto-timeout option, would be a great security addition to the existing inactivity auto-timeout feature. Unfortunately, setting the existing inactivity auto-timeout to 1 minute as a work-around, as has been suggested in other posts, does not solve the concern. With the existing inactivity auto-timeout set to 1 minute a user can work for several hours without auto-lock occurring. If a user were able to select, say, 10 minutes with a true auto-lock feature, then they would know that, regardless of how busy or distracted they are, or simply forgetting to log out of 1Password, they WILL be logged out after the initial 10 minutes regardless of their activity level. The use case is a computer that is used by more than one person during a single session, is being remotely accessed by others including IT support staff, and relies on a human to log out. Maybe simply peace of mind.
Great product, please keep these additional layered security features in mind.
1Password Version: 7.6.797
Extension Version: 1.24.2
OS Version: Windows 10 20H2
Sync Type: Not Provided
Referrer: forum-search:request a feature
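As an added illustration of the difference the post describes between an inactivity timer and a fixed "true" timer, here is a small simulation written for this page (it is not 1Password's own lock logic; the timeout values and the activity traces are constructed for the example). It models both policies over the same stream of user activity and reports when each would lock the vault.

```python
"""Idle-timeout vs absolute-timeout lock policy simulation.

Added example for this thread, not 1Password's code. The policy values and
the activity traces below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class LockPolicy:
    # Seconds of inactivity after which the vault locks (None = disabled).
    idle_timeout: Optional[float]
    # Seconds after unlock at which the vault locks regardless of activity
    # (None = disabled). This is the "true auto-lock" the post asks for.
    absolute_timeout: Optional[float]


def idle_lock_time(idle_timeout: Optional[float], unlock_at: float,
                   activity_times: Iterable[float]) -> Optional[float]:
    """Time at which an inactivity timer fires, or None if it is disabled.

    Every activity event restarts the idle timer, so as long as the gap
    between consecutive events stays within idle_timeout the vault never locks.
    """
    if idle_timeout is None:
        return None
    last = unlock_at
    for t in sorted(activity_times):
        if t - last > idle_timeout:
            return last + idle_timeout  # the gap before this event was too long
        last = t
    return last + idle_timeout  # locks only once activity finally stops


def first_lock_time(policy: LockPolicy, unlock_at: float,
                    activity_times: Iterable[float], horizon: float) -> Optional[float]:
    """Earliest lock time within [unlock_at, horizon], or None if still unlocked.

    The absolute deadline never consults the activity trace, which is exactly
    why it bounds the exposure window even on a machine that is never idle.
    """
    candidates: List[float] = []
    idle = idle_lock_time(policy.idle_timeout, unlock_at, activity_times)
    if idle is not None:
        candidates.append(idle)
    if policy.absolute_timeout is not None:
        candidates.append(unlock_at + policy.absolute_timeout)
    in_window = [c for c in candidates if c <= horizon]
    return min(in_window) if in_window else None


def busy_trace(duration: int, period: int = 30) -> List[int]:
    """Constructed trace: a keystroke or click every `period` s for `duration` s."""
    return list(range(period, duration + 1, period))


def simulate() -> Dict[str, Optional[float]]:
    """Run the scenarios from the post and return the lock time for each."""
    three_hours = 3 * 60 * 60
    unlock_at = 0
    idle_only = LockPolicy(idle_timeout=60, absolute_timeout=None)
    with_hard_limit = LockPolicy(idle_timeout=60, absolute_timeout=600)

    continuous = busy_trace(three_hours)  # the "busy for hours" case
    steps_away = busy_trace(300)          # active five minutes, then walks off

    return {
        "idle_only_busy_user": first_lock_time(idle_only, unlock_at, continuous, three_hours),
        "hard_limit_busy_user": first_lock_time(with_hard_limit, unlock_at, continuous, three_hours),
        "idle_only_steps_away": first_lock_time(idle_only, unlock_at, steps_away, three_hours),
        "hard_limit_steps_away": first_lock_time(with_hard_limit, unlock_at, steps_away, three_hours),
    }


if __name__ == "__main__":
    for scenario, lock_at in simulate().items():
        status = "never locks" if lock_at is None else f"locks at {lock_at:.0f}s"
        print(f"{scenario:24s} -> {status}")
```

With a 1-minute inactivity timer alone, the continuously active user is never locked out in three hours; adding a 10-minute absolute deadline locks at 600 s no matter how busy the user is, while the user who steps away is still locked by the idle timer at 360 s under either policy.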
Comments
-
@je221 I used LastPass for many years and was happy with it until I started to look into the security model and decided to move to 1Password. I think this is one area where other password managers are playing security theatre. 2FA is a great way to protect your account on a server exposed to the internet, but it doesn't add anything to the security of your data on your device.
If a local attacker has physical access to your device or a remote attacker has installed malware, then no app running on that device can secure your data. An attacker who knows your master password can copy your password database and secret key to a device they control and use their own decryption software to open it. They don't need to use the 1Password app, so adding 2FA to the 1Password app will just inconvenience the legitimate user.
If you are concerned about the security of your 1Password data on a trusted device then be sure to choose a strong master password and look at improving device security. For example, separate user accounts for all users with strong passwords, automatic log-out when leaving device unattended, storage encryption where available, etc.
-
As @missingbits wrote, 2FA is great for authentication when connecting to a remote server, but it adds no security or value at all if you are trying to access data on your local device, as the data is already found on that device and can be compromised without having to go through the original app's main window to get to the data.
I think the main issue you are concerned about here is that 1Password doesn't lock for as long as you use your device, which is true. I personally utilize a keyboard shortcut to lock it. I set CTRL+SHIFT+L in the browser extension's settings to lock the extension and made it a global shortcut so that it would lock even if I'm not currently in an active browser window. That locks the extension on the spot, and when I want to lock it, for example, when I get up from the computer for a moment, I'd press CTRL+SHIFT+L to lock 1Password, then Windows key + L to lock Windows.
This is a workflow that I've gotten very used to and is quite natural for me at this point, but I'll definitely forward your feedback here regarding a "true lock timer" that will lock up even if the computer is not idle during that time.
-
Thanks for a bit more clarity @missingbits, I was thinking of the authentication process of when my password database syncs with the 1Password server to update. But at that point the server recognizes my password and the existence of my secret key on that device, if not it would ask for the secret key as it does on a new device since the master password and secret key are both needed to decrypt the password database. So bottom line is (as you stated) if the password is known (for whatever reason), the attacker can simply carve out the secret key and password database on that device and decrypt it with their own tools. Makes sense, thanks again!
Thanks @ag_yaron for the shortcut suggestion, I see it is already set that way as default in the browser extension.
-
That's great :chuffed: :+1: