Suggested 2FA support improvements
Hi
First off, I'm really enjoying the app - it's working well for me so far. I have a few suggestions that would be the icing on the cake for the 1Password experience for me, and hope that they're not too contentious and that you'll consider adding them...
My set up is to have a primary account and separate a guest account for "work" that has access to a Work password vault. I use two Yubikeys used as security keys where possible, otherwise all other 2FA is done using the Yubikey 2FA app.
I take the 2FA outside of 1Pwd not for trust reasons, but to avoid the "all your eggs in 1 basket" scenario. I love the convenience of 1Pwd filling in the forms and having everything in one place, but would like to protect myself as much as possible against someone gaining access to my 1Pwd account and getting straight into my online accounts..
Here are the suggestions; apologies if my terminology isn't exactly correct, but I hope you'll understand what I'm trying to say:
In the 2FA token (from the 3d code) received from 1Password, the username is always the same (my.1password.com), but the tokens are stored using the token username as the identifier. This is the same across all 2FA apps that I have used (Authy, Microsoft Authenticator, Yubikey authenticator) and means that we can't have multiple 1Password accounts registered to the same 2FA key / app because previously registered entries are overwritten. Can the username part of the token include the a unique identifier (e.g. the 1Password username), in the same way that MIcrosoft, Google and most other providers do?
In Watchtower there is a "Two Factor Authentication" section that highlights logins that support 2FA but don't have the TOTP tokens registered in 1Password. Can you add a flag to indicate that 2FA is enabled outside of 1Pwd? I would like to be able to see which accounts support 2FA but don't have it configured, and which have - but with support for 2FA outside of 1Pwd.
I have multiple Yubikeys registered in 1Password. It would be nice not to have to have an app configured in the 1Password 2FA setup when I have multiple security keys registered. I understand from previous posts that this is to support some older versions / integrations, but would be happy with a prompt along the lines of "If you remove the 2FA App it may break versions before x.y.z - do you want to continue?", particularly as it can be added back in again later if needed.
Finally, related to suggestion 2, some providers don't have 2FA app support, but have implemented a 2FA using mobile text or email. It would be nice if these could appear in the watchtower list to prompt users to set up the additional security, even though it isn't as secure as using an authenticator / security key.
Many thanks,
David
1Password Version: 7.7.810
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Not Provided
Comments
-
Hi @daveclayton!
Thank you for the feedback!
In the 2FA token (from the 3d code) received from 1Password, the username is always the same (my.1password.com), but the tokens are stored using the token username as the identifier.
Can you please clarify what you mean with "3d code"?
In Watchtower there is a "Two Factor Authentication" section that highlights logins that support 2FA but don't have the TOTP tokens registered in 1Password. Can you add a flag to indicate that 2FA is enabled outside of 1Pwd?
Yes, for this you can add the 2fa tag to those items, and 1Password will hide that warning ;)
I have multiple Yubikeys registered in 1Password. It would be nice not to have to have an app configured in the 1Password 2FA setup when I have multiple security keys registered. I understand from previous posts that this is to support some older versions / integrations, but would be happy with a prompt along the lines of "If you remove the 2FA App it may break versions before x.y.z - do you want to continue?", particularly as it can be added back in again later if needed.
Indeed, the reason is that some 1Password clients still do not support Yubikeys, so if you remove the authenticator app, you would not be able to use 1Password on some of your devices at all. In other words, it's not just a matter of using older versions of the 1Password apps, but that you would not be able to use 1Password on certain platforms at all.
Finally, related to suggestion 2, some providers don't have 2FA app support, but have implemented a 2FA using mobile text or email. It would be nice if these could appear in the watchtower list to prompt users to set up the additional security, even though it isn't as secure as using an authenticator / security key.
1Password looks at 2fa.directory to understand which websites support a soft token (which are also the ones that 1Password supports), so for now that's where Watchtower focuses. I am not sure if we can add some manual warnings as well at this point in time, but we can certainly keep an eye out for similar requests for the future :)
0