With what platforms is 1Pasword 2-step verification compatible

At least one site indicated that the only Authenticator that was compatible was the Google Authenticator. Hence, as I understand it, the Google Authenticator and the Microsoft Authenticator are not compatible and probably generate different passwords after scanning the same QR-code.

How do I know if the 1Password feature (single use password) is compatible with the specific site/server requesting the 2-step verification?

Is it sufficient that after scanning the QR-code, the generated single use password is filled in and checked?

For instance, I have a NAS and I can switch on 2-step verification. This NAS says both the Microsoft Authenticator and one from Google can be used. But it doesn't say the 1Password function can be used.
How sure are we that it will work compared to the Microsoft Authenticator or the Google Authenticator? If I am changing the Administrator account to require this and I would get locked out because after some time there is a difference...


1Password Version: 7.8.6
Extension Version: Not Provided
OS Version: OS X 11.4
Sync Type: AgileBits

Comments

  • ag_tommyag_tommy

    Team Member

    @HalfBekend

    Google and Microsoft are examples in all likely hood. You would need to determine if the NAS is using a time based protocol or something proprietary. If the protocol is Time based, then 1Password can save and fill the TOTP.

    1Password Support - Use 1Password as an authenticator for sites with two-factor authentication

    Personally, I always save a copy of the QR code that is shown during TOTP setup, within 1Password, so that if I ever need to regenerate it again I can.

    The principal reason a 2FA code doesn't work is that your computer's time is slightly off. 2FA codes are generated by your device using the current time, and they change about every thirty seconds. If your computer clock drifts/differs from the server, a wrong code will be generated. Another way to put it is with the clocks on your computer, and the server differs, and a mismatch in the 2FA codes occurs, resulting in an inability to log in.

    In such a situation I would check and make sure the time is set correctly on your device. Does it automatically update itself? If not, try enabling automatic updating. I like to use https://time.is to check my device time. Nowadays, most all devices set their time automatically. However, hiccups still happen. I have had to toggle my "Set time automatically" settings from On > Off > On. Also, giving your device a restart may help alleviate any transient issues.

  • @HalfBekend Microsoft Authenticator supports two different types of 2 step verification with two different types of QR code.
    Microsoft services will encourage you to use their proprietary system that supports push notifications and requires a different shared secret for each device. This is enabled by a custom QR code format that cannot be read by Google Authenticator or 1Password.
    But it also supports the industry standard OATH Time-based One Time Passcode protocol that is based on hashing a single shared secret with the current time. If a particular service claims to support Google Authenticator then this is the system that is being used and you can be confident that 1Password will be able to read the QR code.
    If for whatever reason it cannot read the QR code, you will not be able to provide the 6 digit passcode to the website and 2 step verification will not be enabled.

  • Thanks for both comments.
    So using 1Password would not suffice to let the host asking for the 2 step verification that it is one and the same password?
    Not sure if 1Password can scan multiple QR-codes in 1 record and generate 6 digit passcodes for each of them.

    By the way: 1Password being able to generate the right passcodes based on the QR-code would mean that Google and Microsoft have shared the algorithm. Probably this was necessary because the receiving side has to generate it as well to see if the passcode I would enter is correct, correct?

  • @HlafBekend I'm not sure I understand your first question. Are you asking whether 1Password supports passwordless login via push notification? If so, the answer is no.
    When 1Password scans a 2FA QR code the details are stored in the same login item as the related username and password. So when you tell 1Password to autofill the login details, it also fills the 6 digit passcode.
    All websites that support Google Authenticator use the same industry standard algorithm to hash the shared secret with the current time and generate the 6 digit passcode. Only the secret contained in the QR code needs to be kept confidential.

  • Dave_1PDave_1P

    Team Member

    @rootzero is correct, the QR code itself contains the secret. The TOTP standard (the "algorithm") is public and used by many different authenticator apps.

    @HalfBekend Let us know if @rootzero's reply answers your questions or if there is something that is still unclear. :)

  • Context: Currently I use Google Authenticator, Microsoft Authenticator and 1Password for generating 6 digit passcodes.

    That was one of the 3 answers I was looking for.
    I conclude that 1Password is completely compatible with Google Authenticator, which is what many sites and also my NAS requires. So I can abolish Google Authenticator... Less apps is simplification and 1Password nicely fills everything in. Left with 2 apps.

    Question 2: As I understand it, Microsoft Authenticator supports 2 different ways for 2-step verification, way A and way B.
    Is way A the same as the Google authenticator (so not similar to but exactly the same), with the same algorithm? This is just out of curiosity because of the answer to question 1.

    Question 3: Is way B, which requires a different secret key for each device which you use to log in, compatible with 1Password by simply storing 1 secret key in 1Password and then generating the 6 digit passcode for any device you use to log in? Or does it somehow actually check the device somehow?
    If not, is there another way to only use 1Password even for way 2 verification?

  • 1Password does TOTP. If an app / site uses a different standard 1Password cannot do that with the current features available.

  • Dave_1PDave_1P

    Team Member

    @HalfBekend

    You are correct that any two-factor authentication code that you are storing in Google Authenticator you can now store in 1Password.

    If you're storing TOTP two-factor authentication code in Microsoft Authenticator then you can store those in 1Password instead. I am aware that Microsoft Authenticator also has a feature that allows you login to your Microsoft account without needing your password: this feature you will not be able to duplicate using 1Password because it is proprietary so you'll need to keep using Microsoft Authenticator for that.

    Let me know if that helps. 🙂

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file