Is 2fa needed on 1password?
I am just getting started with 1PW and am confused by some of the entries here regarding 2fa. Most password managers advise using 2fa with an authenticator app or key device for every session with your password manager for extra layer of security. However, some of the comments here seem to imply that it is not really needed with 1PW.
1. Is there really a need for 2fa on 1password?
2. If one uses a key device for authentification, what happens if you loose the device?
3. If 2fa is used with 1PW, is it set up to necessitate authentification each time it is opened from a previously closed or locked state?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Comments
-
@sl91911 1Password is different to other password managers because the secret key and secure remote password protocol protect you from a lot of the attacks that 2FA helps prevent. However, it is still useful.
1. Yes. 2FA protects against the case where an attacker knows your master password and secret key, but doesn't have a copy of your 1Password database.
2. If you want to use a hardware security key for 2FA then you will first need to setup an authenticator app because not all platforms support security keys. The authenticator app can act as your backup if you lose your key. Alternatively set-up multiple security keys and store them separately. As a fall-back you can disable 2FA from any previously authorised 1Password app.
3. No. 2FA is only required to authorise download of the 1Password database to a new device. Install the desktop app and the lock state will be synchronised between the desktop app and all instances of the browser extension.0 -
In addition to what roozero wrote, you might also find this documentation page useful:
Authentication and encryption in the 1Password security model
0 -
Thank you very much for the great reply. Tell me if I understand this correctly? Also, which Yubikey do you recommend?
1. I do not need 2fa every time I open a 1PW session (I understand your reasoning).
2. I only need 2fa when installing 1PW on another device and until then 2fa not needed.
3. I use Win 10 desktop and have iphone. Therefore, for installation of 1PW on another desktop I could use Yubikey and/or authenticator like Authy on iPhone. 1PW 2fa set up will allow setup for both types of authentication and if I loose the key I could use the authenticator on phone or another Yubikey if registered with 1PW during 2fa setup.0 -
@sl91911 Yes, you've captured all that correctly. The desktop app doesn't yet support security keys, so you will need the authenticator app to set-up the desktop app on a new PC.
The choice of YubiKey mainly comes down to the physical connection and the protocols it supports. Most websites only support U2F and FIDO2 which are supported by all of the YubiKeys. But if you want to store your TOTP 2FA secrets in your YubiKey using Yubico Authenticator then you'll need something like YubiKey 5 NFC.0