Why is 2FA on my 1Password account not required when using Smart Switch/moving to new phone?

rocklime
Community Member

I have a security key set up for 2FA on my 1Password account (authorising new devices etc.) and it has been performing as expected up until now. For each new computer or device I've wanted to use 1Password on, it has required me to also provide my Yubikey or Yubico Auth OTP.

However, I recently bought a new phone and used Samsung's Smart Switch to transfer data and settings from the old to the new phone. I was surprised that neither 1Password (nor Google) required me to use the Yubikey (Google account has the Advanced Protection Program) that I had set up for them.

I was hoping someone could explain to me why this is. Is it because I've essentially transferred something that treats the new phone as the old one?

The reason I'm concerned is that I see mobile device theft as one of the most common ways of getting a copy of my vault, and with biometric unlocking someone could open the app too. Whilst I was still asked to enter my master password on the new device, the absence of the 2FA requirement made me concerned about the possibility that someone might be able to unlock my phone and transfer my account etc.

Very grateful for any comments or thoughts that the community may have on this and please do correct me if I have misunderstood how this should be behaving. I'd also be grateful for any tips on how to improve my security in this respect. Many thanks.


1Password Version: 7.7.7
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Hi @rocklime:

    What you're seeing with Smart Switch is similar to how iCloud Backups work for 1Password for iOS as well.

    In short - we create a unique identifier when running 1Password for Android for the first time and we store that unique identifier on the device. Any transfer tool that copies the app along with its data is going to copy that unique identifier as well. Since 1Password on your new device sees an existing device identifier, it won't generate a new one. Because the server sees the same device identifier, it doesn't force 2FA authorization.

    I hope this helps clarify why you saw this behavior.

    Cheers!
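The device-identifier behaviour described in the reply above, as an added simulation that is not 1Password's code: the app generates an identifier on first run and persists it with its data, a transfer tool copies that data verbatim, and the server only enforces the second factor for identifiers it has never authorized. Class and function names, the use of a UUID, and the account name are assumptions for illustration.

```python
import uuid


class AppStorage:
    """Per-device app data; a transfer tool copies this verbatim (constructed)."""
    def __init__(self):
        self.data = {}


class Server:
    """Hypothetical server keeping authorized device ids and an audit trail."""
    def __init__(self):
        self.authorized = {}   # account -> set of device identifiers
        self.events = []       # what a defender would review in the device list

    def sign_in(self, account, device_id, second_factor_ok):
        known = self.authorized.setdefault(account, set())
        if device_id in known:
            self.events.append(("signin_known_device", account, device_id))
            return "signed_in"
        # Unknown identifier: the second factor is required before trusting it.
        if not second_factor_ok:
            self.events.append(("2fa_required", account, device_id))
            return "2fa_required"
        known.add(device_id)
        self.events.append(("new_device_authorized", account, device_id))
        return "signed_in"


def first_run(storage):
    """Generate the identifier once; later runs reuse whatever is stored."""
    if "device_id" not in storage.data:
        storage.data["device_id"] = str(uuid.uuid4())  # assumed format
    return storage.data["device_id"]


def smart_switch(old, new):
    """Model of a transfer tool: the app data, identifier included, is cloned."""
    new.data = dict(old.data)


def scenario():
    server, old = Server(), AppStorage()
    old_id = first_run(old)
    first = server.sign_in("alice", old_id, second_factor_ok=False)   # 2fa_required
    server.sign_in("alice", old_id, second_factor_ok=True)           # now authorized
    fresh = AppStorage()                                             # genuinely new phone
    fresh_result = server.sign_in("alice", first_run(fresh), False)  # 2fa_required
    cloned = AppStorage()                                            # phone set up via transfer
    smart_switch(old, cloned)
    cloned_result = server.sign_in("alice", first_run(cloned), False)  # signed_in, no 2FA
    return first, fresh_result, cloned_result, server.events
```

Note that the cloned phone never produces a "new_device_authorized" event, so the authorized-device list on the account would still show only one entry; reviewing that list (and deauthorizing the old phone after a transfer) is the check this behaviour calls for.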

  • rocklime
    Community Member

    Hi @jack.platten,

    Thanks very much for your reply, this does explain the behaviour and at least I don't have to worry that I've set up something incorrectly.

    Many thanks :)

  • ag_ana
    1Password Alumni

    On behalf of Jack, you are welcome @rocklime! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

This discussion has been closed.