Community and 1Password Product Team -
Could you reply to confirm you would like the more secure feature option of 2FA per session rather than just per device?
2FA (Two-factor Authentication) per session means prompting for the 2FA (Authenticator code or Hardware Security Key) every time the Master Password is prompted. Currently 1Password only offers Per Device, which means that once you've entered your 2FA on that device, as far as I can tell, it is trusted forever. This does not protect against or slow down many types of attacks.
Having 2FA for the session is much more secure, and it should be an option that paying 1Password users are able to set.
Having 2FA any time a password is prefilled on the device (Session 2FA rather than just Device 2FA) would mean the difference between minutes versus hours in account compromise.
A malicious attacker who obtains the mobile device or computer session by stealing login credentials/PIN, impersonating biometrics, or stepping into an open session when the user walks away would be able to instantly prefill passwords to log in to sites when knowing the 1Password master password. However, with 2FA per session rather than per device, the malicious person would be blocked for a much longer time and would have to execute a 1Password downloaded database decryption attack, which would just take longer than browser prefill. It doesn't matter that the 2FA is not used to decrypt the database; the point of the 2FA is to slow down the malicious attacker from getting the login credentials to protected sites any faster after they have stolen the user's device.
I disagree that 2FA per session would be cumbersome at all. A 2FA key held behind a mobile phone is much faster and easier for users even than entering a master password, so 2FA per session would be something easy that I would very much welcome as an additional control against malicious persons who may get into my device.
The whole point of using a different password manager such as 1Password, rather than the mobile phone's default password manager/keychain, is to make the malicious attack harder (and slower) by providing additional factors beyond just the default password manager. Session 2FA would provide another factor to slow down attackers.
I'm very disappointed that 1Password has not provided the ability for users to set their security to hardened standards that require 2FA per session. I hope the product managers will listen to the customer user community and respond by providing an option to enable 2FA per session rather than just per device.
I've seen other threads on this topic, but it appears the responders are not understanding or acknowledging the superiority of 2FA per session every time one is prompted for the 1Password master password. There are huge advantages in slowing down attackers to give users more time to change compromised passwords. Please do not ignore the community's request for better security with 2FA per session rather than only per device.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided