Please Provide Two-Factor Authentication (2FA) Per Session rather than only Per Device

Community and 1Password Product Team -

Could you reply to confirm you would like the more secure feature option of 2FA per session rather than just per device?

2FA (Two-factor Authentication) per session means prompting for the 2FA (Authenticator code or Hardware Security Key) every time the Master Password is prompted. Currently 1Password only offers Per Device which means that once you've entered your 2FA on that device, as far as I can tell, it is trusted forever. This does not protect against or slow down many types of attacks.

Having 2FA for the session is much more secure and it should be an option for 1Password that paying users for 1Password should be able to set.

Having 2FA for anytime a password is prefilled on the device (Session 2FA rather than just Device 2FA) would mean the difference between minutes versus hours in account compromise.

A malicious attacker who obtains the mobile device or computer session by stealing login credentials/pin or impersonating biometrics or stepping into an open session when user walks away would be able to instantly prefill passwords to login to sites when knowing the 1Password master password. However, with 2FA per session rather than per device the malicious person would be blocked for a much longer time to execute a 1Password downloaded database decryption attack which would just take longer than browser prefill. It doesn't matter that the 2FA is not used to decrypt the database, the point of the 2FA is to slow down the malicious attacker from getting the login credentials to protected sites any faster after they have stolen the user's device.

I disagree that 2FA per session would be cumbersome at all, a 2FA key held behind a mobile phone is much faster and easier for users even than entering a master password so 2FA per session would be something easy that I would very much welcome as an additional control against malicious persons who may get into my device.

The whole point of using a different password manager such as 1Password than the mobile phone default password manager keychain is to make the malicious attack harder (and slower) by providing additional factors to just the default password manager. Session 2FA would provide another factor to slow down attackers.

I'm very disappointed that 1Password has not provided the ability for user to set their security to hardened standards that require 2FA for session. I hope the product managers would listen to the customer user community and respond by providing an option to enable 2FA per session rather than just per device.

I've seen other threads on this topic, but it appears the responders are not understanding or acknowledging the superiority of 2FA per session every time one is prompted for 1Password master password. There are huge advantages in slowing down attackers to give users more time to change compromised passwords. Please do not ignore the communities request for better security with 2FA per session rather than only per device.
https://1password.community/discussion/comment/596551#Comment_596551

Thanks,
David


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Wouldn’t the initial login and every unlock after that be considered a single established session? The 1Password database is stored on the local computer after the initial logon and every unlock after that which would make confirmation of a 2FA code against a remote server useless.

    Prompting 2FA on every unlock would also make 1Password unusable offline, which would likely disappoint a lot of users.

  • jack.plattenjack.platten

    Team Member

    Hi @doliver3:

    As @Oddycm mentioned, to actually implement it in a way that provided actual security, not just security theater, it would come with significant usability downsides for relatively little benefit.

    Unlocking 1Password isn't authentication, it's decryption. Your password isn't proving who you are, it's providing a piece of the encryption puzzle. The 1Password apps authenticate to the server to download your data. However, all your encrypted data exists locally on your device. Unless the encrypted data was deleted every time 1Password was locked, an attacker could attack the encrypted data separately, instead of using 1Password to unlock it.

    Jack

  • @doliver3 2FA protects your data on 1Password's servers from an attacker who has already obtained your master password and secret key. It cannot and does not protect against a local attacker with access to your device.

    An attacker with access to your device will not be using the 1Password app. So any authentication steps added to it will inconvenience the legimate user without delaying the attacker. There are any number of ways in which an attacker with access to your device could leverage that access. For example, they could copy your 1Password database and secret key and install malware to stream your key presses, webcam, etc and capture your master password. They could then decrypt your 1Password database on their own machine at their leisure.

    If you are concerned about this risk then take a look at your device's physical security, use separate device user accounts with strong passcodes/passwords, set short locktimes and enable storage encryption where this is available.

  • BenBen AWS Team

    Team Member

    Good summary, @rootzero. Thank you.

    Ben

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file