Why is 2FA so frustrating in 1PW 8/ Family Membership?
I turned on 2FA through Cisco Duo app because I love security and keeping my data safe, but this is seriously hair-ripping.
Every time I log into any browser, it asks me for 2FA code. It feels like this stupid thing pops up at the most inconvenient times and multiple times making it a nuisance to be turned off.
What are the 'rules' of how 2FA is supposed to act? When is it supposed to ask me for a 2FA password for my 1PW family account? Once per browser right? And then?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Comments
-
Pardon my frustration above, but I really _want_ to keep 2FA on but it's just become so difficult. Isn't 1Password supposed to create a cookie when 2FA is authenticated on a specific browser and not ask again until logging in from a different browser or unrecognized computer/device? Is there a time period expiring where the 2FA cookie expires? Am I misunderstanding all of this?
That's how other sites work.
- Unrecognized device.
- Product asks for 2FA code
- Cookie created
- Log in again to 1PW
- 1PW recognizes it's a known device and lets you in
- Log in from unrecognized device > asks for 2FA
0 -
@mia I have no experience of the Cisco Duo app, but TOTP authenticator apps and hardware security keys behave the way you would expect. That is, you should only have to provide your second factor once per device.
Are you inadvertently deleting cookies? Have you tried an alternative authenticator app?
0 -
I tried logging again just now and it asked me for OTP again :-(
@rootzero I use Cookiebro for Chrome which was my first thought, but I've ruled that out for the following reasons:
1) I've whitelisted all of 1PW's cookies already
2) No "unwanted" or blocked cookies detected while logging into the 1PW site.
3) I believe I saw this on another computer without CookieBro.
I haven't tried any other OTP. I tried Authy but it wouldn't let me sign up unfortunately / "NOTICE: Multi-device disabled"
Questions:
Is there a 'timeout' for the OTP or is it a permanent per device until reset?
What other reliable OTP apps are there? Duo, Authy and 1PW are the only ones I know of. Google Authenticator is terrible, I wouldn't touch it.
0 -
@mia I'm assuming you have the 1Password browser extension installed. I would try disabling all other extensions temporarily to see if that makes any difference.
Authy is my preferred authenticator app. That error message means that there is already an Authy account associated with the phone number you gave and that it is currently set to not allow new devices to be added. I'm not sure I would recommend it at this point, but you can recover access to that Authy account by following these instructions:
There is no time-out for 1Password 2FA. It is permanent per device until the app is reset, a browser cookie is deleted, the device is deauthorized or the 2FA is reset in your 1Password profile.
Google Authenticator is not a safe option because losing or resetting your phone results in the loss of your 2FA tokens. I wouldn't use Microsoft Authenticator because someone with access to your Microsoft account can recover all your 2FA tokens. If you're on Android, Aegis is a good option. If not, do you have another phone number you could use to set up Authy?
0 -
You read my mind! I requested a security review of my Authy and asked for deletion. It’s crazy someone can do this with just your phone and email :-/ but I guess it’s there for people like me. Lol
I am going to take your advice about the browser extensions.
0 -
Still waiting for Authy. I'm on step 3 of 4 to get account reinstated.
0 -
Hi @mia, I'm sorry to hear of these troubles with 1Password and your 2FA. I understand you're still waiting on that Authy account process to complete, but if there's anything we can do to troubleshoot as you go forward, we're happy to. If you send a short email with a link to this discussion to support@1Password.com, we can connect you with some of our specialists who work on the more tricky 2FA issues. I hope this is helpful to you! 👍
0 -
@PeterG_1P I haven't heard back from Authy about the final stage of my Authy reset, but I will plan to re-do my 2FA with 1PW tonight and see if the issue keeps happening.
0 -
Re-signed up with Authy. Issue is still happening. Confirmed Cookie Bro is not blocking any cookies while logging in and all of 1PW's domains have been whitelisted. I am going to try and find a pattern.
EDIT: I've narrowed this down. It's something in my (portable) chrome install. There's a setting somewhere that seems to be wiping passwords on exit. I downloaded a fresh portable copy and it doesn't do it.
Now to find the offending setting.
0 -
@PeterG_1P @rootzero
After lots of testing, I have discovered the root cause. 1Password.com does not save 2FA authentication as cookies. It saves them as localStorage files (or indexedDB). I wish the documentation was clear about this as the Chrome extension "Cookie Bro" wipes these files on every startup. There's a setting that controls it which will solve my problem, but now I have to compromise my privacy to get 1PW.com to work properly. :(
EDIT: Guess they did mention it here but it says "Local Storage", instead of "Localstorage" which changes the meaning entirely.
https://support.1password.com/1password-browser-security/
I've asked the dev of CookieBro if there's any way he can get a whitelisting system for local storage working for this.
0 -
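A way to find which client-side store is being wiped between browser sessions, the question the post above works through. This is an added example, not code from the thread, 1Password or Cookiebro, and every cookie, key and database name in the sample is constructed.

```javascript
// Added diagnostic sketch; not 1Password or Cookiebro code.
// Sorted cookie names from a document.cookie-style string
// (HttpOnly cookies never appear in document.cookie).
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0)
    .sort();
}

// Sorted keys of a Web Storage object such as localStorage.
function storageKeys(storage) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) keys.push(storage.key(i));
  return keys.sort();
}

// dbNames: IndexedDB database names; in Chrome's console they come from
//   (await indexedDB.databases()).map((d) => d.name)
function snapshot(cookieString, storage, dbNames) {
  return {
    cookies: cookieNames(cookieString),
    localStorage: storageKeys(storage),
    indexedDB: [...dbNames].sort(),
  };
}

// Per store, the entries present before the restart but missing after it.
function wipedEntries(before, after) {
  const report = {};
  for (const store of Object.keys(before)) {
    const kept = new Set(after[store] || []);
    report[store] = before[store].filter((name) => !kept.has(name));
  }
  return report;
}

// Constructed sample: every name below is made up for illustration.
const fakeStorage = (keys) => ({ length: keys.length, key: (i) => keys[i] });
function demo() {
  const before = snapshot("session=x; lang=en",
    fakeStorage(["trusted-device-demo", "ui-prefs-demo"]), ["vault-cache-demo"]);
  const after = snapshot("session=x; lang=en", fakeStorage([]), []);
  return wipedEntries(before, after);
}
console.log(demo());
```

In a real browser, call `snapshot(document.cookie, localStorage, dbNames)` on the affected site before and after a restart, save each result as JSON, and pass the two to `wipedEntries`; entries listed under `localStorage` or `indexedDB` with an empty `cookies` list point at a cleaner that whitelists cookies only.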
Well, I don't want to sound rude, but if you break your system, you own the pieces. Such tools and such means are huge time wasters with questionable usefulness.
If you're afraid of cookies and local storage, use the incognito window of modern browsers. They trash all this data after you close them without plugin.
If you need 1Password in incognito mode, you can enable it to run even in incognito mode in the Chrome extension settings.
0 -
Hi @mia, sorry for the complications and frustrations around this. On the other hand, it's great that you found the root of the issue!
It is necessary for 1Password to have some kind of local storage (in the general sense) in order for things to work properly. However, I do appreciate your point about localstorage, and why it would be helpful to document that so that folks who encounter similar situations to this one can figure out what's going askew. I'll put in a request on your behalf!
0