Is multi-factor authentication really useful for a 1Password account?

captainslim
captainslim
Community Member

I use multi-factor authentication, preferably hardware security keys, wherever I can. But I’m having a hard time seeing what protection I’d get from it on my 1Password account, and adding it increases the chances that I’d lock myself out.

A I understand it, adding a security key to my 1Password login would protect me from an attacker who somehow has both my master password and my secret key but doesn’t have a copy of my encrypted password database. I have a strong master password, which exists only in my head and in my 1Password database. My secret key exists only in my 1Password database, on a piece of paper which I’ve safely stored, and in my iCloud Keychain.

In order for an attacker to access my iCloud Keychain, he’d need to have physical access to and be able to unlock one of my devices—in which case he’d already have a local copy of my encrypted database—or he’d need to be able to log in to my Apple account on a device of his own. To do that, he’d need my Apple ID password, he’d need to be able to receive SMS messages sent to my phone number (in my case a Google Voice number, so he’d need access to my Google account), and he’d need the passcode to one of my Apple devices to unlock my iCloud Keychain.

So it seems to me that adding multi-factor authentication to my 1Password account protects me from an attacker who has my master password and Apple ID password, can receive SMS messages sent to my phone number, and knows the passcode to one of my Apple devices. Do I have that right? Is there some other scenario I’m missing?

As I said, I’m generally a fan of MFA, but because of the way 1Password works I can’t imagine any remotely realistic attack that it protects me from. I can, however, imagine screwing up and locking myself out of my own account.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @captainslim!

    That is a very good summary. Because 1Password is based on encryption and not authentication, adding 2FA to it has less benefits than it would normally have for an authentication-based system. Our documentation also says so:

    The 1Password apps don’t need two-factor authentication. 1Password accounts use Two Secret Key Derivation (2SKD) to make sure no one can access your data without both your Master Password and your Secret Key.

    For completeness though, I should note that you can disable 2FA in case you need to:

    If you lose access to your authenticator app

  • danco
    danco
    Volunteer Moderator

    I have a strong master password, which exists only in my head and in my 1Password database.

    Please do consider the possibility of a personal disaster. Accidents, health issues, and the like, could prevent you recalling your password. I feel that the master password needs to be written down SOMEWHERE, perhaps kept in a safe deposit.

  • captainslim
    captainslim
    Community Member

    Because 1Password is based on encryption and not authentication, adding 2FA to it has less benefits than it would normally have for an authentication-based system.

    That puts it well. I was trying to put my finger on why 1Password was different from every other service that I do protect with 2FA, and it’s that the security of those services depends on making sure the person accessing them is really me, where the security of 1Password depends on the strength and secrecy of my keys. It really shouldn’t matter to me who you give my encrypted database to.

    Thanks!

  • You nailed it perfectly @captainslim! :smile:

This discussion has been closed.