I use multi-factor authentication, preferably hardware security keys, wherever I can. But I’m having a hard time seeing what protection I’d get from it on my 1Password account, and adding it increases the chances that I’d lock myself out.
As I understand it, adding a security key to my 1Password login would protect me from an attacker who somehow has both my master password and my secret key but doesn’t have a copy of my encrypted password database. I have a strong master password, which exists only in my head and in my 1Password database. My secret key exists only in my 1Password database, on a piece of paper which I’ve safely stored, and in my iCloud Keychain.
In order for an attacker to access my iCloud Keychain, he’d need to have physical access to and be able to unlock one of my devices—in which case he’d already have a local copy of my encrypted database—or he’d need to be able to log in to my Apple account on a device of his own. To do that, he’d need my Apple ID password, he’d need to be able to receive SMS messages sent to my phone number (in my case a Google Voice number, so he’d need access to my Google account), and he’d need the passcode to one of my Apple devices to unlock my iCloud Keychain.
So it seems to me that adding multi-factor authentication to my 1Password account protects me from an attacker who has my master password and Apple ID password, can receive SMS messages sent to my phone number, and knows the passcode to one of my Apple devices. Do I have that right? Is there some other scenario I’m missing?
As I said, I’m generally a fan of MFA, but because of the way 1Password works I can’t imagine any remotely realistic attack that it protects me from. I can, however, imagine screwing up and locking myself out of my own account.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided