Please help me understand 2FA for my 1Password account

Hi, I'd like to understand 2FA for my 1Password account (i.e. for the vault itself, not for the secrets managed inside of the vault).

Let's say I use Authy on my phone, but then I lose my phone. This is where my understanding of the process gets unclear and is based on assumptions.

Assumption #1: This is how I assume it works: I can recover my Authy accounts with the Authy backup phrase, but this phrase cannot be held inside my 1Password vault since I don't have access to my vault. So I need to store my Authy backup password outside my vault. Is this correct, or is Authy recovery not based on the backup password?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • 1Password requests a 2fa token only, if you log in from a new machine with no cached vault. So if you lose your phone, you only lose the ability to log in from a new machine. If you logged on before on a different machine, your vaults are cached on that machine, and you can start 1Password on that machine and extract whatever you need to recover your phone. You only need your master password but no 2fa code if there is a cached vault on that machine.

  • ag_anaag_ana 1Password Alumni

    @emilesilvis:

    So I need to store my Authy backup password outside my vault. Is this correct, or is Authy recovery not based on the backup password?

    Whether Authy recovery is based on a backup password or not is a question better addressed to the Authy developers, so I will avoid taking guesses. However, as Tertius wrote, if you have access to a device that already has 1Password data on it, you would be able to unlock it and get the backup password from there:

    You only need your master password but no 2fa code if there is a cached vault on that machine.

    Should you not have any other devices, you can reach out to our security team and they can temporarily disable 2FA for you after answering some security questions :+1:

  • @emilesilvis In answer to your Authy question, you will always need your backups password when logging in to Authy on a new device.

    You can manage the risk of being locked out of Authy by installing it on more than one device and by keeping a paper record of your Authy backups password. Perhaps you could store it alongside your 1Password secret key?

  • @rootzero that makes sense, thanks for the suggestion.

  • ag_anaag_ana 1Password Alumni

    :+1::)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file