1Password Authenticator - Please increase the security
I've looked through these topics: this; this; this and others; however, the 1Password team misses a big point which could have been an additional security layer.
To put it shortly, storing 2FA TOTP codes in the same password manager IS NOT THE IDEAL approach and is inherently less safe than storing them in another app (which has a different login/PIN code for access, let's say Authy or whatever). So, when we open 1Pass and access a password there, we need to open another app (i.e. Authy or LastPass Authenticator or whatever) with another PIN code to get the TOTP code.
So, we have 2 entry points (which the attacker needs to overcome), and it's much safer than having everything just in 1Pass. THIS is the reason I am, to date, using another app for 2FA TOTP codes. However, there is a solution which will help many users make the final decision to move into 1Pass fully (including TOTP). The solution is the following:
- when we access it using our master password, and it opens our vault, there should be an additional PIN code (separate!) required to access 2FA codes.
This will be a full (and realistic) imitation of a separate app and takes 1Pass 2FA functionality to a higher level of security.
1Password Version: latest
Extension Version: latest
OS Version: win 10
Comments
Thanks for the question here. This is a bit of a complex topic. Ultimately, keeping your TOTPs within 1Password or in a separate application only really matters in certain, very specific scenarios. It should never be thought of as an "extra layer of security" to do so (very few of such "blanket" layers of security actually exist). And in fact, if you're looking for true two-factor authentication, you'd need to keep those TOTPs on an entirely separate device from the one on which you use your password manager. You could do that with a backup phone, but a security key, like a YubiKey, might be more realistic where it applies.
Your choice in this case will really come down to how you think your 1Password account may be compromised and what additional inconveniences you're willing to tolerate to mitigate that single risk. For instance, if you feel that your 1Password account password and your Secret Key may both be shared with someone else at once, and that they may log into your 1Password account just as you do, then using a separate application for TOTPs may spare you some pain, although it will depend on what else you keep in 1Password and how seriously those TOTPs are treated by the services that they belong to. On the other hand, if you feel that your 1Password data may be compromised by some form of malware on your device, then a separate application on that device is unlikely to provide any additional real benefit, but that scenario would depend on the form of malware that the device is infected with.
In any case, in a situation in which someone else learns of both of your secrets, or in one in which your device is infected with such a severe form of malware that it somehow compromises your data, I can't think of a way in which an additional password, even one used for additional, specific encryption of TOTPs, might help. Someone who is somehow able to get ahold of both your 1Password account password and your Secret Key would likely also be in possession of that additional password (depending on the way they were able to acquire the first two secrets) and a severe enough form of malware, in conjunction with the continued use of 1Password on an infected device, would eventually be able to read your TOTP data once you accessed them yourself.
If you have a specific scenario in mind that you're looking to mitigate using this method, feel free to go into some detail and I'll be able to comment on that further.
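The reply above turns on one property of TOTP: the app that shows the code and the service that checks it hold the same shared seed, so whatever process generates a code must have that seed in memory on that device, whether it is unlocked by the vault password or by an extra PIN. The following is an added example, not code from 1Password or from anyone in this thread; it implements RFC 4226 HOTP and RFC 6238 TOTP generation plus the server-side check, using the published RFC test seed (a constructed value, not a real account). The `window` parameter and the Base32 helper are my own conventions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test seed: the ASCII secret from the RFC 4226 / RFC 6238 test
# vectors. It is public and is not tied to any real account.
RFC_TEST_SECRET = b"12345678901234567890"


def decode_base32_secret(text: str) -> bytes:
    """Decode a Base32 seed as carried in an otpauth:// URI or QR code.

    Authenticator apps commonly omit the '=' padding and show the seed in
    spaced groups; both forms are tolerated here.
    """
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time=None, step: int = 30, digits: int = 6,
         t0: int = 0, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals elapsed since `t0`. This is what an authenticator app shows."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, (int(unix_time) - t0) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Service-side check with the same seed: accept the current step and
    `window` steps either side to absorb clock skew. compare_digest keeps the
    comparison constant-time."""
    counter = int(unix_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algo), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vectors (SHA-1, 8 digits): time 59 -> 94287082,
    # time 1111111109 -> 07081804
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    print(totp(RFC_TEST_SECRET, 1111111109, digits=8))
    # The same seed as a Base32 string, the way a QR code would carry it
    as_b32 = base64.b32encode(RFC_TEST_SECRET).decode()
    print(as_b32, decode_base32_secret(as_b32) == RFC_TEST_SECRET)
    # Whoever can run totp() on this device holds the seed, regardless of
    # which password or PIN released it from storage.
```

Both `totp()` and `verify_totp()` take the raw seed; there is no way to produce a code without it. That is the substance of the reply's point about device-resident malware: an extra PIN changes which key unwraps the seed, not where the seed is when a code is computed.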