Authentication History on Personal Accounts

Oddycm
Community Member

Are there any plans on providing a historical view of logins on the 1Password web portal for personal accounts?

Furthermore, would these authentication logs differentiate between a login using the master password/secret key and the successful authentication of 2FA?

For example, if an attacker has access to a user's email, master password, and secret key they may initiate a login. However, they would be stopped if 2FA is enabled. It would be good for the user to be aware that a successful login occurred, even if it was thwarted by 2FA, as it would then be advisable to change the master password and secret key.

I have no experience with the business accounts of 1Password, however, I assume such features already exist there.

Are there any plans to bring such features to personal accounts? After all, regular folks would benefit from having access to such logs as well.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Lars
    1Password Alumni
    edited March 2022

    @Oddycm - I know of no plans to institute a feature of that nature anytime soon. By definition an Individual account is intended to be used by one person only. You will always get near-immediate email notification of new device sign-ins (anytime a device that has not signed in successfully to your account does so for the first time), but that's it for now. You're correct that what (I think) you're talking about is present in 1Password Business accounts.

    ...if an attacker has access to a user's email, master password, and secret key they may initiate a login. However, they would be stopped if 2FA is enabled.

    Yes. That is the only scenario I can think of in which 2FA would be the instrumental factor in preventing malicious access from a new device to one's 1Password account. The question there would be: how did an attacker come into possession of all three of those credentials? The email address might be able to be guessed (most people have only one or two, and @gmail.com is a popular choice, etc.), but the Secret Key is only ever present on the account owner's devices on which they've already signed in (unless the account owner chooses to save it electronically or physically (written or printed) elsewhere). And the Master Password should live only in one's own head and not be shared with others. The exception to this would be the Emergency Kit, which should be saved in a locked location known only to the user such as a floor safe or safety deposit box.

    With the exception of the email address, those credentials are also never sent to or stored by us; we don't know them, and therefore can't misuse them or have them stolen from us.

    In 1Password Business accounts where there are anywhere from a few dozen to thousands of members of the account, there's both a greater likelihood given just the sheer numbers (versus only one in an individual account) that such a situation might happen to one of the members, and there is also typically a dedicated team of administrators who monitor such things regularly, and can act swiftly to contact anyone whose account was saved only by 2FA to change their Account Password and/or regenerate their Secret Key. In an individual account, that would be up to the sole owner to remember to check that frequently.

    While it is theoretically possible for an attacker to gain all of the sign-in credentials, good, consistent security practice makes this a very remote possibility (pun intended). 2FA can prevent it. Keeping one's Account Password only in one's head prevents it. Though still not likely, you are much more apt to experience a compromise of a local device than someone with all your credentials attempting to sign in remotely and being thwarted by 2FA.

    And finally, at the moment, if such a possibility seems plausible enough to defend against, there is of course always the option to sign up for a 1Password Business account, population: one, instead of an Individual account. Whether having the capability to check failed sign-in attempts is worth an additional $5/month for all of the features of 1Password Business (many of which will not be applicable to a single-user account), is a question each individual would need to assess based on their own threat model and level of comfort.
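As an added, constructed illustration of the distinction this thread draws (it is not 1Password's code, and the event format is invented; 1Password exposes no such log for Individual accounts): a small Python triage routine over a hypothetical per-device authentication log. It separates "password and Secret Key rejected" (low value to an attacker, nothing to rotate) from "password and Secret Key accepted but 2FA rejected", the case the original poster wants surfaced, because only the latter shows that the primary credentials are in someone else's hands and should be rotated. The device names, account names and field names are assumptions.

```python
"""Triage sign-in events by which factor failed.

Constructed example. The one-JSON-object-per-line format, the field names
and every value below are invented for illustration; none of it is a real
1Password log format or real data.
"""
from dataclasses import dataclass
import json

# Constructed sample log (not real data). "primary" = email + Account Password
# + Secret Key; "2fa" = the second factor prompt that follows a primary success.
SAMPLE_EVENTS = """
{"ts": "2022-03-01T08:00:00Z", "account": "alice", "device": "laptop-1",  "stage": "primary", "result": "ok"}
{"ts": "2022-03-01T08:00:02Z", "account": "alice", "device": "laptop-1",  "stage": "2fa",     "result": "ok"}
{"ts": "2022-03-01T09:10:00Z", "account": "alice", "device": "unknown-9", "stage": "primary", "result": "fail"}
{"ts": "2022-03-01T09:11:00Z", "account": "alice", "device": "unknown-9", "stage": "primary", "result": "ok"}
{"ts": "2022-03-01T09:11:05Z", "account": "alice", "device": "unknown-9", "stage": "2fa",     "result": "fail"}
{"ts": "2022-03-01T09:11:40Z", "account": "alice", "device": "unknown-9", "stage": "2fa",     "result": "fail"}
{"ts": "2022-03-01T10:00:00Z", "account": "alice", "device": "tablet-3",  "stage": "primary", "result": "ok"}
{"ts": "2022-03-01T10:00:05Z", "account": "alice", "device": "tablet-3",  "stage": "2fa",     "result": "ok"}
{"ts": "2022-03-01T11:00:00Z", "account": "carol", "device": "unknown-4", "stage": "primary", "result": "ok"}
"""

ROTATE = "change the Account Password and regenerate the Secret Key; review 2FA"


@dataclass
class Finding:
    ts: str          # timestamp of the primary-factor event that opened the session
    account: str
    device: str
    kind: str
    severity: str
    action: str
    attempts: int = 1   # number of rejected 2FA codes seen for this session


def parse_events(text):
    """One JSON object per line, ordered by timestamp (ISO-8601 sorts lexically)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def analyse(events, trusted_devices=()):
    """Return findings; trusted_devices is a set of (account, device) pairs
    that have completed a sign-in before (the hypothetical equivalent of a
    device that already holds the Secret Key)."""
    trusted = set(trusted_devices)
    pending = {}    # (account, device) -> primary-ok event awaiting a 2FA result
    reported = {}   # (account, device) -> Finding already raised for that session
    findings = []

    def close_pending(key):
        # A primary success that never reached a 2FA success is itself a signal.
        ev = pending.pop(key, None)
        if ev is None or key in reported:
            reported.pop(key, None)
            return
        new = key not in trusted
        findings.append(Finding(ev["ts"], *key, "second_factor_not_completed",
                                "medium" if new else "low",
                                ROTATE if new else "none"))

    for ev in events:
        key = (ev["account"], ev["device"])
        stage, ok = ev["stage"], ev["result"] == "ok"
        if stage == "primary":
            close_pending(key)
            if ok:
                pending[key] = ev
            else:
                # Wrong password or Secret Key: attacker has nothing usable yet.
                findings.append(Finding(ev["ts"], *key, "primary_factor_rejected", "low",
                                        "none; password or Secret Key was wrong"))
        elif stage == "2fa" and key in pending:
            start = pending[key]
            if ok:
                pending.pop(key)
                reported.pop(key, None)
                if key not in trusted:
                    trusted.add(key)   # this is the "new device sign-in" e-mail case
                    findings.append(Finding(start["ts"], *key, "new_device_sign_in", "info",
                                            "confirm the new-device notification was expected"))
            elif key in reported:
                reported[key].attempts += 1
            else:
                # Primary credentials accepted, 2FA rejected: the credentials are
                # in someone else's hands even though the login was blocked.
                new = key not in trusted
                f = Finding(start["ts"], *key, "primary_ok_2fa_rejected",
                            "high" if new else "low",
                            ROTATE if new else "none; likely a mistyped code on a known device")
                reported[key] = f
                findings.append(f)

    for key in list(pending):
        close_pending(key)
    return findings


if __name__ == "__main__":
    for f in analyse(parse_events(SAMPLE_EVENTS), trusted_devices={("alice", "laptop-1")}):
        print(f"{f.severity:6} {f.ts} {f.account}/{f.device} {f.kind} (x{f.attempts}): {f.action}")
```

Run against the constructed log, the routine reports the guessed-password failure on `unknown-9` as low, the accepted-then-blocked session on the same device as high with two rejected codes, the completed `tablet-3` sign-in as the informational new-device notice the reply above describes, and `carol`'s session that never reached a 2FA result as medium. The point of the grouping is the one the original poster makes: a plain failed login and a login stopped only by 2FA call for different responses, and a log that does not distinguish them cannot tell the user when rotation is needed.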
