Is there any way to force 2FA?

Choly22

I recently had a remote control hacking with a keylogger.
My security was compromised with just one browser click, and I couldn't detect it with a paid antivirus.

All the properties using my single password were stolen.
I suffered nearly $200,000 in damage, and I got traumatized and became paranoid.

I want strong security, even if it's more inconvenient.

I use Windows Hello login with a FIDO fingerprint recognition device.
I'm glad this part is compatible.

However, to access 1Password in the first place, I must enter the master password. This is a single password.
When I checked with a simple keylogger program, all the inputs were recorded.

To prepare for keyloggers, please provide an option where 2FA can be forcibly applied.

2FA can be forced once on the website.
So I don't think it's a technical difficulty.

This is a separate option, so it doesn't make the user experience bad.

Please make this part.
Hackers always break through weak links and break in.



Comments

  • [Deleted User]

    @Choly22 I'm sorry to hear about what you've been through. I have only had individual website accounts hacked, but that was bad enough.

    1Password only asks for 2FA when initially authorising a new device. This is because 2FA is very powerful when protecting an account on a remote server or website. It is not very useful when protecting data on your own device.

    When you authorise a new 1Password device it stores a copy of your password database and your secret key. An attacker with access to your device only needs your account password and then they can use this together with your secret key to decrypt your database.

    1Password uses a variety of techniques to reduce the risk that your account password is captured by a keylogger. However, should an attacker capture the account password, there's nothing that can be done to prevent them using this to decrypt your database. Adding 2FA steps to your 1Password app wouldn't help as they would probably be decrypting the database on their own machine using their own software. So it would be more inconvenient for you, but it wouldn't delay an attacker.

    It is not possible to run a secure password manager on an insecure system. The risk is not just keyloggers. For example, an attacker can harvest your session cookies and access tokens, completely bypassing website passwords and 2FA. So I'm afraid the only answer is to double down on device security. Here's a list of things to check:

    1. Set up individual device user accounts where possible and only use an admin account when necessary
    2. Only install software from trusted sources
    3. Keep all software up to date
    4. Use anti-virus software
    5. Don't click on links or open unexpected documents
    6. Minimise your use of browser extensions and only use ones from trusted sources
    7. Use a blank browser profile with just the 1Password extension to visit 1password.com, banks, etc
    8. Take care when clicking on search engine results, especially adverts at the top of the page
    9. Keep a complete set of bookmarks and navigate to websites via these whenever possible
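
Added example, not part of the post above and not 1Password's code: a simplified Python model of the point that a vault stored on the device opens with the account password plus the locally stored secret key, so a 2FA prompt inside the app is never an input to decryption. The key derivation and the HMAC-based cipher are stand-in assumptions, and every name and sample value is constructed.

```python
import hashlib, hmac, secrets

def derive_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    # Simplified model (assumption): stretch the password, then mix in the
    # secret key stored on the device. No one-time code is an input here.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy HMAC-counter keystream standing in for a real AEAD cipher.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"),
                       hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or secret key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def make_device(password: str, plaintext: bytes) -> dict:
    # What an authorised device keeps on disk: salt, secret key, sealed vault.
    dev = {"salt": secrets.token_bytes(16), "secret_key": secrets.token_bytes(32)}
    dev["vault"] = seal(derive_key(password, dev["secret_key"], dev["salt"]), plaintext)
    return dev

def app_unlock(dev: dict, password: str, otp_ok: bool) -> bytes:
    # A 2FA prompt in the app is only a gate in front of the same decryption.
    if not otp_ok:
        raise PermissionError("second factor required")
    return unseal(derive_key(password, dev["secret_key"], dev["salt"]), dev["vault"])

def unlock_from_files(dev_copy: dict, password: str) -> bytes:
    # Other software reading the same files never reaches that gate.
    key = derive_key(password, dev_copy["secret_key"], dev_copy["salt"])
    return unseal(key, dev_copy["vault"])

if __name__ == "__main__":
    dev = make_device("constructed-password", b"constructed vault contents")
    print(unlock_from_files(dict(dev), "constructed-password"))
```

The second factor only changes the outcome of `app_unlock`; the key that protects the data depends on nothing but the password and what is already on the disk, which is why the reply points to device security as the control that matters.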
  • Ben

    I really don't think I could've said it better than @rootzero. Amazing content here! Thanks for bringing that to the table.

    Ben

  • jmjm

    @rootzero wrote:

    Use anti-virus software

    @Choly22 wrote:

    I recently had a remote control hacking with a keylogger.

    I too worry lots about the integrity of my devices on which I have installed 1P.

    Choly22, was the machine in question protected by up-to-date AV? If so, do you know how the infection was still able to happen?

This discussion has been closed.