2FA - General question

twisternet
Community Member

I am a new 1Password user and so far very satisfied.
However, I have one question. Do I understand correctly that I only have to enter the 2FA code once per device?
But I would like to use 2FA every time I log in on the PC. Somehow I have a better feeling about that.
But I guess that's not possible?

Thank you, and excuse my not-so-correct English.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Tertius3
    Community Member

    Asking for 2FA while there is a cached copy of your vault on the device doesn't increase security, so it isn't used.
    There is a long, comprehensive article about this somewhere on the 1Password website.

    The short answer is this:
    2FA in general protects remote web logins.
    If you log in for the first time on a new device, you provide 2FA on the website and your encrypted vaults are copied (cached) from the cloud to the device.
    It isn't possible to protect local data with 2FA, because 2FA only generates the information "authentication succeeded" or "authentication failed". If you directly access the data files without the 1Password app, you're always allowed to access the data - in encrypted form.
    So if an attacker wants to steal your data, he can just take the cached copy as a file from your device, without 2FA, and try to hack it anyway. The master password protects that data, because it is used directly as the key to decode the data.

  • Hey @twisternet, thanks for your question!

    As @Tertius3 explained, requesting 2FA every time you log onto your PC would not actually increase the security of your account.

    Let's take a step back to a higher-level view. 1Password uses a couple of key ingredients to protect your data:

    1. Your account password - this is the one you type in to unlock the app. It protects you against attackers who might gain access to your device. If they don't have the password and can't crack it, they can't get in. This is why a strong password is important.

    2. Your Secret Key - this protects you against attackers elsewhere. For example, if someone tried to access your 1Password.com account and used some kind of automated password-guessing software against our servers, it actually wouldn't matter if they successfully guessed your password. That's because we only unlock your data when your password is combined with your Secret Key, and guessing the combination of these things together is incredibly difficult to do. About your Secret Key.

    With that in mind, 2FA is used to authorize a device once. After you've successfully authorized a device, there is no added security in asking for 2FA every time you log in - the data is already stored locally on the device alongside your Secret Key, so from a security perspective, it doesn't make much sense to ask for 2FA on every login aside from making things more cumbersome for users.

    Essentially, 2FA protects against a case where an attacker knows your account password and Secret Key, but doesn't have a copy of your database. They would be unable to access your data on their own device. If an attacker gained illicit entry to an authorized device and had your credentials, then they would have a copy of your database and 2FA would not have any additional benefit.

    You may find this article useful if you'd like some further details: Authentication and encryption in the 1Password security model

    I hope that helps clarify some things. Let me know if you have any further questions. Thanks!

    Ali
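A simplified model of the two-ingredient design described in the reply above, added here as an example; it is not 1Password's own code and does not reproduce its real key-derivation scheme. It assumes a hypothetical PBKDF2-plus-XOR combination of password and Secret Key and a toy HMAC-counter cipher in place of real authenticated encryption. The point it shows: the locally cached blob unlocks from password plus Secret Key alone, while the 2FA result is only a server-side gate on handing that blob to a new device.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 50_000  # assumption: illustrative work factor, not 1Password's


def derive_vault_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """Mix both ingredients into one 32-byte key (toy model, not 1Password's 2SKD)."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    sk_part = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    # XOR: an attacker missing either the password or the Secret Key cannot rebuild the key.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in cipher (illustration only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_vault(plaintext: bytes, password: str, secret_key: str) -> bytes:
    """Produce the blob that would be cached on a device: salt || ciphertext || tag."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(password, secret_key, salt)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return salt + ct + hmac.new(mac_key, salt + ct, hashlib.sha256).digest()


def unlock_local_vault(blob: bytes, password: str, secret_key: str):
    """Local unlock: no 2FA input exists here, because 2FA is not part of the key."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    key = derive_vault_key(password, secret_key, salt)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, hashlib.sha256).digest()):
        return None  # wrong password or wrong Secret Key
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))


def server_authorize_device(password_ok: bool, secret_key_ok: bool, totp_ok: bool) -> bool:
    """Server-side gate: 2FA only decides whether the encrypted blob is sent to a new device."""
    return password_ok and secret_key_ok and totp_ok
```

Once a device holds the blob, only the second function matters to an attacker with a copy of it, which is why re-prompting for 2FA on every local unlock adds nothing.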

  • twisternet
    Community Member

    Ok, then I have understood that now. Many thanks to both of you for the detailed information.

  • You're most welcome @twisternet!

    Ali

This discussion has been closed.