No reminder to enable 2FA?
Hi,
After using 1Password for 4 years, I was surprised to find out today that it offers 2FA. I stumbled upon it while changing some settings in my profile.
I wish that I received some message from 1Password suggesting that I enable 2FA. Maybe consider implementing a reminder/nudge for users who haven't enabled 2FA?
Since a user's 1Password account is the gatekeeper to all their other accounts, users will get a massive security benefit if they use 2FA.
Thanks,
Kevin
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Referrer: forum-search:asdf
Comments
-
@kvu917 The security of accounts on most websites is greatly increased by enabling 2FA because people re-use passwords and because a hash of the password is used as a long term secret. The rotating 6 digit passcodes from an authenticator app protect against password re-use and against replay attacks where the password or its hash have been captured. However, the password and 6 digit passcode can be intercepted by fake websites and re-used by an attacker in real-time. Or the long term secrets held by the server can be compromised and the details used to gain access at a later date.
1Password is different because, in addition to your account password, it uses a secret key and the secure remote password protocol. The secret key is randomly generated on your first 1Password device, it is used in the encryption of your data and it needs to be copied to each new device before login. The secure remote password protocol allows your device to check the server is genuine and the server to check you have the account password and secret key without any long term secrets or short term passcodes being passed in either direction. And the server doesn't have a copy of your account password or secret key, so they cannot be stolen from there.
So with 1Password, 2FA only helps in the case where an attacker has your account password and secret key, but does not yet have a copy of your 1Password database. An authenticator app doesn't protect against the case where you've been tricked into entering your details on a fake website, because an attacker can relay the 6 digit passcodes in real-time. To protect against that case, only fill your 1Password details using the 1Password extension and/or use 2FA based on a hardware security key. For additional security, only fill your 1Password details in a browser with no other extensions installed.
0 -
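The exchange rootzero describes above (the device proving it holds the account password and secret key, and checking the server is genuine, without either secret crossing the wire), as an added example that is not code from the original thread or from 1Password. It is a textbook SRP-6a run in the style of RFC 5054 with SHA-256, using RFC 5054's 1024-bit group so it runs quickly. The `derive_x` function that mixes the account password and secret key is an illustrative stand-in and is not 1Password's actual derivation, which this page does not describe; the credentials, the `Client`/`Server` classes and `run_login` are all constructed for the example.

```python
"""Simplified SRP-6a login (RFC 5054 1024-bit group, SHA-256) showing what crosses the wire."""
import hashlib
import hmac
import secrets

# RFC 5054 Appendix A, 1024-bit group. Small for speed; real deployments use larger groups.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NBYTES = (N.bit_length() + 7) // 8

def pad(n: int) -> bytes:
    return n.to_bytes(NBYTES, "big")

def h_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def h_bytes(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

k = h_int(pad(N), pad(g))  # SRP-6a multiplier k = H(N || PAD(g))

def derive_x(account_password: str, secret_key: str, salt: bytes) -> int:
    """Illustrative stand-in, NOT 1Password's real derivation: stretch the password
    with PBKDF2, then mix in the high-entropy secret key with HMAC."""
    stretched = hashlib.pbkdf2_hmac("sha256", account_password.encode(), salt, 100_000)
    return int.from_bytes(hmac.new(secret_key.encode(), stretched, hashlib.sha256).digest(), "big")

def enroll(account_password: str, secret_key: str):
    """Run once on the client. The server stores only (salt, v); x, the password and
    the secret key never reach it, so they cannot be stolen from there."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, derive_x(account_password, secret_key, salt), N)

class Server:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v

    def challenge(self, A: int):
        if A % N == 0:
            raise ValueError("invalid client public value")
        self.A = A
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def verify_client(self, M1: bytes):
        """Returns M2 if the client's proof matches, None otherwise."""
        u = h_int(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.v, u, N), self.b, N)  # = g^(b(a + ux)) only if v is the real verifier
        self.K = h_bytes(pad(S))
        if not hmac.compare_digest(h_bytes(pad(self.A), pad(self.B), self.K), M1):
            return None
        return h_bytes(pad(self.A), M1, self.K)

class Client:
    def __init__(self, account_password: str, secret_key: str):
        self.account_password, self.secret_key = account_password, secret_key

    def start(self) -> int:
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)
        return self.A

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("invalid server public value")
        x = derive_x(self.account_password, self.secret_key, salt)
        u = h_int(pad(self.A), pad(B))
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)  # = g^(b(a + ux))
        self.B, self.K = B, h_bytes(pad(S))
        self.M1 = h_bytes(pad(self.A), pad(B), self.K)
        return self.M1

    def verify_server(self, M2) -> bool:
        """A server that does not hold the real v cannot derive K, so it cannot produce M2."""
        return M2 is not None and hmac.compare_digest(M2, h_bytes(pad(self.A), self.M1, self.K))

def run_login(client: Client, server: Server) -> bool:
    """Full exchange: A -> (salt, B) -> M1 -> M2. Only these four values cross the wire."""
    A = client.start()
    salt, B = server.challenge(A)
    M1 = client.respond(salt, B)
    M2 = server.verify_client(M1)
    return client.verify_server(M2)

if __name__ == "__main__":
    PASSWORD, SECRET_KEY = "correct horse battery staple", "A3-EXAMPLE-SECRET-KEY"  # constructed sample credentials
    salt, v = enroll(PASSWORD, SECRET_KEY)
    print("genuine server:", run_login(Client(PASSWORD, SECRET_KEY), Server(salt, v)))
    print("wrong password:", run_login(Client("wrong", SECRET_KEY), Server(salt, v)))
    print("right password, wrong secret key:", run_login(Client(PASSWORD, "A3-OTHER-KEY"), Server(salt, v)))
    print("impostor server without v:", run_login(Client(PASSWORD, SECRET_KEY), Server(salt, 12345)))
```

The fourth run is the fake-server case: an impostor that does not hold the account's verifier cannot compute the shared key, fails the client's M2 check, and learns only M1 from the transcript. M1 can still be attacked offline by guessing x, and that is exactly where the high-entropy secret key mixed into `derive_x` matters: guessing a password alone is not enough.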
@rootzero (and @Jack.P_1P), thank you for the detailed explanation!
I did not realize that the account password + secret key (APSK) protocol was so resilient against network and server-side attacks.
In general, how hard is it to steal an APSK?
If it is hard, then enabling TOTP 2FA would have little benefit because an attacker that got the APSK would have the skills to intercept and replay a TOTP.
Specifically, I am concerned about client-side attacks.
For example, Bob's computer was infected by keylogger malware. That malware could scan keystrokes for strings that resemble passwords and 1Pass secret keys and then try each combination. If you used a TOTP, the attacker would also have to find an unexpired TOTP. On the other hand, if you used a TOTP, that could be much worse because the keylogger could scan for 6-digit strings, use the previous 34 keystrokes as the SK, and then test previous keystrokes for the AP.
That may be an unlikely attack. I would like to learn more if you have more information on 1Password's threat model.
0 -
@kvu917 There's little we can do to help Bob once his computer has become compromised. Keyloggers are not the only threat and 2FA cannot defend against those threats. For example, successful completion of login to a website usually results in a session cookie or access token being saved to your device. This can be stolen by malware, completely bypassing 2FA.
2FA is a form of authentication. It protects your account on a server from a remote attacker who has acquired your other credentials. It cannot protect the data on your device as it normally plays no role in the encryption of data.
One of the things that makes the account password and secret key combination so powerful is that it is also used to encrypt your data before upload to 1Password's servers. However, the secret key is saved unencrypted in a mildly obscured form on your device, as it is required to generate the encryption key which protects your data. So someone with access to your device should be assumed to have access to it and your 1Password database.
If you are concerned about malware then run good anti-virus software, try to avoid downloading software/files from unofficial sources, minimise your use of browser extensions, don't click on links, etc. If you are concerned about a local attacker then choose a strong account password, set up separate password protected user accounts on your device, turn on storage encryption where supported, etc.
0