Mac 8 App and Login Two-Factor Authentication
Hi, hoping someone can explain 1Password's approach to authentication when I log into the App.
I'm using Duo as the 2FA with 1Password Business.
It seems I still have unvetted access to my account after entering my password into the App but before Duo authentication is completed. This defeats the purpose of having 2FA on login to account.
Is this normal behaviour or a bug?
Thanks,
Todd.
1Password Version: 8.7.1
Extension Version: N/A
OS Version: 11.6.6
Comments
Hi @ToddHW,
Great question! Duo (and other forms of 2FA with 1Password accounts) help to secure your actual 1Password account. The 1Password apps are just a container that holds that account data and lets you manipulate it. Further, a local copy of your account data is also stored in the 1Password app, so you can access your data without an internet connection.
In this case, when Duo is asking you to re-authenticate your account, this re-authentication is for the 1Password app to access/sync with your account data on the server, not to unlock the 1Password app itself. You just need to enter your account password to unlock the app, and you can still access the local copy of your account data.
If this wasn't the case, you may get locked out of your data with no way to regain access without an internet connection, as Duo wouldn't be able to authenticate with the server until a connection is reestablished. It's important to note that in this state, you also would not receive any updated information from the server until you re-authenticate using Duo. Further, you would still need to authenticate using Duo to add your 1Password data to any new device.
I hope that helps clear things up.
Alex
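The distinction in the reply above (the account password unlocks a local cache, while the second factor only gates server access) can be made concrete with a small model. The following is an added illustration written for this thread, not 1Password's code: the vault layout, the PBKDF2 work factor, the session handling and the optional `require_2fa_for_local` policy (the "no 2FA, no access" behaviour a Business admin might want) are all assumptions of the model. It shows that the default design keeps offline reads working and only blocks sync, and that the stricter policy locks the user out of even the cached copy while offline.

```python
import hashlib
import hmac
import os

# Constructed model of a password-manager client (not 1Password's code):
# the account password unlocks a locally cached vault; a second factor
# (Duo in the thread) is only consulted when a server session is needed.

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the model
VERIFIER_LABEL = b"vault-verifier"


class TwoFactorRequired(Exception):
    """The operation needs a Duo-approved server session."""


class Offline(Exception):
    """The operation needs the server but there is no connection."""


def derive_key(password: str, salt: bytes) -> bytes:
    """Derive the vault key from the account password (local computation)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def make_vault(password: str, items: dict) -> dict:
    """Build a local cache: salt, an HMAC verifier for the password, and items."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "verifier": verifier, "items": dict(items)}


class Client:
    def __init__(self, vault: dict, require_2fa_for_local: bool = False):
        self.vault = vault
        # Hypothetical admin policy from the thread: no 2FA, no access at all.
        self.require_2fa_for_local = require_2fa_for_local
        self.unlocked = False
        self.session = None  # set only after a Duo-approved sign-in

    def unlock(self, password: str) -> bool:
        """Password-only unlock, verified locally; no server involved."""
        key = derive_key(password, self.vault["salt"])
        expected = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
        if not hmac.compare_digest(expected, self.vault["verifier"]):
            return False
        self.unlocked = True
        return True

    def sign_in(self, online: bool, duo_approved: bool) -> str:
        """Obtain a server session; this is the step the second factor gates."""
        if not online:
            raise Offline("cannot reach server")
        if not duo_approved:
            raise TwoFactorRequired("Duo approval missing")
        self.session = os.urandom(8).hex()
        return self.session

    def read_local(self) -> dict:
        """Read the cached copy; gated by 2FA only under the stricter policy."""
        if not self.unlocked:
            raise PermissionError("vault is locked")
        if self.require_2fa_for_local and self.session is None:
            raise TwoFactorRequired("policy requires a 2FA session for any access")
        return dict(self.vault["items"])

    def sync(self, server_items: dict, online: bool) -> dict:
        """Pull updates from the server; always needs a 2FA-backed session."""
        if not online:
            raise Offline("cannot reach server")
        if self.session is None:
            raise TwoFactorRequired("sync needs a Duo-approved session")
        self.vault["items"].update(server_items)
        return dict(self.vault["items"])


def outcome(action) -> str:
    """Run an action and report 'ok' or the name of the exception it raised."""
    try:
        action()
        return "ok"
    except (TwoFactorRequired, Offline, PermissionError) as exc:
        return type(exc).__name__


def scenarios() -> dict:
    """Compare the default design with the stricter policy, offline and online."""
    password = "correct horse battery staple"  # constructed sample
    cached = {"mail": "cached-secret"}         # constructed sample
    results = {}

    default = Client(make_vault(password, cached))
    default.unlock(password)
    results["default_offline_read"] = outcome(default.read_local)
    results["default_sync_without_duo"] = outcome(lambda: default.sync({"vpn": "new"}, online=True))
    default.sign_in(online=True, duo_approved=True)
    results["default_sync_with_duo"] = outcome(lambda: default.sync({"vpn": "new"}, online=True))

    strict = Client(make_vault(password, cached), require_2fa_for_local=True)
    strict.unlock(password)
    results["strict_offline_read"] = outcome(strict.read_local)
    results["strict_offline_signin"] = outcome(lambda: strict.sign_in(online=False, duo_approved=True))
    strict.sign_in(online=True, duo_approved=True)
    results["strict_online_read_after_duo"] = outcome(strict.read_local)
    return results


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The trade-off the reply describes falls out of the two `Client` configurations: with the default policy the password alone exposes the cached items and the second factor only protects what reaches or leaves the server, whereas `require_2fa_for_local=True` gives the admin the "no 2FA, no access" guarantee at the cost of the `Offline` lock-out shown in `strict_offline_signin`.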
Hi @Alex.S_1P
Thank you for your response.
I can understand this philosophy for an individual user but not for protecting access to a Business Account where the unavailability of an Internet connection has significant ramifications for productivity anyway.
Personally I believe administrators of Business Accounts should have the option for applying 2FA to the Business Account as 2FA is intended (i.e. no 2FA, no access in any form).
On the basis that your client apps can access multiple 1Password accounts (e.g. a Family and a Business concurrently), giving Business administrators the ability to enforce no visibility without 2FA would be a good feature.
I also think your web site should make this clear. I've just finished migrating our password repository from a competitor's product which has gone end of life and their "new" product is just far too expensive. I was attracted by your DUO integration and only turned it on after migrating the passwords. If I had realised account 2FA wasn't proper 2FA, I wouldn't have chosen 1Password.
I find it security limiting that the user of an app can set "security" preferences (e.g. Auto-Lock) to whatever they want and that security preferences for a Business account can't be set and enforced centrally.
For what it's worth I think your "Business" offering falls well short. As a simple example just look at the so-called "Activity Log". I'll bet your legal guys baulked at naming it an Audit Log.
Also, as others here have commented, the lack of functionality in the Mac v8 app compared to previous versions is very disappointing.
On the whole I wish I had been more diligent in researching 1Password. I think I made a poor choice.
Thanks,
Todd