How is it recommended to generate the OTP code needed for 2FA logons to the 1Password account_

fatso83fatso83
Community Member

1Password accounts can have an additional layer of security by enforcing a policy to enter a OTP on every new device. This is fine. The only issue I have with this is that I have gotten rid of Google Authenticator (and Microsoft's version) by moving all OTP generation to 1password. It feels a bit off to re-introduce them just to generate codes. And backup/lost device was always a thing with these. Could always resort to using Authy (which I learned about today from associated discussions), but I feel there must be a better way.

Could not 1Password supply SMS codes or something?

My current approach is actually to have all the account details, including OTP generation, stored in a vault in 1Password. So when logging onto a new computer, I need my phone with 1Password. And I have a copy of that in my work account's private vault and vice versa. This feels a bit hackish/fragile, so would be interesting to know how people do this.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Tertius3Tertius3
    Community Member
    edited June 16

    I still have every OTP generation duplicated in Microsoft Authenticator, in addition to the same within 1Password. I don't like it to put every egg into the same basket. If 1Password fails or is unavailable due to no logged in devices, I still have the codes in the external authenticator app. Lost passwords on websites can be reset by password recovery operations, but not having a OTP code means calling support. I need the Microsoft authenticator anyway for my Microsoft accounts.

    Thinking about it, it boils down to the fact that I trust Microsoft and Google authenticator more than 1Password, because these are very simple, much less complex apps, while 1Password is a big complex app that will probably fail with a higher probability than the authenticator apps.

    If every single device fails and I lost access to everything, I have the printed QR code for 1Password. I get a new smartphone and create a pristine new Google account for it, so I have a working device. The new account is required to break the chicken-egg problem, because I don't have the Google account credentials yet to login to my existing account. I install Google Authenticator and scan the printed QR code, then enter the printed secret key and master password to login to 1Password. Now I have all my passwords and OTP codes and can setup additional devices. After that, I factory reset the new smartphone and log in to my real Google account, using OTP+password from 1Password from one of the additional devices.

  • Jack.P_1PJack.P_1P

    Team Member

    Hey @fatso83:

    Generally speaking we recommend not storing the two-factor authentication secret for a 1Password account inside any 1Password account. While this isn't an official recommendation, I use Microsoft Authenticator for the two-factor authentication for my account.

    There's actually a few reasons why we don't offer SMS codes or backup codes for two-factor authentication for 1Password accounts the way other services do. Our Principal Security Architect, Jeffrey Goldberg, has laid out the reasons here: https://1password.community/discussion/comment/524761/#Comment_524761

    Great question! Let me know if that makes sense, or if you have any other questions.

    Jack

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file