Enabling 2FA for Biometrics
Hi there,
first things first: thank you 1Password team for doing such great work making password managers both beautiful and simple enough that I can recommend it easily to my family. (Which I did, and even my mom successfully uses 1P now =D)
But I have a little topic / idea I want to discuss regarding the security of one's 1Password installations. (Maybe you already thought about this internally and have good reason for not implementing this.)
Many will use biometric authentication (Face-ID / Touch-ID) in order to "skip" entering the 1Password master key – which is also secure in terms of infosec by not typing in the master password in a public space. Yet with a compromised biometric auth (e.g. some of my friends have their girlfriend / wife added to Face-ID in order for them to be able to change a song while he is driving) someone could log into the device and after this also right into 1Password.
By having the choice to add an additional PIN code (so e.g. biometric + 6 digit PIN) or, for accounts with a security key (e.g. on a Mac, Touch-ID + security key — they are probably even positioned very close to each other), one could have the comfort of not having to type in their master password and yet isn't exclusively dependent on this one factor that unlocks the devices / user accounts and the password manager.
For the account itself – so if someone tried to log in from a new browser (or device) – a second factor (or third, if you count the secret key as a separate one) is already possible to add. (TOTP / security key)
I would love unlocking 1Password on my devices with the biometrics and one of two YubiKeys. And it could remain optional so normal users won't be bothered by a handful of crazy ones. ^^
How are the 1Password team and/or the community thinking about this idea / approach? Am I missing something very obvious why this would be a bad idea?
Greetings, thedaneu
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
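To make the proposal concrete, here is an added example (not 1Password's code and not part of the original post) that models the unlock gate the post describes: the OS biometric prompt stays the first step, but once a PIN or security key is enrolled, biometric alone no longer opens the vault. The PIN is stored as a PBKDF2 verifier, and the security key is simulated as a token answering a fresh random challenge with HMAC-SHA256 (a simplification; real FIDO2 keys use public-key signatures). All names, the `UnlockPolicy` class, the iteration count and the sample PIN are constructed for this illustration.

```python
"""Hypothetical unlock-policy model: biometric + (PIN or security key).
Added example; not 1Password's implementation."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumption: a typical PBKDF2-HMAC-SHA256 work factor


def make_pin_verifier(pin: str) -> tuple[bytes, bytes]:
    """Enrol a PIN: return (salt, PBKDF2 verifier). Only the verifier is stored."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return salt, verifier


def check_pin(pin: str, salt: bytes, verifier: bytes) -> bool:
    """Re-derive and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, verifier)


class SimulatedSecurityKey:
    """Stand-in for a hardware token (constructed for the example).

    Real keys differ in detail; the property modelled is that only the holder
    of the token's secret can answer a challenge it has never seen before."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


@dataclass
class UnlockPolicy:
    """App-side gate sitting behind the OS Face-ID / Touch-ID prompt."""
    pin_salt: Optional[bytes] = None
    pin_verifier: Optional[bytes] = None
    key_secret: Optional[bytes] = None  # registered at enrolment (assumed symmetric scheme)

    @property
    def second_factor_enrolled(self) -> bool:
        return self.pin_verifier is not None or self.key_secret is not None

    def unlock(self, biometric_ok: bool, pin: Optional[str] = None,
               key: Optional[SimulatedSecurityKey] = None) -> bool:
        if not biometric_ok:
            return False  # biometric is always required in this model
        if not self.second_factor_enrolled:
            return True  # today's behaviour: biometric alone unlocks
        if pin is not None and self.pin_verifier is not None:
            if check_pin(pin, self.pin_salt, self.pin_verifier):
                return True
        if key is not None and self.key_secret is not None:
            challenge = os.urandom(32)  # fresh per attempt, so a captured response cannot be replayed
            expected = hmac.new(self.key_secret, challenge, hashlib.sha256).digest()
            if hmac.compare_digest(key.respond(challenge), expected):
                return True
        return False


def demo_shared_face_id() -> dict:
    """The post's scenario: a second person is enrolled in Face-ID."""
    salt, verifier = make_pin_verifier("482913")  # constructed sample PIN
    key_secret = os.urandom(32)
    owner_key = SimulatedSecurityKey(key_secret)
    stranger_key = SimulatedSecurityKey(os.urandom(32))
    policy = UnlockPolicy(pin_salt=salt, pin_verifier=verifier, key_secret=key_secret)
    biometric_only = UnlockPolicy()  # nothing extra enrolled
    return {
        "no_second_factor_enrolled": biometric_only.unlock(biometric_ok=True),
        "owner_with_pin": policy.unlock(True, pin="482913"),
        "owner_with_key": policy.unlock(True, key=owner_key),
        "partner_face_only": policy.unlock(True),
        "partner_wrong_pin": policy.unlock(True, pin="000000"),
        "partner_other_key": policy.unlock(True, key=stranger_key),
        "no_biometric": policy.unlock(False, pin="482913"),
    }


if __name__ == "__main__":
    for name, ok in demo_shared_face_id().items():
        print(f"{name:28s} {'UNLOCKED' if ok else 'denied'}")
```

The `partner_face_only` case is the one the post is worried about: the enrolled partner passes the device's biometric check but, with a PIN or key registered, the vault stays locked. Note that the policy still treats the biometric as mandatory, so the combined unlock is strictly stronger than either factor alone rather than a choice between them.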