2fa and locking are not consistently working

delisol
delisol
Community Member

I am trying out 1password as an alternative to lastpass. Here are security problems I'm experiencing:
(1) The 1password extension is set to lock when I exit my browser (Firefox), or 10 minutes of inactivity have occurred. However, I close Firefox, wait a minute, re-open it and the extension is still unlocked. So, even if I have signed out of the 1password website, I can sign back in using the password supplied by the extension.
(2) I've set 2fa up with the Google authenticator. That works right after I've set it up. But if I do the steps in (1), 2fa does not kick in, even though it is still shown as active in the Firefox 1password app.
(3) In an unrelated problem, if I manually lock the extension using the default keystrokes (cntl+shift+L), then unlock it using the default keystrokes (. + L), new tabs open one after the other, each requesting my 1password password. I have to restart the computer (not just close Firefox) to stop this behavior and sign on.

With lastpass, the lastpass site and extension close when I close Firefox. (The 2fa is handled with a text to my phone.) This is not what I'm experiencing with 1pass. I'm looking for a reason to change, but if I can't resolve this security issue and bug I certainly won't. Thanks for any help.


1Password Version: 8.6.0
Extension Version: 2.3.7
OS Version: Windows 10
Browser:_ Firefox

Comments

  • Jack.P_1P
    edited August 2022

    Hi @delisol:

    1Password in your browser (the extension) is able to share a lock state with the 1Password desktop app. If you have the 1Password desktop app installed, then 1Password in Firefox will share a lock state and lock when the desktop app does and vice versa. If you're concerned about someone using your device to fill and access your items, your best bet would be to lock either 1Password or your computer.

    1Password uses two-factor authentication for authentication. Once you've added your account to the 1Password apps, you no longer need to use your two-factor authentication code or security key.

    We're investigating the cause of question 3 you're running into. In the meantime, disabling "Integrate with the 1Password app" in 1Password for Firefox (Right click the 1Password icon in Firefox's toolbar, choose Settings), restart Firefox, then sign in to my.1Password.com. If you haven't signed in with two-factor authentication in the 1Password app, locking and unlocking it will trigger two-factor authentication if necessary. After doing this, you can re-enable "Integrate with the 1Password app".

    Jack

    ref: dev/core/core#14622

  • delisol
    delisol
    Community Member

    I am following up. I had another much simpler question in to 1password support, so fielded this problem as well when I got an answer. I hate it when people ask 2 related sources for help, so apologies--but the answer appears to be to set the integration of the phone app the the Firefox extension "off". At least that resolved some of the problems. I will update this with new info and again, my apologies.

  • delisol
    delisol
    Community Member

    Hello Jack,
    Sorry again, newbie error--didn't see your comment until now. (Went to my gmail "promotions" tab--ugh.) So if I am understanding you correctly, you only do 2fa with the authenticator once? That is pretty neat. Thank you!

  • Hi @delisol:

    That's exactly right. Once you've added your 1Password account to the 1Password app, that app will no longer prompt you for two-factor authentication again (unless you choose "Require 2FA on Next Sign-in" in your profile on my.1Password.com for that device).

    I see that you've reached out to us via email as well, so my colleagues will be with you soon there. Keep an eye out!

    Jack

  • delisol
    delisol
    Community Member

    Thanks a lot for your help, all questions answered. I am pretty sold on the program.
    D

  • You're very welcome @delisol! Feel free to get in touch if there's anything else we can help you with.

    Jack

    ref: YEV-64544-794

This discussion has been closed.