Using 1Password on a Mac via an app. How do I ensure that I have 2FA every time I sign in?
I am a new user
1Password Version: 7
Extension Version: Not Provided
OS Version: Not Provided
Browser: app
Comments
-
Hi there @ashokc1009
When you use two-factor authentication on your 1Password account, it works the same way as two-factor authentication does for many other websites, which is that you'll be prompted for it when you sign in to a new device for the first time. After that, the device is trusted, so you can unlock 1Password using your account password or an alternative unlock method, like Touch ID or an Apple Watch.
This means that you should expect to use two-factor authentication for your 1Password account only when signing in for the first time on a new device, not unlocking. If you sign out of 1Password on that device, you'll need two-factor authentication again when you sign back in.
Please let me know if you have any questions, or would like any further help. :)
— Grey
PS. I noticed in the footer of your post that you're using 1Password 7. That version is discontinued, and you should upgrade to 1Password 8 to make sure you're using a supported version: Upgrade to 1Password 8 for Mac.
0 -
Hi GreyM1P,
thank you very much for your quick response. I just moved from LastPass, where I was able to enforce the rule that 2FA is required for each login. Vanguard also has this feature. You are right, most other websites use the trusted device methodology; some require revalidation after a month. I am terribly paranoid nowadays and therefore was looking for some feature within 1Password which can be set up so that 2FA is required every time. I use a YubiKey. By the way, when I quit 1Password and even after restarting my Mac, 1Password still does not require me to use the YubiKey. Is there some setup I did wrong? 2FA is required if I use a new browser or laptop.
I am currently using "1Password for Mac 8.9.13". I assume that this is 1Password 8.
Thank you very much.
Ashok.
0 -
When you unlock 1Password (using your account password or biometric unlock) your data is decrypted locally so a determined and well-equipped attacker with access to your device would be able to access your information since your vault data is already unlocked and decrypted. To require a "re-auth" using a YubiKey after your data is already decrypted locally using your account password would potentially, in this case, be an example of "security theatre" where a feature claims to offer more security on a surface level but in reality doesn't actually offer more protection.
What I personally do on my device is set the auto-lock time to a short duration so that 1Password locks after a short period of inactivity. I also have biometric unlock enabled so that I can quickly unlock 1Password without having to enter my account password: How to set 1Password to lock automatically
> By the way, when I quit 1Password and even after restarting my Mac, 1Password still does not require me to use the YubiKey.
This is expected behaviour. You'll only be prompted for your YubiKey the first time that you add your 1Password account to a new device or browser.
-Dave
0 -
Thank you Dave.
0 -
You're welcome. We'll be here if you need anything. :)
0 -
Hi Dave1P,
Maybe I was not clear with my concern. I had already set up my auto-lock to switch on after an extremely short duration of inactivity. My question is as follows: How do I set up 1Password to require 2FA every time I want to unlock? I.e. similar to many bank and investment accounts being set up to require 2FA, which is usually a 6 or 8 digit code being sent to the cell phone or by YubiKey. I do not believe that this is an example of "security theatre".
Thanks
Ashok
0 -
Two-factor authentication for your 1Password account is only used when signing in, so you'll be asked for your Yubikey (or other second factor) when signing in to 1Password on a new device or in a new browser.
When unlocking 1Password on a device where you've already signed in, you won't be asked for two-factor authentication.
Two-factor authentication for your 1Password account is to prevent someone unauthorised from obtaining your encrypted 1Password data in the first place. When you sign in to a device, using two-factor authentication in the process, it's done its job.
This is in line with two-factor authentication for most websites where the second factor is only required at new sign-ins, rather than at every sign-in.
Hope that clarifies two-factor authentication's role for your 1Password account. Please let me know if you have any questions, or would like any further help.
0