To protect your privacy: email us with billing or account questions instead of posting here.

Why does 1P say my Amazon acct needs 2FA set up when it is already set up??

MickT
MickT
Community Member

Watchtower says my Amazon login has 2FA available but I already have 2FA set up on the account. When I click on learn how it sends me to Amazon and tells me how to set up what is already set up????


1Password Version: 1Password for Windows 8.9.14 (80914009)
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Firefox
Referrer: forum-search:Why does 1P say my Amazon acct needs 2FA set up when it is already set up??

Comments

  • shhh
    shhh
    Community Member

    Unless you are storing the TOTP code using the One-Time Password field in the Login item, 1Password/Watchtower has no knowledge whether you are really using 2FA

  • @MickT

    Do you have a one-time password field saved in your Amazon item in 1Password? As @shhh points out, Watchtower is only looking to see if that's the case or not, so if you're using SMS-based two-factor authentication (for example), Watchtower wouldn't know.

    ℹ️ If you are using SMS-based two-factor authentication for any of your accounts, you should switch to using one-time passwords generated by 1Password wherever possible. SMS-based two-factor authentication is not considered secure.

    Let me know if you need any help in getting this working or if you have any questions. :)

    — Grey

  • MickT
    MickT
    Community Member

    So does 1P then become the authenticator app and supply the code? I guess I'd like a little more detail on how this will actually work. I've not used authenticator apps before and the main problem I have with some sites SMS 2FS is only allowing 1 phone number to receive the code, then if my wife is trying to sign in that site, she needs my phone (or visa versa) to receive and enter the code. Will this not be an issue if we use 1P for this?
    Thanks,
    Mick

  • @MickT

    Sharing the code would be done within 1Password. Yes, 1Password would become your authenticator. She would not need your phone number. 🎉 This is the same thing that drove the Mrs. and I to move all of our TOTP codes into 1Password. In my screenshot below you can see the code as it appears in 1Password. 1Password should be able to fill this code as part of the login process. If you share the login with her, then either of you can use the login and you'll always have the code.

    Personal suggestion:

    Create a few test accounts and learn how to generate the code and practice saving them within 1Password. You can also use our testing environment https://fill.dev

  • shhh
    shhh
    Community Member

    @MickT The jury is out on whether it is safe to store 2FA codes in a password manager.

    Another option to share 2FA OTP codes with a trusted person is to use a cloud-sync service like Twilio Authy, and install that on both your devices. Same concept really. When you add 2FA to any account, the provider requires you to scan a QR code which contains a secret seed string that is known to you and the service provider. This seed string can be used to generate the 6-digit one-time password using a known algorithm.

  • goyocafe
    goyocafe
    Community Member

    Shouldn’t the one time passcodes be generated on a separate device? I thought the whole purpose of 2FA was to create a logical and physical gap between the password and the one time code.
    If a bad actor gained access to my 1Password vault, they’d have everything they need to login to all of my accounts if the one time codes are embedded in each login item. If those codes were generated on a separate device, the bad actor would not have enough to log in to my accounts.
    Can someone tell me why having the passwords and one time passwords in the same place is a secure practice? It’s convenient for sure, but I must be missing something related to the overall security of this practice.

  • shhh
    shhh
    Community Member

    The link I embedded in my previous comment has some perspectives on this topic.

  • goyocafe
    goyocafe
    Community Member

    @shhh That’s a great debate in the link you provided. I wish I had read that first. I think the right balance is to have 2FA enabled for the 1Password database and then not have the source of the generated code anywhere near any device that has access to the database.

  • shhh
    shhh
    Community Member

    I'm not so sure. I came away with a different conclusion. Even if you were to store TOTP codes in Authy instead of 1Password, both apps are on the devices I use so if the device is breached and gets into the wrong hands, both approaches have the same risk.

    Can someone from 1Password weigh in here?

    Also, even after I add a OTP code to my 1Password login item, Watchtower still flags it on the Ignored alerts list for no apparent reason. Is this a bug or an I missing something?

  • goyocafe
    goyocafe
    Community Member
    edited February 2023

    I have the same concern about my phone. It has “everything” on it, I.e. 1P, Authenticator, and browser extension. My previous comment alluded to the idea that the Authenticator should be on a completely separate device. This way if you lose your phone with 1P on it, you can log into the 1P website and deauthorize the phone. This would then require whoever has the phone to now have your password and key to make use of the 1P service on the phone. And even if they got that far, they still won’t have the 2FA code required to complete the setup.

    I went looking for a hardware device that could substitute for an Authenticator, but they all seem more complicated than I imagine is necessary for this implementation.

    Maybe something like this:

    https://www.amazon.com/Token2-miniOTP-2-NFC-programmable-Two-Factor-Security/dp/B07RQPJNZH/ref=sr_1_1?crid=29F5OQMD3RFR0&keywords=Token+2&qid=1676551449&sprefix=token+2,aps,208&sr=8-1

    With 1P 2FA setup with a simple hardware token (and not on the phone), it seems to me you can quickly make the information in 1P very hard to access by deauthorizing the phone. Since 2FA only occurs once per device, if you happen to lose the hardware token, no big deal. Just log in to the 1P website from a previously authorized device and reconfigure 2FA with a new token.

    Someone correct me if I’m wrong here.

  • shhh
    shhh
    Community Member
    edited February 2023

    @jpgoldberg appreciate your thoughts here. I'm struggling with this too.

    Right now, my partner and I share our Authy account with the multi device feature. How would this work with a hardware token?

    The other thing to keep in mind is that all apps on your mobile device are protected by biometric authentication but if that's not available (e.g. mask, gloves, etc.) then it falls back to the PIN. A alphanumeric passcode would be more secure than a 4-digit PIN but most people have a 4-digit PIN so that becomes the weakest link in the chain.

  • shhh
    shhh
    Community Member

    My bad, I see that Jeffrey Goldberg has already shared his perspective on this topic.

  • goyocafe
    goyocafe
    Community Member

    @shhh Thanks for the additional article. Another good read. Cheers.

This discussion has been closed.