two factor authentication on shared vault accounts
Newbie questions regarding TFA.
- Is there a practical way (when a website supports) two factor authentication (other than by SMS message) to have this setup for accounts in a shared vault. For example, we have 1 Bank of America (BofA) account that we share with access to our checking, savings and credit card accounts that is in a shared vault that we both have access to. BofA supports USB Security Keys that support FIDO. Conceptually, can we each have two or more USB keys (e.g. a Yubikey 5c Nano for our laptops and a Yubikey 5c NFC for our cell phones and other devices) that all provide TFA for this account?
- Conversely, we both have separate accounts to various medical websites (e.g. doctor's office, pharmacy etc). These separate accounts are in separate shared vaults that we again both have access to (for emergencies, billing etc). Do USB Security keys support duplicate sites for separate accounts?
- Is there a practical limit on how many websites or other places we can use TFA on?
Finally, is there a downside to this strategy of using TFA on shared accounts?
Comments
Hi there @73Bruin
I'll come to each point separately for clarity.
Is there a practical way (when a website supports) two factor authentication (other than by SMS message) to have this setup for accounts in a shared vault.
Yes. There's no difference between two-factor authentication on an item in your Private vault or in a shared vault – 1Password treats them all the same. So if you set up two-factor authentication for an item in your shared vault (using 1Password as the authenticator), it'll work for everyone who is allowed to see that item.
BofA supports USB Security Keys that support FIDO. Conceptually, can we each have two or more USB keys (e.g. a Yubikey 5c Nano for our laptops and a Yubikey 5c NFC for our cell phones and other devices) that all provide TFA for this account?
It depends, and to be honest, that's a question the bank will be able to answer more authoritatively than us. They might only allow one security key, or have some limit. If you're using hardware keys for two-factor authentication, 1Password won't be involved, so have a chat with the bank to find out more about that.
Conversely, we both have separate accounts to various medical websites (e.g. doctor's office, pharmacy etc). These separate accounts are in separate shared vaults that we again both have access to (for emergencies, billing etc). Do USB Security keys support duplicate sites for separate accounts?
Again, there might be limits imposed on this by the website in question. You might not be able to use the same security key for multiple accounts with the same website.
1Password supports TOTP (time-based one-time password) for two-factor authentication on your items. Using a hardware security key bypasses 1Password completely since the website communicates directly with the key, so we have no input in the process.
Is there a practical limit on how many websites or other places we can use TFA on?
All of them! Wherever you can use two-factor authentication, you should. Watchtower in 1Password will tell you if you're not using two-factor authentication on websites it knows supports it.
Finally, is there a downside to this strategy of using TFA on shared accounts?
Doesn't sound like it to me. The only thing I would be wary of is recovery options. If you're using only a hardware security key for two-factor authentication at a website, look into what happens if you lose that key or it stops working. If you can set up an authenticator app as well, 1Password can be that authenticator: Use 1Password as an authenticator for sites with two-factor authentication.
Please let me know if you have any questions, or would like any further help. :)
— Grey
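Why a TOTP item in a shared vault works for everyone who can see it, as an added example that is not part of the original thread and not 1Password's code: an RFC 6238 code depends only on the stored secret and the current time, so every holder of the secret computes the same code, whereas a FIDO hardware key keeps its own private key on the device and each key has to be registered with the site separately. The secret below is the published RFC 6238 test key, and the function names are chosen for this illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 Appendix B test key, base32-encoded the
# way a site's "set up authenticator app" page would present it.
SHARED_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, at: int, digits: int = 6, step: int = 30) -> str:
    """Return the RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)           # restore stripped padding
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", at // step)        # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, at: int,
           drift_steps: int = 1, step: int = 30) -> bool:
    """Site-side check that tolerates clock drift of +/- `drift_steps` steps."""
    return any(
        hmac.compare_digest(
            totp(secret_b32, at + d * step, len(code), step), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


def shared_vault_demo() -> tuple:
    """Two vault members read the same item 15 seconds apart."""
    first_member = totp(SHARED_SECRET, 1234567890)
    second_member = totp(SHARED_SECRET, 1234567905)  # same 30-second step
    return first_member, second_member


if __name__ == "__main__":
    print(shared_vault_demo())
```

The same property is why the recovery question in the reply matters: anyone who obtains the TOTP secret can generate valid codes, so access to the shared vault is access to the second factor.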