Is there a way to set how often a security key is needed to unlock the app?
I was testing this out the other day for a family member that was about to go on a business trip, and I found the 2fa while on within their account. The app didn't ask for it. Is there a way to change this?
If there isn't a way to do it now, I would like to suggest this to be added.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided
Comments
-
Hey @crua9 !
Actually, there is no possibility to set how often a security key is needed to unlock the app.
But if you want to limit the access when you're on a business trip or on vacation in another country, you could use Travel Mode to remove vaults from your devices when you travel.
For details, see here: https://support.1password.com/travel-mode/
0 -
The 1Password secret key is only used to sign into a new device. On your current devices, it is saved, so you don't have to re enter when you're using one of your current devices. In a way your account password and the secret are partially like 2FA, but technically it isn't 2FA.
0 -
First off for anyone reason, I'm talking about the 2fa security key/authenticator. Not the secrete key we get for our account.
Sorry if there is any confusion @Kakkoister2
@DenalB
Thanks for the heads up. Travel mode is nice in some situations. But it kind of makes 2fa pointless by having it a 1 time thing.To 1password since it looks like this isn't possible. This is my feature request:
Personally, it would be nice to have it whenever a phone/computer restarts it requires it. And in some situations it requires it each and every time we login. (for example if you don't trust a roommate or maybe your work requires it since keyloggers and RAT are a thing)For example, it would be nice if 1password add the ability where we could pick how often it is needed PER device.
It would also be nice to remotely force it. For example, if you lose your phone and not sure if someone stole it or if you know someone did. You can force it to require 2fa which doubles the security.For example:
My on all my devices I might require it every time it restarts.
For my phone I might require it every week or 2 since I always have that on me, but something could happen.
My desktop every month since it stays where it's at and it's unlikely someone will steal it.
For my laptop every single time/day since I only use it to control and update CNC and laser machines. And someone really could walk away with that without me noticing for a while.The setting IMO should be on the apps itself and on the site. So for example, the setting on the site only controls how often 2fa is used when logging into the site, the setting on the phone app controls only how often on the phone, and so on.
0 -
It would also be nice to remotely force it. For example, if you lose your phone and not sure if someone stole it or if you know someone did. You can force it to require 2fa which doubles the security.
It will not improve security, because the thief is free to disable network access and prevent the 1Password app learn that this device has been deauthorized. In this case, it operates in offline mode as long as he want and offers its items - as long as the thief knows the account password to decrypt the local database.
About device restart and longer time frames: consider a hacker creating his own 1Password client to decrypt the database. The hacker can copy the database from a stolen device any time, then work on it as long as he needs. He don't need to contact any 1Password service, he just operates on the local database that contains the encrypted cached vault content. Device restarts don't matter in this case. The only thing that's securing your passwords in this case is your account password, because this is what he needs to decrypt the database.
So the account password is the thing that actually needs to be secured. Because of this, there are settings when and how often 1Password will keep or forget the account password (lock itself).
The mfa code has one single use: it authorizes a new device, so the encrypted vault content is allowed to be downloaded from the cloud. As soon as the download is completed, the mfa code is of no use any more. It's just gatekeeper on the 1Password internet service that prevents or allows the initial data download. It cannot protect against unauthorized decryption of vault data. It just creates a flag on the servers: allowed to download yes/no. Already downloaded data cannot be protected this way.
0 -
It will not improve security, because the thief is free to disable network access and prevent the 1Password app learn that this device has been deauthorized. In this case, it operates in offline mode as long as he want and offers its items - as long as the thief knows the account password to decrypt the local database.
There could be a setting if offline require security key or whatever to get in. This would easily combat this issue.
I mean what I'm asking for could be done with travel mode. But because the device has a MAC address, the site can refuse access to the device and this prevents the problem person from getting in and turning off travel mode.
About device restart and longer time frames: consider a hacker creating his own 1Password client to decrypt the database.
It's possible a hacker could do this, but you're leaving out a ton of steps. Plus your average hacker won't have this type of knowledge. Plus average people that might grab your phone that might know your password most likely won't have that ability.
For example, if you have an ex that knew your password and they seen your phone or whatever laying around. They could do some real damage. Now in the between when it is require this could still happen. But you know the damage is limited up to a given point. Like you know after x amount of time they can't get back in.You're asking for a perfect solution to everything. There isn't any. In fact, 1password isn't a perfect solution to passwords. If say a lastpass thing happen and hackers got the database. While it is harder compared to any other password manager because of the secret key. It isn't impossible.
I mean by your logic you shouldn't use 1password because it can't be 100% perfect. Where my logic is, we can make it as secure as we can while understanding the limits.0 -
For example, if you have an ex that knew your password and they seen your phone or whatever laying around. They could do some real damage.
You have a point here. That's possible. You want to protect against low tech attacks.
A valid request, however it seriously impacts convenience if 1Password would ask for its mfa code on device restart. For the valid user, this is taking place when he definitely doesn't need it. And how could the mfa code be supplied? By another app installed on the phone, so your ex just opens that app and gets the code? At least this is how the majority of the users will have it. I guess people will not have 2 mobile devices, one regular and one for the mfa generator. Or if you use a mfa generator that requires authorization before you can access the codes?
This would drive me crazy. Consider I rebooted my phone. Some time later, I need to log in somewhere. 1st prompt for userid+password. 1Password starts, asking me for my account password (2nd password prompt). Then asking for the OTP code (3rd prompt). I start the authenticator (2nd app started in background), it's asking for authorization (4th input), I enter some pid or gave my fingerprint, then I get the OTP, copy to clipboard, change back to 1Password, paste the OTP, then ... er, well, what was it I was trying to do in the first place?
I would not use it - I would deactivate such functionality. My mental sanity is more important to me than that little bit of security that can be gained out of it.
0 -
And how could the mfa code be supplied?
Look up what a yubikey is. Also there is yubikey authenticator. Look that up.
Some phones have the ability to act as a security key. I only seen Google use this feature but it uses the Bluetooth. I never played with it myself.
This would drive me crazy.
Then don't opt into it.....
Note I'm asking for an opt in feature where you can select how often per app it will be required.
I would not use it
Good for you. Again, I'm asking for an opt in feature. I don't understand the freak out. Like I understand your other worries. But if you don't want it..... Don't opt into it....
Anyways, look up what a yubikey is and yubikey authenticator. (but a tldr for that is, it's a physical device you need for 2fa. The authenticator reads the key so you can get the 1 time code. The important bits is stored on the key, and can't be copied. Meaning you have to have the physical key to get in.)
0 -
@crua9
I apologize if I "freaked out". It wasn't my intention to be impolite. I just try to be direct on my point, and English isn't my primary language. I wanted to tell what the common user would probably see in this feature. The common user will never use a hardware key such as a Yubikey.0 -
On many other services if you have 2fa this is common. However, they don't give you much of a choice. Like it's a 30 day choice or none at all.
But to be honest, I have my doubts most users have their 2fa turned on at all.
0 -
Hello, I totally agree with Crua9: this would be a very nice feature to have an option to turn 2FA on for specific devices,when unlocking it (work computers, PCs shared with roomates,etc). I belive it would make a huge step forward making our accounts safer. @1password team: would it be difficult and/or time consumming to implement this?
0