Is it at all possible to truly need 2FA on every sign-on on mobile?

FransP
Community Member

I have 2FA enabled for my account. I know that 2FA is only used to protect transport of the vault from cloud<>device, that's fine. What I want is to actually NEED 2fa to access any vault data on my mobile. The data in the cloud is at least protected by secret key + passphrase, data on my mobile isn't as the secret key is already on it.

I know 1P keeps a local cache and as people have pointed out, just asking for 2fa to grant access would be security theater. So obviously the app would have to remove that local cache when logging out of 1P (or being logged out due to time-out/idle/lock). And yes I of course realize that would make offline use impossible :) That's a trade-off a user can then make for themselves. I consider mobiles at sufficient risk of loss/stolen that I prefer to enforce actual two-factor input to get to my passwords.


1Password Version: 8.10.6
Extension Version: Not Provided
OS Version: Android 11
Browser: Chrome
Referrer: forum-search:two factor

Comments

  • Hi @FransP, thanks for writing in.

    I'd be happy to share your interest in this feature with the team for further consideration. You've laid out a clear use case here but it's always good to have personal insights in the feedback we file. So, if you can let me know any additional details as to why this feature would be helpful for you, I'll be able to pass that on to the Product team.

    Currently there are a few manual options to re-prompt for 2FA but they weren't designed quite for what you mentioned here so I understand that they may not suit your needs. On 1Password.com from the "My Profile" page you can deauthorize a device or set it to require 2FA on next sign in (this applies to the following sign in only). You can also sign out of 1Password for Android from Manage Accounts... > your account > ⋮ > Sign Out.

    Thanks again!

  • FransP
    Community Member

    Hi @ag_timothy, thanks for responding!

    Oh.. there is the logout option, that's well hidden! :) I did look for one, but only found the 'lock' option. Good to know what I want can be achieved, just a bit of a hassle to get there. Moving the logout option to the main account dropdown (the one you get when you click the face icon right-top) would help, but might confuse or hinder other users.

    My use-case to have an 'always remove downloaded vault on lock' would be that I want 1Password on my mobile once locked to (truly) require two factors to access the vault. One being the 2FA (hardware yubikey in my case, yes I have two ;-) and one being the passphrase. I suppose I was expecting 'lock' to do a 'logout'.

    I use 1P primarily on my pc at home. On that system I'm fine with leaving the downloaded vault and thus not requiring 2FA (in lastpass terms that system was 'trusted' forever). Given my usage pattern I wouldn't want 2FA asking every time I use 1P on pc :)

    As I use 1P not a lot on mobile I want it to be as much locked/logged out when I don't use it. I sort of expect to lose my phone at some point. Which is also why I'm fine with entering 2FA/yubikey every time I need to use 1P on my mobile, because that's rare for me.

    My banking app asks if I want to truly logout when I use 'back' to get out of that app. That would work well for me with 1P on mobile, but wouldn't work on iPhone.

  • Hi @FransP, thanks for following up with me and sharing this detailed use-case!

    While I can't make any promises as to if or when this sort of feature would be added, I've filed a feature request on your behalf with the Product team for further consideration. I've also shared your feedback regarding surfacing the "logout" option and/or providing other avenues to reach it such as the "truly logout" when exiting option you mentioned.

    While I certainly hope your phone is never lost, we do have some recommendations for that unfortunate situation: If your device was lost or stolen, and it has your 1Password data on it

    Let us know if you have any questions or there's anything we can help with!

    ref: 33319490

This discussion has been closed.