Recently I submitted a case on 2FA, obviously i was very green as far as that process, but now I hav

bried
bried
Community Member

Recently I submitted a case on 2FA, obviously i was very green as far as that process was concerned , but now I have a more specific question.
1. I am using a Software Authenticator
2. I set it up and used 1Password as the first entry
3. Got my QR from your 1Password.com
4. Added QR to the software successfully
5. Then later realized that 1Password App could ALSO receive the one-time password so I scanned the same QR code into the 1Password entry as a "one-time”password. And doing this step in another account activation of 2FA , I found out that IT completes the 2FA ALERT in WatchTower.

So my understating is that the Software Authenticator communicates with the appropriate website and receives the one-time code every 30 seconds. The software then stores it in a special keychain. 1Password 8 App just accesses this keychain and displays it. IF I were to delete the software Authenticator entry for 1Password it would break the chain?

Comments

  • bried
    bried
    Community Member

    One more question: it looks like I activated 2FA for my Sign-On only and not the whole FAMILY? Not sure how “shared” entries in Shared Vaults will behave?

  • ag_josephine
    ag_josephine
    1Password Alumni

    Hi @bried,

    Am I correct in my understanding that you had originally set up two-factor authentication (2FA) for your 1Password account using an authenticator but are now using 1Password as the authenticator for your 1Password account, or at least have set up 1Password to authenticate your 1Password account?

    For your second question, setting up 2FA will have no effect on the Shared vaults for your family member; 2FA is account specific and would not effect the accounts for your family members in any way if you have set it up for yourself.

  • bried
    bried
    Community Member

    I misunderstood the fact that I had to use 1Password as an Authenticator. So I am using both an independent software and 1Password. Based on what I learned, i will discontinue using the independent software to keep things simpler. (and ultimately convince my wife to use 1Pass Authenticator also)

  • ag_josephine
    ag_josephine
    1Password Alumni

    @bried,

    When using 2FA for your 1Password account, we do not recommend using 1Password as the authenticator and would instead recommend using a 3rd party authentication app such as Authy or Microsoft Authenticator; you can then use 1Password as the authenticator for any accounts and items stored within 1Password.

  • bried
    bried
    Community Member

    So my next question is. If you recommend using Authy (as an example) and you recommend it as a first choice, WHY do you (1Password) make 2FA available? I don’t understand.

  • Tertius3
    Tertius3
    Community Member

    If you use 1Password as sole app for storing the 1Password mfa code, you get into a circular dependency if you sign out from every device or lose access to all signed in devices. If you want to sign in from a new device, or from a device you signed out, you need the mfa code. But you don't have access to the code, if you don't have any other signed in device.
    In this case, to break that dependency, you need to have a standalone authenticator that provides you with the code for signing in to 1Password.

    Accidentally signing out can happen fast - it's just a mouse click on that function from the menu. Or you deinstall the app by accident from your phone - its data is gone then, you need to sign in again if you reinstall.

    Because of this, it's important you keep an external copy of the QR code you get at enabling mfa for 1Password. You can scan these QR codes as often as you want, they are not onetime. As well as the secret key you get in the emergency kit.

    Personally, I printed the emergency kit, added the account password, and added the mfa QR code. In case I lose access to every signed in device, I can pull that QR code, get some new phone, install some authenticator app (for example Google Authenticator), then scan the printed QR code. Now I'm ready to sign in to 1Password: with the 6-digit code I read from Google Authenticator. Only after signing in that I have again access to 1Password items and to the 1Password mfa code stored within 1Password.

  • bried
    bried
    Community Member

    I appreciate the detailed explanation. I know understand why. But I still have one question. When would I use 1Password as an “Authenticator”?

  • bried
    bried
    Community Member

    My Watchtower 2FA Alerts were all solved. Now that I switched it to “Authy” 2FA it is back. I think there should be some kind of identifier within a Login Item that I turned on 2FA and it is “Authy” AND thereby satisfying the Watchtower 2FA requirements.

  • bried
    bried
    Community Member

    Asking Tertius3, your detailed explanation are you describing ALL LOGINS or just the 1Password LOGIN? I think this is where I am going wrong.

  • Tertius3
    Tertius3
    Community Member
    edited June 2023

    I only discussed the 1Password login. All your regular login items you store in 1Password can ( and should, for convenience, in my opinion) have their mfa code exclusively stored within 1Password.

    Your 1Password code is the only mfa code you should additionally store in some extra authenticator app. Store it in 1Password itself and in some extra authenticator. And print its QR code as you did for the emergency kit, and store its screenshot along the emergency kit pdf.

  • bried
    bried
    Community Member

    Thank you very much. The pieces are falling into place . Thank you!

  • ag_josephine
    ag_josephine
    1Password Alumni

    @bried,
    You're welcome, don't hesitate to reach out if you have anymore questions.

This discussion has been closed.