Disable OTP codes for certain devices?
I read a recent horror story about how someone had all their information stolen from their computer (using Dashlane). Basically, the user had installed a trojan, which keylogged their master password, and then decrypted their vault, etc., and got everything.
I'm wondering, for 2FA OTP codes, since those are basically just stored in the vault, it kinda defeats the purpose of having 2FA. Would it be possible to store only the OTP codes on certain devices? Like I don't mind pulling out my phone to get a code, and I know my phone is way less likely to be hacked, because the 1Password app is in its own sandbox, and I only have approved apps installed. But on my Mac, there is a much looser requirement (I do sometimes install apps that are not from the App Store or fully digitally signed; I'm a software dev).
If the phone is the only device that can store the OTP (maybe through a separate secret?), then at least if someone manages to trojan my Mac, they can't get the OTP codes stored on my phone.
Is this something 1password might be able to implement?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
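To make concrete what "storing the OTP in the vault" means, here is an added example (not code from the original post or from 1Password) that implements the standard RFC 4226/6238 TOTP algorithm: a vault entry holds the base32 seed, and whoever decrypts that seed can compute the current and every future code without any second device. The seed `EXAMPLE_SEED_B32` is constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


def codes_from_vault_entry(base32_seed: str, unix_time: int, count: int = 3) -> list:
    """A vault entry stores the base32 seed, not the codes. From the seed,
    the current code and the following (count - 1) 30-second windows are all
    computable locally, which is why a decrypted vault is as good as the phone."""
    padded = base32_seed.upper() + "=" * (-len(base32_seed) % 8)
    seed = base64.b32decode(padded)
    return [totp(seed, unix_time + i * 30) for i in range(count)]


# Constructed example seed (not a real account's secret).
EXAMPLE_SEED_B32 = "JBSWY3DPEHPK3PXP"

if __name__ == "__main__":
    # Prints the current code and the next two, exactly as an authenticator would.
    print(codes_from_vault_entry(EXAMPLE_SEED_B32, int(time.time())))
```

The RFC test vectors (seed `12345678901234567890`) reproduce the published values, so the same seed on any device yields the same codes; the mitigation is keeping the seed off the less trusted device, or using a hardware second factor as suggested later in the thread.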
Comments
Hello @schveiguy! 👋
Thank you for the feedback! Before I respond to the TOTP suggestion I wanted to touch upon 1Password's security. 1Password has various protections to keep your data safe but, as you noted, it can't protect you from malware once it has already infiltrated your system and gained full access to your Mac. The following principles will help to keep your data safe:
- Only download official versions of software from a developer's website or from a reputable app/web store.
- Keep operating system protections against malware turned on. For example, on macOS make sure that Gatekeeper is set to only allow applications from the "App store and identified developers".
- Keep your system updated and don't run old unsupported versions of software. This is especially important for browsers, operating systems, and 1Password itself.
It's also important to remember that 1Password's architecture differs from other password managers in that the account password is only part of the picture. Your data is also protected using your Secret Key and you can further protect your account by using two-factor authentication: Turn on two-factor authentication for your 1Password account
Regarding brute force attacks: our team is continually evaluating how we can better protect your data locally on your device. We recently increased PBKDF2 hashing to 650,000 which helps protect you from a brute force attack that tries to guess your account password. And we use the native security features of each platform, such as Secure Input on macOS, to further protect your data as much as possible from malware and keyloggers.
I'm wondering, for 2fa OTP codes, since those are basically just stored in the vault it kinda defeats the purpose of having 2fa. Would it be possible to store only the OTP codes on certain devices?
It seems to me that it would be very confusing for folks to remember two different passwords and keep track of two different Secret Keys, which is what would be required to store TOTP codes completely separately. However, I'll pass the idea along to our Product team for consideration. Have you considered using a security key, such as a YubiKey, as a second factor for your accounts instead of TOTP? A security key would provide a true second factor for your accounts.
Regarding the safety of storing TOTP codes in 1Password, we have a great blog article here: 1Password & 2FA: Is it Safe to Store Passwords and 2FA Codes Together?
-Dave
ref: 34605315
I didn't mean 2 different passwords, and not necessarily 2 different keys, but having 2 different keys is likely fine (except for the first day, I have not needed to put in my secret key). The idea is to only store the OTP on devices which are highly secure.
For example, on macOS make sure that Gatekeeper is set to only allow applications from the "App store and identified developers".
Yeah, see that's my problem. I'm a software developer, and I need to run applications that require this be turned off. So while I doubt I will get malware on my system, it's naturally less secure than my phone, which has everything stored in secure sandboxes, and only allows approved applications.
Essentially the environment 1Password is running in is vastly different on the 2 devices, and having an option to only store OTPs on certain devices would acknowledge that reality.
Thank you for the reply. If you're using 1Password Families then have you considered creating a new family member, or a guest account, and using that on the less secure device rather than your normal 1Password account? You can read more about guest accounts here:
Share with guests in 1Password Families
You could share only the items that you feel comfortable storing on the less secure device in a vault that is accessible to the guest account.
Alternatively, have you considered using security keys (such as a YubiKey) rather than TOTP for two-factor authentication? Security keys seem to fit your threat model a little better.
-Dave
I am on families, and I have thought of that. Can you create shared vaults that are only shared between 2 users?
Regarding the YubiKey, I am aware of it; it might actually fit my needs better. I haven't looked at it in a long time; it looks like they have solved the issue with phones (by using NFC).
So if I use a YubiKey with 1Password, does that mean that nobody can decrypt my vault without the YubiKey? If so, that seems like a pretty straightforward way to fix this!
Yes, you can create a shared vault that is only accessible to some family members or guests but not everyone: Create and share vaults
So if I use a YubiKey with 1Password, does that mean that nobody can decrypt my vault without the YubiKey? If so, that seems like a pretty straightforward way to fix this!
A second-factor such as a YubiKey plays a role in the authentication of your 1Password account but not in the encryption of the account. This means that an attacker would be unable to add or access your 1Password account on a new device since they would need your YubiKey to authenticate the account. However, if malware already had full access to your Mac then it would only need your account password to decrypt your vault locally on that Mac since your account is already authenticated there.
You can read more about authentication vs encryption here: Authentication and encryption in the 1Password security model
Using a YubiKey with your other accounts would provide protection for the threat model that you described, since a compromise of either your Mac or your phone would not give the attacker access to the second factor needed to log in to any of your accounts.
I hope that makes sense. 🙂
-Dave