Two Factor Authentication to login to 1Password - a good idea or overkill?

Angelchops
Angelchops
Community Member

I'm very much a newbie to 1Password and today decided it would probably be a really good idea to add Two Factor Authentication specifically for access to my 1Password vaults.

Having done so I'm now asking myself whether this is overkill. After all 1Password access on a completely new device already needs both the master password and a secret key so perhaps that's enough? I guess my worry now is that my phone which contains the third party authenticator app could be lost or stolen. There's a risk then I might get permanently locked out of 1Password.

The guidance says if you no longer have access the device containing the authenticator app you just need to log in to 1Password and turn off two factor authentication. However, that assumes you can now get into your account in order to do that. There's an obvious catch22 here.

I guess it's a case of balancing the risks. What do most users do?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Tertius3
    Tertius3
    Community Member

    @Angelchops I printed the mfa QR code for 1Password and took it to my important paper documents. In case I lose access to every signed in device, I'm able to install some standalone authenticator app on an arbitrary smartphone (for example Google Authenticator), scan that QR code, and have the 6 digit code for signing in to 1Password.

  • Angelchops
    Angelchops
    Community Member

    @Tertius3 That's interesting and a potential solution. I'm using Google Authenticator too. So just to check my understanding... If I simply generate a QR code as if I was about to migrate the app to a new device and take a screenshot of the code before cancelling the process, then the QR code would still work at some point in the future to set up authenticator on a new device?

  • Tertius3
    Tertius3
    Community Member
    edited August 2023

    @Angelchops You need to print the QR code you actually scanned and activated mfa with. I took a screenshot after I activated the code and verified it was actually working.

    If you're generating a new QR code but abort the process, that code doesn't become active and is invalid.

    If you skipped creating the screenshot, it's difficult to get it again. It's probably more easy to just generate a new QR code and actually activate it, replacing the previous one, and do the screenshot this time.

    A screenshot of a QR code that was actually activated and that has not been replaced with a new QR code can be scanned any time later and it's still valid. You can also scan the same QR code as many times you like with as many authenticator apps you like. You will see the 6 digit codes they generate will all be the same.

    If you scanned a QR code into 1Password, you can read the scanned secret by "Edit" that item, then click into the onetime password field where usually the 6 digit code is visible. In edit mode, you get a otpauth://... link instead that contains the secret as text. You can as well print that secret, however it's more difficult to enter again than a QR code. There are also apps/websites who can visualize that secret as QR code, but it's difficult to validate your code isn't maliciously sent to a eavesdropper, so I'm not recommending such an app.

  • Angelchops
    Angelchops
    Community Member

    @Tertius3 Thanks this is good stuff, I’m grateful for your help. I still have an old iPhone hanging around that I might set up again over the next couple of days just to test this out for my peace of mind and so I feel comfortable with it.

    I still wish, in a way, that 1Password would give the option for 2fa users to generate a set of emergency recovery codes to store securely somewhere. A bit like you can do for Gmail or apps like Zoom, it would be so much easier, but perhaps that’s why they don’t think it’s a good idea!

  • ag_josephine
    ag_josephine
    1Password Alumni

    @Angelchops,

    When using two-factor authentication (2FA) with a 1Password account, if you're able to do so, we would suggest using 1Password on more than a single device - as 2FA is only required when accessing 1Password via a new device, any other additional devices that have have your 1Password account added to them that are already authenticated would be able to disable 2FA in a case where your 2FA code is no longer working or you're unable to access the device containing your authentication app.

  • MerryBit
    MerryBit
    Community Member

    @Angelchops I don't know why no one has given you the link to the blog post about this exact question on 1Password's own blog yet, but here you go: https://blog.1password.com/should-protect-1password-with-2fa/

    TLDR; no, it's not necessary.

  • Angelchops
    Angelchops
    Community Member

    @MerryBit Thank you for this. It is indeed all I really wanted to know in the first place and answers my concerns.

  • ag_josephine
    ag_josephine
    1Password Alumni

    @MerryBit,
    Thank you for providing that helpful article.

This discussion has been closed.