Best way to use 1Password along with other security mechanisms?
Hello,
Fairly new to 1Password.
1Password itself is very strong for securing passwords... but using it along with other security mechanisms (available for free) makes it tighter, which is the best part.
So far I have come across/learnt about these:
1. Passkeys (as this is new and completely fails on my end; posted here)
2. TOTP (2FA authentication): learned that 1PWD allows saving 2FA codes and automatically helps fill them in when prompted. Again, how does this differ from the login details saved in 1Password? If a user gets access to my 1PWD, they also gain access to the rest of the TOTP stuff. Is securing TOTP in 1PWD suggested, or a third-party app (MS/Google etc.)?
3. USB security (not looking for this at the moment, as I have to switch between PC/laptop and 2 Android devices).
4. Traditional SMS (is there a way 1PWD can read my SMS and enter the code from it into the app, at least on Android devices?)
5. Login with Google/MS/FB to any site (supported by 1PWD; those details can be saved in 1PWD, but again all details are saved in one place).
6. Any other 1Password security mechanism/layer which I don't know or haven't read about? Please help me clarify my doubts on this and suggest what would be best.
I will go ahead with the SMS thing as well for the most important sites (related to money) if supported/allowed by the site; this will again be a leak on a lost mobile, temporarily..
Thanks.
Will appreciate feedback from members on this.. I am sure we can have a healthy discussion/brainstorming on this.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
The mechanisms you listed implement different concepts and serve different purposes. You also omit the most widespread and basic mechanism: username/password.
When it comes to SMS, which you seem to prefer: don't rely on it. It's insecure, especially for financial transactions. Try to migrate to some other mechanism if the financial provider offers it. The more recently a mechanism was offered by a provider, the more secure it is in general. Change to the more recently offered mechanism. (Security goes forward, not backwards in time.)
SMS is not very secure, because there are real-world scenarios (it has happened!) where criminals ask the telco provider to send them, on your behalf, a "replacement" SIM to their site, so they're able to receive the SMS. The SMS protocol itself isn't encrypted either, so it's possible to siphon SMS communication from the internal telco equipment.
Login with Google/MS/FB is mostly for convenience. You have only 1 account and use its credentials elsewhere. It's as secure as your Google/MS/FB account. Google/MS/FB care about account security, so these are accounts with somewhat strong security, often better than the security of the service you're logging in to if you don't use Google/MS/FB. The only downside is that you're dependent on an additional service for authentication: Google/MS/FB. If you lose your Google/MS/FB account, you lose every other account you use your Google/MS/FB account to log in to. It lessens management, because instead of managing your whatever account, you only need to manage your Google/MS/FB account. Personally, I hate the dependency, so I never use "Login with Google/MS/FB". But that's only my personal preference. I don't know if using Google/MS/FB will provide better or worse security.
TOTP codes stored within 1Password: As far as I remember, studies have shown that the directive to use a separate authenticator app on your mobile is inconvenient for many users, in a way that many users don't actually enable 2FA on their accounts to avoid this inconvenience. So they operate their accounts with less security for convenience. It was agreed that it's better to include TOTP generation in password managers (where the other factor is already stored: the password) to provide the missing convenience instead of letting users avoid TOTP completely. Studies have also shown that storing both factors in the same password manager doesn't actually reduce security much, because compromising this would require a successful attack on the password manager on a client, not only mass hacking of website user databases.
So storing your TOTP codes in 1Password helps convenience and doesn't actually reduce security much. And actually, since I use that feature in 1Password myself, I actively strive to enable 2FA with TOTP on every account I own instead of reluctantly enabling it only if the website insists on it, as in previous times when I used a standalone authenticator app on my mobile.
-
Thanks for the great explanation.. Appreciated.
You also omit the most widespread and basic mechanism: username/password.
This is of course the best mechanism when it comes with a password manager.
Thanks for the explanation of the SMS security issues.
Again, pros/cons of using MS/FB/G accounts for login to sites..
Quote from - https://blog.1password.com/passkeys-2fa-totp-differences/
If you want the protection of true 2FA, your one-time passwords need to come from a different device than the one that holds your account passwords.
TOTP according to you is still best; I find no difference between TOTP codes stored in 1PWD and using logins without TOTP (when the account is compromised).
A. But yes, in case of a website breach, TOTP is the last savior (the biggest advantage in today's world).
B. Passkeys being the most recent, will wait for your inputs here as well.
C. I have at present all the backup/recovery codes for 2FA in their respective logins; any suggestions for this?
I agree with this - https://blog.1password.com/why-trust-1password-cloud/
Which combination is more secure along with 1PWD?
**1PWD + 2FA or 1PWD + Passkeys or both?**
I want to implement the best which can be easily accessible cross-platform (Windows and Android at present) for a few important sites.. the rest can go with any.