OTP Integration

Hey there,
I have a great suggestion for the next release.

How about adding an OTP option to 1Password? There are some OTP authenticators around, like Google Authenticator and some custom implementations of it.

As I don't trust Google or the other stuff around on the App Store, I would like to see the "OTP implementation" implemented in 1Password. ( http://en.wikipedia.org/wiki/Google_Authenticator ) It absolutely belongs in this product.

Even if I already have the pro version, I'm absolutely willing to pay for it as addon or inapp purchase.

What do you guys think about it? Have a look at Google Authenticator, Authy, etc.

It can be used for Facebook, Dropbox, NCsoft online games, etc.

Cheers

Comments

  • MrRooni

    Team Member

    Thanks for the suggestion @XeroX! It's a cool idea and one that we've tossed around internally a bit. We can't comment on when or if 1Password will support this feature, but we appreciate you taking the time to let us know what you think would make our little app even better. Cheers!

  • While it would be great to have support in 1Password for this, none of these apps represent a security risk in their default configurations.

    To simplify, the site you are authenticating to generates a secret key that you enter into the authenticator app. This is then hashed in combination with the current time to generate the passcode that you enter. Some implementations include a device-specific component to this as well. This data is not required to be transmitted to the author of the app for this to work - it's all locally done on your phone - and presumably this data is NOT sent (i.e. the author has integrity and isn't shipping those keys to themselves for nefarious purposes). However, even if it were, it still would require your password (in a properly secured site) before the OTP is requested, so having the OTP key itself doesn't enable the app author to login as you - which, of course, is the whole point of TWO factor authentication. :) This is a long way to say that you would be putting the same level of trust in the AgileBits folks as you would be in Google or Authy.

    Authy, it should be noted, does permit syncing to and from your devices via their own servers. They say that this data is encrypted (presumably with your password, although exactly how isn't stated, as far as I know). Again, even if the OTP keys were directly emailed to them, they are not themselves useful, as your login name and password would not be known to Authy's authors.

    In this respect, you would need to trust AgileBits MORE - since they could conceivably obtain all of the elements necessary to login as you - since you presumably use 1Password to store your account login details. Obviously, AgileBits is a company that we trust (and we know how the data is protected, for the most part), but honesty in information security matters compels us to examine every possibility.

    • Joe
  • MikeT (Agile Samurai)

    Team Member

    Hi @joetomasone,

    > In this respect, you would need to trust AgileBits MORE - since they could conceivably obtain all of the elements necessary to login as you - since you presumably use 1Password to store your account login details. Obviously, AgileBits is a company that we trust (and we know how the data is protected, for the most part), but honesty in information security matters compels us to examine every possibility.

    I'm glad you do trust us. :) We designed 1Password in a way that you don't need to place any trust in us. The data format is accessible in a way that you can design your own app and only trust yourself.

    In addition, this is why OTP isn't yet in 1Password. It's not something we can just drop in without reviewing what exactly goes on. As MrRooni mentioned, we are talking about adding this for folks who just want to use 1Password for everything and not have to install other authenticators. There are other areas that we can improve for OTP/2FA sites, like how filling and auto-saving (desktop apps) would work with them.

This discussion has been closed.