OTP / TFA to unlock 1Password itself

Rob Raymond
Community Member
edited January 2015 in 1Password 4 for Windows

Hello,

I'm reading a lot about being able to add OTP entries in a vault (which is fantastic BTW), but no "recent" mentions of actually using them to unlock the 1Password application. Software / Hardware keyloggers make me nervous...

My apologies if this has been brought up before.

Thanks,

Rob

Comments

  • DBrown
    1Password Alumni

    Thanks for letting us know that would be useful to you, Rob!

  • jpgoldberg
    1Password Alumni

    TOTP and similar schemes make sense when you are authenticating to a remote service, but it isn't really something that could be used coherently for decrypting local data.

    Authentication schemes are about convincing some gate keeper to "let you in". But there is no gate keeper who can grant or deny you the ability to unlock your 1Password data. Instead, your Master Password is used (indirectly) to transform your data from encrypted to readable. Whether that transformation succeeds or not is not up to some gate keeper, but is a direct consequence of the mathematics.

    This, on the whole, is why so-called Multi-factor Authentication doesn't really provide any additional security for password managers. And it is only relevant when there is some authentication in the first place.

    1Password works solely on encryption instead of authentication. An encryption-based system means that there is no gate keeper that can be tricked or gone around. It means that we have no ability at all to get at your data. 2FA is designed to bolster an authentication process (as these tend to be a point of weakness). We've designed 1Password without authentication and so there is nothing to bolster.

  • jpgoldberg
    1Password Alumni
    edited January 2015

    Hello again, @Rob Raymond!

    Let me add that adding some second factor to unlocking 1Password data would not protect against key loggers running on your own system.

    There is a scheme that would present some minor hurdles to an extremely limited range of attacks. But such a feature would be for creating the appearance of security, instead of adding to real security. For a more thorough discussion of what can (and can't) be done to defend against key loggers, please take a look at: Watch what you type: 1Password's defenses against keystroke loggers.

    I hope that this helps. And please let me know if you have further questions.
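
The distinction drawn in the two replies above, as an added example that is not part of the thread and is not 1Password's code or vault format: a local vault opens purely as a result of key derivation, and an OTP check bolted onto local unlock is only an if-statement in front of it. The function names, the PBKDF2 iteration count, the stand-in cipher and the sample data are all assumptions made for illustration.

```python
import hashlib, hmac, os

def derive_keys(master_password, salt):
    # PBKDF2 turns the Master Password into an encryption key and a MAC key.
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, dklen=64)
    return okm[:32], okm[32:]

def keystream_xor(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the demo needs only the
    # standard library; a real vault would use an authenticated cipher such
    # as AES-GCM. XOR with the keystream both encrypts and decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(master_password, plaintext):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault(master_password, vault):
    # No gate keeper here: whether this returns data depends only on whether
    # the keys derived from the supplied password are the right ones.
    enc_key, mac_key = derive_keys(master_password, vault["salt"])
    expected = hmac.new(mac_key, vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    return keystream_xor(enc_key, vault["nonce"], vault["ct"])

def unlock_with_otp_gate(master_password, otp, expected_otp, vault):
    # Hypothetical "second factor" on local unlock: an application-level check.
    # The OTP never enters key derivation, so it adds nothing to the encryption.
    if not hmac.compare_digest(otp, expected_otp):
        return None
    return open_vault(master_password, vault)

# Constructed sample data, not a real vault.
VAULT = seal("correct horse battery staple", b"example.com login: s3cret")
```

The OTP gate refuses a wrong code, but the same vault bytes still open through `open_vault` with the Master Password alone, which is why the extra check does not help once the password has been captured on the local machine.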

  • Rob Raymond
    Community Member

    Thanks for the quick replies. Looks like I have some homework to do. :)

    Keep up the great work,

    Rob

  • DBrown
    1Password Alumni

    Thanks, Rob!

This discussion has been closed.