I think using TOTP inside 1P contradicts the 2FA idea
Dear 1P team,
On the one hand I like the new TOTP function inside 1P very much. I have a backup for this important "thing" and I can use it on all my systems. That's great!
On the other hand I think it contradicts the 2FA idea to have all passwords and TOTP keys also inside the same program. If somebody finds out my Master-Password (hopefully never), he knows everything.
But I also have the answers to security questions inside 1P as a note, so this is the same problem as with TOTP. If somebody finds out my Master-Password, he can reset accounts with these answers.
I thought about how to improve this and I have a (first) idea: maybe you can add a PIN code function? So (if the user likes) he needs two passwords:
The first password is the master-password to open the 1P safe.
And for displaying the TOTP keys (and also the answers to security questions, so I mean for some notes) you also need a short PIN. If the entered PIN is wrong (maybe five times), this function should stop working for this 1P client for a longer time.
Maybe this is a possibility to make 1P more secure?
Comments
Hi @Philipp,
You're quite correct: it doesn't offer 2FA when you do this, something our Jeffrey Goldberg wanted to cover in a blog post back in January, TOTP for 1Password users. In it he makes the distinction between true 2FA and something he calls 2-step verification, and where 1Password sits when you keep your TOTP codes in it. I think you'll find it interesting if you choose to give it a once-over :smile: