How to handle 1Password with TOTP codes when traveling

ducati
Community Member
edited June 2015 in 1Password 4 for Windows

I would like to implement the following scenario:
a) Set up 4 individual 1Password vaults to achieve the following:
1) Primary Vault - holds all web-based login details and passwords where the site has 2FA. This Vault will be stored on Dropbox
2) Second Vault - holds the 2FA one-time password generators - This Vault will be stored on iCloud
3) Third Vault - holds all the recovery codes for instances where the mobile phone is lost
4) Fourth Vault - holds all other secure details that are not time sensitive - This would never be saved onto the cloud, being kept at home.

Initially I thought 1Password would be the perfect tool for this, and after reading past the marketing claims, I realise that this would only be something a Mac user could do, not a Windows user. Has anyone found a way to do this in a Windows environment?

The Windows version of 1Password cannot sync to the Apple iCloud, and for some reason the iPhone version can't be set up to have one Vault in iCloud and one Vault in Dropbox without syncing failures.

Does anyone have suggestions or advice on how to use the excellent 1Password features in an online cloud scenario, but keep the 2FA completely separate from the login details and passwords?

I realise I could create two Dropbox accounts to achieve this, but the overly paranoid side of me would prefer to assume iCloud and Dropbox are not likely to be compromised at the same time when they inevitably do become publicly hacked.

The key goal here is:
1) Store the 1Password Vault in the cloud, but not keeping all the elements of the login together.
2) Ideally I would not put the vault in the cloud, but in a work situation where I'd travel for several months, and the high risk of having the iPhone and iPad stolen, getting the passwords stolen would create major problems, especially without access to the syncing computer at home.

There are many workaround solutions to this like using snapshots saved discreetly somewhere or alternative 2FA solutions like Authy, but 1Password would literally be the perfect solution if only I was on a Mac. Unfortunately that change is not possible, so anyone using the Windows version of 1Password, please help me if you have any brilliant ideas.


1Password Version: iOS 5.4.2 & Win 4.5.0.575
Extension Version: not used in this scenario
OS Version: Win 8.1 Pro (fully patched)
Sync Type: icloud & dropbox

Comments

  • @ducati - You can set up as many separate vaults as you want in Dropbox. This is very easy to do in 1Password on a Windows PC. You can then sync any of these vaults to 1Password on your iPhone. I'm not sure why the need to have 1 of these vaults in iCloud - could you clarify this?

    Another great advantage of Dropbox sync is that you can access your 1Password data in any browser on any computer -
    Log into the Dropbox website: https://dropbox.com
    Open the 1Password.html file inside the folder named 1Password.agilekeychain
    Enter your Master Password to unlock 1PasswordAnywhere.

  • MikeT
    edited June 2015

    Hi @Ducati,

    What you're doing is what's called two-step verification, not 2-factor authentication.

    The point of 2FA is that you have a physical secondary device to be used for separate and in-person authentication, and the said device must not have the original data either. When moving your data vault with 2FA onto the cloud service that's syncing the said data to all of your computers and devices, that eliminates the big advantage of 2FA codes because the hacker just needs to breach the cloud service and not have to have the actual physical device. In addition, you're not supposed to store both the 2FA codes and the actual Logins on the same device, as if that device is stolen, they’d have both as well. That's why using Authy with 1Password on the same device does not increase any security. It's also why we don't call it 2FA but rather TOTP.

    To protect your data in the most secure way, you should use the Wi-Fi sync to push your 2FA vault to your iOS device as that doesn’t leave your local home network. Unfortunately, Wi-Fi sync along with multiple vaults is more difficult to pull off, so it is not easier to use compared to using Dropbox for everything. We are investigating the best way to pull this off that is also simple to use.

    The Windows version of 1Password cannot sync to the Apple iCloud

    It’s not that we cannot sync to iCloud, it is simply that Apple does not have CloudKit API on any non-Apple platforms. We use Apple’s CloudKit APIs to power our iCloud sync, not iCloud Drive which is different.

    If in the future Apple brings it over to Windows, 1Password will be able to sync with iCloud. We are seeing some hints that Apple is talking about this potential at their WWDC conference this week but it is going to take a while to figure out if it is enough for our use.

    …and for some reason the iPhone version can't be set up to have one Vault in iCloud and one Vault in Dropbox without syncing failures.

    That’s mainly because iCloud Sync and Dropbox Sync are two separate systems that don’t sync data the same way. For the same reason, on Mac you can only use the primary vault to sync via iCloud but not the secondary vaults, and you also can’t share vaults between two separate Apple accounts. It’s structured completely differently and syncing between two separate databases is prone to problems, and when it comes to your data, we must prioritize your data integrity above all others, so we eliminated this support a while ago.

    Dropbox sync was built for cross-platform app sync, iCloud Drive and CloudKit APIs weren’t built for this, they’re meant to be used on Apple platforms only.

    I realise I could create two Dropbox accounts to achieve this, but the overly paranoid side of me would prefer to assume iCloud and Dropbox are not likely to be compromised at the same time when they inevitably do become publicly hacked.

    Even if they are compromised, that doesn't mean your 1Password data file is compromised. If someone breached either or both services, they still have to figure out your master password to unlock the data vault and that's much harder than breaching the service. Your 1Password data is always locally encrypted before it reaches any destination like your cloud folders.

    Not to mention, you can enable 2FA authentication for iCloud and Dropbox now.

    The key goal here is: 1) Store the 1Password Vault in the cloud, but not keeping all the elements of the login together.

    As mentioned above, it's not about keeping them together that's the problem, it's keeping the code on a separate device that doesn’t hold the original data as well as syncing to the cloud. This is far more difficult and the main reason 2FA didn’t take off despite being around for more than a decade.

    2) Ideally I would not put the vault in the cloud, but in a work situation where I'd travel for several months, and the high risk of having the iPhone and iPad stolen, getting the passwords stolen would create major problems, especially without access to the syncing computer at home.

    We do appreciate the concern here. The good news is that your 1Password data is built to withstand situations like this, we encrypt your data before it even leaves your local drive to the cloud.

    Secondly, even if your devices are stolen, I'm not sure how having data on two separate cloud services would help here. If the devices are set up to sync with both iCloud and Dropbox, the data would be there locally on both iOS devices. That's why it is important not to keep both 2FA and Logins vaults on the same devices.

    Even if you have only the 2FA vault on the iPad while pushing the Logins vault on the iPhone, that would render the Logins pointless on the iPhone if only the iPhone was stolen. If the iPad was stolen as well, then effectively, it is the same as having no 2FA.

    What you should do first is to ensure your iOS devices are locked more thoroughly with a shorter auto-lock timer, protected with your iCloud account, so that you can issue remote wipe and/or help the local authorities find it via GPS, and so on.

    I think for your situation, as long as you use a strong master password for your vaults both stored on Dropbox and a strong passcode for the iOS lock, you should be okay to go.

    In addition, do not use any public computers, especially when using 1PasswordAnywhere. It is safer to buy a cheap computer to download your data via secure VPN and then decrypt it with 1Password apps, than to use 1PasswordAnywhere on Dropbox.com on a computer you don't have control over.

    PS: Please be sure to keep that recovery key protected and backups are stored on external drives as well as offsite (different location as in the event of fires or other disasters). If your iOS devices are stolen and your list of trusted devices is gone, you can't log back into your iCloud account without the recovery key.

This discussion has been closed.
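
Added example (not part of the original thread and not 1Password's code): a minimal RFC 6238 TOTP implementation illustrating the point made in the reply above, that a TOTP code is a pure function of the stored secret and the clock, so every synced copy of the secret produces the same accepted code. The otpauth:// URI, the account name and all function names are constructed for illustration; the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample entry: the secret is the RFC 6238 test key, not a real account.
SAMPLE_URI = ("otpauth://totp/Example:traveler@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def secret_from_otpauth(uri: str) -> bytes:
    """Extract the shared secret from an otpauth:// URI (a common storage form)."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0]
    return base64.b32decode(b32 + "=" * (-len(b32) % 8), casefold=True)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept codes from +/- `window` time steps (clock drift)."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
        for d in range(-window, window + 1)
    )


def copies_agree(uri: str, unix_time: int) -> bool:
    """Two holders of the same vault entry derive the same code independently."""
    phone_copy = secret_from_otpauth(uri)   # e.g. the vault on the phone
    synced_copy = secret_from_otpauth(uri)  # e.g. the copy in a cloud-synced vault
    return totp(phone_copy, unix_time) == totp(synced_copy, unix_time)


if __name__ == "__main__":
    now = 1111111109  # fixed timestamp (an RFC 6238 test time) for reproducibility
    secret = secret_from_otpauth(SAMPLE_URI)
    print("code:", totp(secret, now))
    print("copies agree:", copies_agree(SAMPLE_URI, now))
    print("accepted by verifier:", verify(secret, totp(secret, now), now))
```

The verifier has no way to tell which copy of the secret produced a code, which is why where the secret is stored and synced decides whether it acts as a second factor.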