Feature request: ability to not sync specific item details (such as TOTP)
Hi,
The idea with multi factor authentication is it's something that is physical that you can't access without having the item. I love that 1Password now supports OTP/Auth Tokens, but it kind of defeats the physical security aspect of it if that token is then accessible via a single password remotely (if a computer I have 1Password on is keylogged/Trojaned) they can access my site password and my OTP.
Just wondering if we can have an option added that will not sync OTPs for an entry/all entries, so that if I add them to my phone, you can only access it from the phone.
-Simon
1Password Version: 5.4.2 iOS, 5.3 OSX
Extension Version: 4.3.1
OS Version: 10.10.3
Sync Type: iCloud
Comments
Hi @scoggins,
Thanks for taking the time to contact us. You are correct that using 1Password to access your TOTP codes means they are not a second factor. They do still offer "one-timeness", though. We covered this in greater detail in our blog post:
TOTP for 1Password users
Specifically, the "One-timeness? Yes" and "Second factor? No" sections. From that same post (emphasis added):
If you would like to turn a site’s offering of TOTP into true two-factor security, you should not store your TOTP secret in 1Password (or in anything that will synchronize across systems). Furthermore, you should not use the regular password for the site on the same device that holds your TOTP secret.
Put simply: the device that holds your TOTP secret should never hold your password if your aim is genuine two factor security.
Personally, I don’t think that following that practice would be worthwhile for anything but a very small number of special circumstances, in which case, you should probably be using a specialized second factor device instead of something like a phone. But not everyone shares my opinion on this, and if you have a need for true second-factor security for some particular site or service, you should take that into account before adding a TOTP secret to 1Password.
It's an interesting suggestion to exclude a specific Login's TOTP codes from syncing to other devices. I think that it would be best to not store the TOTP secret together with the password on any device, though, if "your aim is genuine two factor security".
0 -
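To make the "one-timeness, yes; second factor, no" distinction concrete, here is an added example (not 1Password's code and not from the blog post): a minimal RFC 6238 TOTP generator plus a server-side check. Every device that holds the same seed, synced vault or not, computes the identical code, so a synced seed is a second secret rather than a second factor; what does survive is one-timeness, which the verifier enforces by refusing a time step it has already accepted. The seed is the published RFC 4226/6238 test secret, and the TotpVerifier class is an assumption of this example, not a real server.

```python
import hmac
import hashlib
import struct

# RFC 4226/6238 test secret (ASCII "12345678901234567890"), not a real seed.
TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


def synced_devices_agree(seed: bytes, unix_time: int) -> bool:
    """Two 'devices' (a phone and a laptop with the synced vault) hold the
    same seed, so they produce the same code: possession is not proven."""
    phone_code = totp(seed, unix_time)
    laptop_code = totp(seed, unix_time)
    return phone_code == laptop_code


class TotpVerifier:
    """Hypothetical server side. A code is accepted only once per time
    step, which is the one-timeness a TOTP still provides even when the
    seed sits next to the password."""

    def __init__(self, seed: bytes, step: int = 30):
        self.seed = seed
        self.step = step
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        if counter <= self.last_counter:
            return False  # replay of a step that was already used
        if not hmac.compare_digest(code, hotp(self.seed, counter)):
            return False
        self.last_counter = counter
        return True
```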
Thanks @khad I'll check out the blog post. But yeah I can see having both the password and TOTP secret together is also bad. Wonder if it could be taken a step further so you can have a setting in 1pass so that MFA tokens can only be revealed via finger print scan, you can't access it via a password. Then you still have some physical barrier (your thumb) to access the one time password.
0 -
The trouble there is that Touch ID isn't foolproof. That's why Apple doesn't even use it as a second factor. It's essentially just a convenience. Remember that even when you have Touch ID enabled on your device, you can completely bypass Touch ID and just enter your device passcode to unlock your device. This is because fingerprint scanning is still not 100% accurate, so there needs to be a fallback.
It is great that you are thinking about these things, though! We love thinking about them as well. :)
For now, our recommendation remains the same as in our blog post. But we are always looking forward to what the future brings.
0 -
@acdha: Point taken. But I will say that the advent of System Integrity Protection in El Capitan means that it's virtually impossible for malware to get its hooks in at the system level...but of course you're right that OS X apps aren't sandboxed to the degree that iOS apps are.
Regarding TOTP, though it might be trivial to 'fake' it, and simply not show the TOTP (even though the data is actually present in the vault), it would definitely require some big changes to add this level of complexity to how 1Password segments and syncs data. You're essentially giving 1Password your data, telling it to sync it, and then trying to exclude not individual items, but specific details within an item. Since it's a bit of a tall order, I'd like to understand the scenario better.
So I guess my question is this: why is 1Password unlocked in the first place? If it isn't, of course, someone needs your Master Password to get at your items, TOTP or otherwise. You may not think of it in the context of your TOTP concerns, but you probably have a lot of other data in 1Password that is just as sensitive.
Ultimately if you're leaving 1Password unlocked for extended periods of time where your data could be susceptible to compromise, a good first step is to review your security settings. Then we can talk about options for further securing specific data, either in theory (a nonexistent feature) or in practice (simply creating an item for the TOTP in a separate vault). If you have specific examples of this use case, I'd be interested to hear them! :)
0 -
@brenty: the benefit I had in mind was not having the TOTP seeds synced at all, rather than simply not displayed. I agree that the odds are high that a keychain compromise is going to be disastrous but was thinking that e.g. it'd offer a way to avoid someone getting Gmail credentials and locking the user out of the recovery mechanism for everything else. The best answer for that particular case, however, is probably switching to U2F.
I am puzzled, however, by the question about keeping 1Password unlocked for long periods of time since that's how 1Password Mini works so anyone who gets access to a desktop with that feature enabled would also get access to your TOTP codes without the master password if there's any flaw in the sandboxing. Maybe that's really saying that 1Password Mini should have a timeout option.
0 -
@acdha: Ah, thanks for clarifying! That certainly seems reasonable. I guess I'd be concerned about losing TOTP data in that case though. I don't know about you, but many people depend on all of their 1Password data syncing. For example, if you've got your "full" 1Password vault on your computer (including TOTP) and it dies...well, unless you've got an easily accessible, complete backup of that, you won't be able to get everything back by syncing or access it on another device.
Maybe that's really saying that 1Password Mini should have a timeout option.
I'm not sure what you mean. 1Password mini is 1Password. It's what you're locking and unlocking, whether you're using the browser extension or the main 1Password window. So if it isn't locking, it's because you've told it not to in your security preferences. Be sure to let me know if you have any other questions! :)
0