2-steps verification for 1PW

Inno
Community Member

Why hasn't 1PW for Mac 2-steps verification? Now only the master password will do to get in.
I refer to the latest events at LastPass. Now that LastPass has been hacked there will be 2-steps verification coming soon.
I wonder why that shouldn't be necessary for 1PW as well.

Greetings
Inno


1Password Version: vs 5.3.2.
Extension Version: vs 4.3.1.
OS Version: OSX 10.10.3.
Sync Type: Dropbox

Comments

  • danco
    Volunteer Moderator

    Basically, because the 1PW data is always under your control, there's no need for two-step authentication, and the master password is safe.

    Now, if you choose to use a sync method such as Dropbox or iCloud, they could be breached but that would still not give access to your master password.

    And you can just keep your 1PW data on your own computer, so no risk of a breach unless someone can gain access to that.

    In between the two options (syncing in the cloud or keeping all data on your computer) are possibilities such as folder sync or wi-fi sync, which are local to you.

  • littlebobbytables
    1Password Alumni

    Hi @Inno,

    The first thing I would like to do is post the link for a security post made by our Mr Goldberg on Two Factor or not Two Factor. Although the post is a couple of years old, nothing has changed.

    Part of it comes down to the fact that you don't authenticate yourself with 1Password; when you supply your Master Password you are decrypting your vault. To try and highlight the difference I'm going to quickly mention OS X and FileVault. Say you don't use FileVault on your Mac but you do have a password to log into your account. When you supply that password you're performing authentication, you're proving to OS X that this is you. If I gain physical access to your Mac though, I can bypass authentication and trample all over your user account. When you introduce FileVault though, that first request for your password is a lot more than merely authentication, it's supplying access to the encryption keys so that OS X can access the drive at all. With FileVault enabled, physical access to the drive in its encrypted form is useless.

    So why do I mention this? Authentication, Two-Factor or not, serves a very different purpose from encryption and it needs to be done correctly in the right context. Could we add Two-Factor Authentication to 1Password? We could, but the application is only on your machine along with your vault. If a person has access to the file representing your vault then, given we use standard encryption algorithms, there is no need for them to attack your vault via the 1Password application. In fact they would be much wiser to use another program designed to use password lists etc. before resorting to brute force, and all in an automated way. Doing this bypasses the authentication, and if we lead you to believe that the authentication makes you more secure than you are, we've done you a disservice in my mind.

    I'm also going to supply a link to a KB article of ours titled Authentication vs. Encryption, another page that might be of some interest.

    The crux of it is we've tried to place all the security in the encryption, made choices to hinder access to the contents when our program is bypassed. This, combined with a strong Master Password is how we aim to protect your data and thus you.

    You may have a few thoughts on everything I've written so please do post back if you do :smile:
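
The authentication-versus-encryption distinction discussed in this thread, as an added example that is not part of the thread and is not 1Password's code. It compares a store that only checks a password and one-time code before handing over plaintext with a vault whose file is encrypted under a key derived from the master password. The function names, the iteration count, the sample data and the toy stream cipher (standing in for AES so only the standard library is needed) are assumptions made for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # demo value (assumption), not 1Password's actual setting

def _keys(master_password, salt):
    # Stretch the master password, then split into encryption and MAC keys.
    k = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    return (hmac.new(k, b"enc", hashlib.sha256).digest(),
            hmac.new(k, b"mac", hashlib.sha256).digest())

def _xor_stream(key, nonce, data):
    # Toy stream cipher (HMAC-SHA256 in counter mode) standing in for AES so the
    # example needs only the standard library. Not for production use.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(master_password, plaintext):
    """Encrypted vault: the file on disk is ciphertext; the password yields the key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(master_password, salt)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(master_password, blob):
    enc_key, mac_key = _keys(master_password, blob["salt"])
    tag = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # wrong password (or tampered file): nothing is decrypted
    return _xor_stream(enc_key, blob["nonce"], blob["ct"])

def gated_store(password, otp, plaintext):
    """Authentication-only store: the file is plaintext; the app merely asks first."""
    return {"pw_hash": hashlib.sha256(password.encode()).digest(), "otp": otp, "data": plaintext}

def gated_read(store, password, otp):
    ok = (hmac.compare_digest(hashlib.sha256(password.encode()).digest(), store["pw_hash"])
          and hmac.compare_digest(otp, store["otp"]))
    return store["data"] if ok else None

SECRET = b"bank: constructed-sample-password"  # constructed sample data
if __name__ == "__main__":
    gated = gated_store("correct horse", "492817", SECRET)
    sealed = seal("correct horse", SECRET)
    print("app, wrong OTP:     ", gated_read(gated, "correct horse", "000000"))
    print("copied gated file:  ", SECRET in gated["data"])  # app bypassed, data readable
    print("copied sealed file: ", SECRET in sealed["ct"])   # only ciphertext on disk
    print("sealed, wrong pw:   ", unseal("wrong guess", sealed))
```

The second factor in `gated_read` only protects the path through the application; the copied file is protected solely by what `seal` did to it, which is why the strength of the master password and the key derivation carry the weight.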

This discussion has been closed.