wifi sync - security affected if enable TOTP feature?

cjcjcj
Community Member
edited July 2015 in Mac

Hi, I am a new user of 1Password, having switched from another major competitor, and am very impressed.
I switched to 1Password because of the wifi sync option, which I use across Mac, iOS and Android.
My own personal preference is to use the wifi sync option because none of my data is stored on the web - only on devices that are in my physical possession. I do not want to have to worry about hackers - however good and strong the security.

I have just set up and started using the TOTP feature. As someone with zero expertise in this area, can someone at 1Password please confirm that by using this feature, as a wifi sync only user, it will not have any implications on my security?

Apologies if I am not explaining my concerns clearly. I am really just trying to double check that by enabling the TOTP feature I have not made my data somehow less secure - I am now not strictly a wifi sync user but more like someone who stores part of their data on the web, as I have now linked my data to certain websites.
Whereas before unless I clicked on my 1Password to access a certain site my data was in a dormant state and not communicating with anyone, BUT now with TOTP enabled my 1Password is now communicating with the web, all the time, in the background. So from being a wifi sync user only, I am now in fact syncing with the web.
Hope this is somewhat clearer?!..........
Thanks!

Comments

  • littlebobbytables
    1Password Alumni

    Hi @cjcjcj,

    I think there has been a little confusion here.

    1Password doesn't have 2FA built into the defences of your vault, but we do support 2FA for websites or services you use that support/require it; specifically, we support TOTP or RFC 6238, which is the same as Google Authenticator. We support 2FA because our users really wanted to see this happen, although technically you could argue it weakens the security a little given we all tend to store the 2FA in the same Login item as the other credentials. Still, because of the temporal nature of 2FA, it does mean that should somebody for some reason have watched you log in and managed to intercept your password, they still cannot gain access due to the one-time aspect of the 2FA used. Now, TOTP doesn't require communication with the website for the codes, at least not the one we use. What happens is a secret is generated and that is communicated at that point in time, usually through a URI or QR code. After that is stored, though, both you and the server have everything they need, as the algorithm relies on a combination of time and the secret to generate the current code. So 1Password does not communicate with servers in this respect.

    Now, regarding the security of your vault: I think I would suggest our article, Authentication vs. Encryption, as a primer. It talks about the differences between authentication and encryption and will give you an idea of why 2FA in 1Password doesn't make you more secure like we might think it would.

    Please, if you have any questions at all regarding any of this do ask. If I've misunderstood at all please do correct me and we'll get on with answering your actual question :smile:

  • cjcjcj
    Community Member

    Thanks Littlebobbytables, things are now clearer!

  • littlebobbytables
    1Password Alumni

    Glad we could help @cjcjcj :smile:

This discussion has been closed.