2 Factor or Partial Password for 1Password

I know it's been discussed at least a couple of times before, but I would like to make an additional request for 2 Factor auth for 1Password.

The addition of keyfob based 2 factor auth protection is the only way I can see of absolutely protecting yourself from a compromised OS. If someone is logging keystrokes (either on iPhone or Windows) and they manage to get your vault files, they have your data. Having a physical separate device would add a valuable additional level of security (and not to mention peace of mind) for the truly paranoid (like me). I would be quite willing to pay extra for a service like this.

Please add this to the queue of people (however short) requesting this feature.



Comments

  • attrapereves
    Community Member

    2FA has been discussed many times here. Since nothing is being authenticated, 2FA won't work for 1Password.

    However, I would like to see YubiKey, or some other sort of key integration. KeePass (a similar, open-source alternative to 1P) offers using a key, plus password to decrypt the database.

  • MikeT
    edited January 2016

    Hi guys,

    As attrapereves correctly points out, 1Password is not using any authentication features; it is using encryption. It's not stored in the cloud by default either.

    If you were syncing with Dropbox, you have the option to use Dropbox's 2FA system. If you don't use 2FA, to breach your data in Dropbox, you would have to breach both the Dropbox.com account credentials and then figure out the master password to the 1Password data file.

    However, we are planning to bring 2FA to the upcoming 1Password for Teams service in addition to another major security feature we added to Teams, the Account Keys. You can find out more in our whitepaper here: https://teams.1password.com/security/ and our article on the Account Key: https://support.1password.com/understanding-account-key/

    @SLRist, two factor authentication is not an absolute fix to this problem and no, it does not in fact protect you from a compromised system. Please be careful with this type of thinking; there is absolutely no hackproof solution in the universe and anyone telling you otherwise is selling you something else. Anything humans can make can be broken by humans as well. The only reasonable thing humankind can do to prevent breaches is to slow the process down enough that it wouldn't matter by the time the breach finally occurs. Basically, when a castle has been broken into, there are no people or gold to take because it took too long to get in.

    In addition, two factor authentication has been bypassed a few times in various breaches throughout the past few years.

    Look at this most recent one for an example as to why two-factor authentication is not really the sole solution: http://seancassidy.me/lostpass.html

    If you did not know in advance your system has been compromised and you see the request to enter your TOTP code, how do you honestly know this has not been compromised to get your code and sent to the adversary to be used locally? 30 seconds is extremely long in the world of computers. They only need that single code to unlock and get the rest of the data out.

    As for keyloggers, that's what the Unlock on Secure Desktop feature on Windows can help with; it isolates the unlocking process from any other process, including keyloggers.

    On iOS, it uses a secure enclave in the CPU to store your secrets, which has not yet been compromised in a single case. It's actually pretty difficult to get in there.

    @attrapereves, in the upcoming Teams solution, it will be 2FA+account key+master password. 2FA hasn't been added yet but it is in the plans.

This discussion has been closed.
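
The thread's distinction between authentication and encryption, and the "key plus password" and "account key + master password" ideas mentioned in the comments, can be illustrated with a short added example (not part of the original thread, and not 1Password's or KeePass's actual scheme). It assumes a PBKDF2 plus HMAC-SHA256 construction, and all names and sample values are constructed for illustration: because no server approves an unlock, the second secret has to be an input to the key derivation itself.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this sketch


def derive_vault_key(master_password: str, key_file: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte vault key that needs BOTH secrets.

    The password is stretched with PBKDF2; the key-file bytes are then mixed
    in with HMAC-SHA256, so neither secret alone yields the key.
    """
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    file_digest = hashlib.sha256(key_file).digest()
    return hmac.new(file_digest, stretched, hashlib.sha256).digest()


def seal_check(vault_key: bytes, vault_blob: bytes) -> bytes:
    """Tag stored beside the vault so an unlock attempt can be verified."""
    return hmac.new(vault_key, b"vault-check" + vault_blob, hashlib.sha256).digest()


def can_unlock(master_password, key_file, salt, vault_blob, stored_tag) -> bool:
    """True only if the re-derived key reproduces the stored tag."""
    candidate = derive_vault_key(master_password, key_file, salt)
    return hmac.compare_digest(seal_check(candidate, vault_blob), stored_tag)


# Constructed sample values (not real secrets or real vault data).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
KEY_FILE = bytes(range(32))  # stands in for a key file kept on a separate device
PASSWORD = "correct horse battery staple"
VAULT_BLOB = b"<constructed ciphertext placeholder>"
STORED_TAG = seal_check(derive_vault_key(PASSWORD, KEY_FILE, SALT), VAULT_BLOB)


def scenarios() -> dict:
    """Unlock attempts with both secrets, and with only one of them."""
    return {
        "owner_with_both": can_unlock(PASSWORD, KEY_FILE, SALT, VAULT_BLOB, STORED_TAG),
        "keylogged_password_only": can_unlock(PASSWORD, b"", SALT, VAULT_BLOB, STORED_TAG),
        "key_file_only": can_unlock("", KEY_FILE, SALT, VAULT_BLOB, STORED_TAG),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'unlocks' if ok else 'fails'}")
```

A process that can read both the typed password and the key file at unlock time still obtains the derived key, so this raises the cost of a vault-file theft rather than making a compromised OS safe.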