Why not use 2 factor authentication to secure my 1Password Vault?

Comments

  • InTheRealWorld
    Community Member

    If credentials are exposed, accidentally or otherwise, or stumbled upon from some mishap or careless happenstance, 1Password has no backup catch. Someone with no skills at all, just lucky enough to gain the credentials, could gain access.

    Web access could allow management of the account without displaying credentials, one doesn't necessarily preclude the other. It would limit access to the native apps, and remove the store one more step for the public.

  • InTheRealWorld
    Community Member

    The bottom line is that there are situations where it would help; that is undeniable. So why ignore those situations just because it wouldn't help in EVERY situation? As nothing is TRULY secure, the best that can be done is to secure from as many angles as possible. That's what a password manager is for, and complex passwords, and a secret key... not because each is the final and irrefutable answer, but because in concert, they reduce the risk level incrementally to a point of acceptable risk.

  • What we want to avoid is creating a false sense of security. For example, if we were to implement such a solution, we wouldn't want folks to start feeling comfortable logging into their 1Password accounts from public computers "because MFA is protecting me."

    We're still looking into options here and we may eventually have a solution somewhere along the lines of what folks in this thread are asking for, but we want to be sure we pick a solution that 1) actually solves some problems vs just simply being "security theater" and 2) doesn't give a false sense of security (or at least provides documentation along with it that explains situations that are still not safe despite MFA).

    Thanks.

    Ben

  • prime
    Community Member

    Ben,

    What we want to avoid is creating a false sense of security. For example, if we were to implement such a solution, we wouldn't want folks to start feeling comfortable logging into their 1Password accounts from public computers "because MFA is protecting me."

    That's just it, false sense of security. I know too many people who also use weaker passwords because of MFA. Even with MFA, I will never log onto 1Password on a computer that I don't control. If I need the password THAT bad, I'll email the password to myself, log into my email, do what I need to do, and when I get to my computer, I change the password for those accounts.

    Might not be the safest way, but I'd rather have 1 account compromised than all of my accounts. Luckily I have yet to need to do this.

  • InTheRealWorld
    Community Member

    Right.... let's eliminate seatbelts and airbags because they give drivers a false sense of security and then they might drive crazy.

    They will all be safer with no seatbelts and airbags because they will all drive completely safe, and never have an accident again.

  • AGAlumB
    1Password Alumni

    Right.... let's eliminate seatbelts and airbags because they give drivers a false sense of security and then they might drive crazy.

    @InTheRealWorld: That's a terrible analogy, but point taken. :)

    Eventually, it seems everyone else has given up because it’s like talking to a machine with an automated response, or a horse with side blinders.

    If you think these are "machine responses", I'm not sure I believe that you've read them. A machine could make the same points more succinctly. :tongue:

    Time-based and true “one time use” does have real and useful applications, which a good portion of the world sees, and which AgileBits keeps coming up with specific, narrow scenarios where it wouldn’t make a difference, and then throwing it all out the window because of the limited failure modes of the weakest 2-Factor you could implement.

    If you reread my previous replies (especially the last one, which was specifically addressed to your comments), you'll see that I agreed with you that one-time passwords in particular and multifactor authentication in general do have useful applications. You provided the specific scenarios, and I merely offered . We've been discussing the threat profiles for which it offers a security benefit, and those it does not. And rather than "throwing it all out the window", we've already had Duo support for quite a long time, to the point I can't recall when we added that initially.

    At this time, 1PassWord has ZERO protection if credentials are compromised, which to me is 1-factor, not even 1.5 factor.

    That's demonstrably false. You can sign up for a 1Password Teams Pro account and use Duo today, and you can always change your account credentials if needed; they aren't set in stone.

    I don’t see how it can be reasonably argued that 1-factor can be as secure as 2-Factor, which by definition ADDS a layer of security.

    Literally no one but you has said that. It isn't a position I'm willing to argue, even as a "devil's advocate". :lol:

    I will test out the Teams version, as it sounds like it does what I am looking for, although paying more and having to use more complex software for a feature that almost every other password manager includes in the base program is a work around, IMO, not a solution.

    The software is the same, so it is not more complex. It just has additional features that you can choose to use, or not, as you see fit. If you want to use only the additional authentication and ignore the rest, you can do that. Ultimately you get what you pay for: with 1Password Teams, that means more flexibility, features, and priority support. And in the case of authentication, each factor is truly separate from the other credentials, rather than being derived from your password...which is not always the case with others. :unamused:

    The denial of any benefit of 2-Factor using these limited scenarios is why I say AgileBits is skirting the issue. It seems AgileBits just doesn't like it, and/or doesn't want to go to the trouble of development to implement a meaningful 2-Factor solution, and keeps trying to talk their way out of it. Meaningful 2-Factor solutions do exist, and can be implemented, and we see that it is worth the effort, regardless of the weak excuses that keep coming back to us.

    No one is making excuses, and I'm not sure where this "denial", "skirting", and "AgileBits doesn't like it or want to go to the trouble" stuff is coming from: you can use Duo today as many others do, which you've already acknowledged. But we're not going to release a beta feature to all users, or release a feature broadly at all unless it meets our standards for security and usability. Anyone non-techy who's had to use . We try to make sure things don't suck so that everyone can use them, not just the type of nerds who enjoy participating in security discussions on internet forums — and I'm including myself in that. ;)

    Web access could allow management of the account without displaying credentials, one doesn't necessarily preclude the other. It would limit access to the native apps, and remove the store one more step for the public.

    Yep. That's an interesting idea. :)

    The bottom line is that there are situations where it would help; that is undeniable.

    Agreed 100%.

    So why ignore those situations just because it wouldn't help in EVERY situation?

    We're not.
    Rick laid it all out better than I could already, and was very upfront about the fact that this is very much something that we're interested in...which is why we implemented Duo support in the first place. I sometimes get the impression that the only acceptable response to requests to add "2FA" to 1Password would be "Yes, it is available now for all users, even those using local vaults" (again, local vaults are the ostensible topic of this discussion, and authentication does not apply there, so I hope you'll keep that in mind). But no person or company will be happy with the same solution, so, as with everything, we have to start somewhere and find a good, usable solution that will help the greatest number of users. I think that's a good thing, rather than rolling out something unusable and insecure (which many others have done) only to fix it later. Security and usability cannot be an afterthought for 1Password, and if that means we're not first to market with some bullet points, that's okay. We're determined to get things right if we can help it, rather than shipping broken security and fixing it later.

    As nothing is TRULY secure, the best that can be done is to secure from as many angles as possible. That's what a password manager is for, and complex passwords, and a secret key... not because each is the final and irrefutable answer, but because in concert, they reduce the risk level incrementally to a point of acceptable risk.

    You've said it beautifully. We're really on the same page here, except that you're on the outside waiting for us to give you something you're looking for, and we've got this dang obsession for building things that are as delightful to use as possible, along with making them as secure as possible. If we only cared about one or the other, we'd probably be out of beta and releasing on time always...but caring about both means we're going to be a bit stubborn sometimes. But I think you'll like Duo, and I suspect you'll like some other things we'll be releasing in the future as well. ;)

  • jl6098224
    Community Member

    Read all the comments where 1Password is just trying to be bullish about security practice and all.
    I think this is no issue at all if it is looked at from a customer-focused company's perspective.
    The customers want 2-factor authentication (customer satisfaction should be the focus here), so why be difficult about whether it is secure or not?
    If your current architecture can't support 1-factor authentication for people who want it, let us know and maybe try something else.

    It's a customer discussion forum but it's turning into a technology forum. Customers want 2-factor authentication; now it's left to you to implement it or not.
    Thank you

  • AGAlumB
    1Password Alumni

    Read all the comments where 1Password is just trying to be bullish about security practice and all. I think this is no issue at all if it is looked at from a customer-focused company's perspective. The customers want 2-factor authentication (customer satisfaction should be the focus here), so why be difficult about whether it is secure or not?

    @jl6098224: Security theater doesn't benefit anyone, and in fact harms. If you pay a company to monitor your home around the clock, that may make you feel more secure in the short term, but if you are broken into while you're on a long vacation (house is safe, right?) and nothing is done because no one was actually paying attention, you're actually worse off than if you'd known that you didn't have real security and planned accordingly. That's the kind of thing many easily-bypassed "2FA" solutions actually offer, so we're keen to learn from the mistakes of others if we're to do anything in this area.

    If your current architecture can't support 1-factor authentication for people who want it, let us know and maybe try something else.

    I think you meant two-factor. The 1Password Teams Pro plan offers Duo authentication today, so people can choose to use that, or not, as they see fit.

    It's a customer discussion forum but it's turning into a technology forum. Customers want 2-factor authentication; now it's left to you to implement it or not. Thank you

    As mentioned previously, this is very much something that we're interested in; we just can't comment on what (or when) we'll release in the future. We love having these kinds of discussions though, so thank you as well. :)

  • waterishail
    Community Member
    edited January 2018

    I would also like to echo what is being said here - I will not be upgrading to 1Password online until this feature is there.

  • AGAlumB
    1Password Alumni

    @waterishail: Thanks for letting us know how important multifactor authentication is to you! However, as mentioned previously, Duo authentication is already available as a beta feature in the 1Password Teams Pro plan...so technically shouldn't you have already signed up to try it? ;)

  • waterishail
    Community Member

    Due to the cost, I am not planning on looking at the Teams solution; plus, it is overkill for what I need, which is just the 1Password solution.

    Will I be able to downgrade to use the standalone vault option once the evaluation finishes?

  • AGAlumB
    1Password Alumni

    Due to the cost, I am not planning on looking at the Teams solution; plus, it is overkill for what I need, which is just the 1Password solution.

    @waterishail: That's fine. We don't have any promotions going right now, but I know some folks locked in lower rates when they were available. Just making it clear that what you're asking for is already available for those who want it, especially if that is the most important feature.

    Will I be able to downgrade to use the standalone vault option once the evaluation finishes?

    If you're not certain you're going to stick with it, I'd recommend not deleting your data, as then you wouldn't have to do any work to migrate back again. No harm in signing up for an account just to test it. You can play with it for 30 days without having to pay anything or even add a credit card. Cheers! :)

  • mkd
    Community Member

    Dear Brenty

    As a normal consumer who doesn’t know too much about security, I don’t want you to lecture me about security. All I know is that almost every big company (Google, Microsoft, Apple) has added 2FA to their services, and this feature adds an extra layer of protection to my account.

    I appreciate you trying to enlighten everyone about how 2FA is not as secure as everyone thinks. But you guys at 1Password could offer this feature even if you don’t believe in it; just do it from a marketing perspective and maybe add a note that 2FA is not secure or whatever.
    (Give me the choice, don’t choose for me)

    I’m sorry to say that I had to switch to LastPass due to the lack of 2FA.

    Please consider this feature as you can see a lot of 1password consumers are not happy with your decision not to add 2FA to your app.

  • AGAlumB
    1Password Alumni

    Dear Brenty As a normal consumer who doesn’t know too much about security, I don’t want you to lecture me about security.

    @mkd: Welcome to the forum! Since you're new here, I'm not sure how I could have lectured you about anything, but I'll try not to. Just keep in mind that this is a public support forum, so we do need to consider everyone who may read this and try to be as clear and thorough as possible. Please don't be offended if you read something that you already know, as it's probably not meant for you in that case. But there are a lot of people out there with different backgrounds from you, so I hope you'll take that into account before taking personal offense.

    To address your specific points:

    All I know is that almost every big company (Google, Microsoft, Apple) has added 2FA to their services, and this feature adds an extra layer of protection to my account. I appreciate you trying to enlighten everyone about how 2FA is not as secure as everyone thinks. But you guys at 1Password could offer this feature even if you don’t believe in it; just do it from a marketing perspective and maybe add a note that 2FA is not secure or whatever.

    I'm sorry, but we're just not going to offer something we don't believe in, especially only for "marketing" to give people a false sense of security. We're not going to lie to our customers.

    (Give me the choice, don’t choose for me) I’m sorry to say that I had to switch to LastPass due to the lack of 2FA.

    You do have a choice, and it sounds like you've made it. There's nothing to apologize for! It's your data, and I respect you for making the choice you feel is right for you.

    Please consider this feature as you can see a lot of 1password consumers are not happy with your decision not to add 2FA to your app.

    As mentioned previously, 1Password already does offer multifactor authentication, in the form of Duo in 1Password Teams beta. And offering something like that to all 1Password.com members is already something we're considering...but we're not going to release something like this unless it's done right. I'm sorry if that wasn't clear, or got lost in the larger discussion.

    Our first priority was to introduce Two Secret Key Derivation (A.K.A. Secret Key + Master Password) with 1Password.com accounts, as that protects all 1Password.com members' data through encryption. Unlike multifactor, this is not optional; it's built in. Multifactor authentication is almost always optional because it has some serious implementation and usability issues in many cases. We want anything we do in that area to solve more problems than it creates, so we'll wait until we have something that meets that standard, which is what our customers expect of us — and we expect of ourselves.

    Certainly there are a vocal minority of 1Password.com members who do want multifactor authentication, and we care enough about them to not only take all of this feedback seriously, but also to ensure that we don't have the knee-jerk response of rolling out something to meet short-term demand at the expense of long-term happiness. What if we add this feature, but later, after rolling it out and people using it, we find that we should have done things differently? I'm sure you can imagine that simply disabling it and changing it to something new on the fly would be a problem, and making users do this and then go through and set it up again with the new thing would suck. So we'd rather take the time to get it right if we can.

    And what about all of the people who enable it because it's the new thing, "almost every big company" is doing it, and their nerd friends are all cheering "2FA! 2FA" (said in Homer Simpson voice for full effect)...and then they immediately proceed to lock themselves out of their accounts because we don't design or explain it well enough. Google says that only 10 percent of accounts use their two-factor, and that's going to include people who get locked out and have to get it reset. I'm not sure it would be appropriate for 1Password.com accounts, given the security implications, to have a "reset" option. All of that is to say these are all factors we need to consider because we care about our customers. Part of our job is education, but if we can make doing the secure thing intuitive enough, people won't need a "lecture" to use 1Password. And if we can roll out something that more than 10% of our customers can use — to actually be more secure, without making their experience worse — that's a huge win. :)
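The "Two Secret Key Derivation" point above (the Secret Key combined with the Master Password so that the vault key depends on both) can be made concrete. The Python below is an added illustration, not 1Password's own key derivation: the PBKDF2-then-HMAC mixing, the HMAC-based stream cipher, the 100,000-iteration count and the sample vault contents are all constructed for the demo. What it shows is the property the post relies on: a leaked Master Password alone, or a leaked Secret Key alone, does not open the vault.

```python
"""Two-secret vault key derivation, illustrated (constructed demo, not 1Password's KDF)."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumption for the demo; real iteration counts are a tuning choice


def generate_secret_key(nbytes: int = 16) -> bytes:
    """128-bit Secret Key created on the device; never something the user memorizes."""
    return secrets.token_bytes(nbytes)


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte key from BOTH secrets.

    PBKDF2 slows guessing of the human-chosen password; the HMAC step folds in the
    Secret Key so the password alone yields a key unrelated to the real one.
    (Illustrative mixing; 1Password's actual construction differs in its details.)
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, ITERATIONS)
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (demo only; real code would use AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(plaintext: bytes, master_password: str, secret_key: bytes) -> dict:
    """Encrypt-then-MAC a vault blob under the two-secret key."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    key = derive_vault_key(master_password, secret_key, salt)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_vault(vault: dict, master_password: str, secret_key: bytes):
    """Return the plaintext, or None when the pair of secrets is wrong (tag mismatch)."""
    key = derive_vault_key(master_password, secret_key, vault["salt"])
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, vault["nonce"] + vault["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    stream = _keystream(enc_key, vault["nonce"], len(vault["ciphertext"]))
    return bytes(c ^ k for c, k in zip(vault["ciphertext"], stream))


def demo() -> dict:
    """Who can open the vault when only ONE of the two secrets leaks? (constructed data)"""
    secret_key = generate_secret_key()
    password = "correct horse battery staple"  # constructed sample password
    vault = seal_vault(b"login: alice / pw: s3cr3t", password, secret_key)
    return {
        "owner": open_vault(vault, password, secret_key) is not None,
        "leaked_password_only": open_vault(vault, password, generate_secret_key()) is not None,
        "leaked_secret_key_only": open_vault(vault, "guess", secret_key) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

In this model the Secret Key is generated with `secrets.token_bytes` on the device and is not derived from anything the user remembers, so a password-guessing campaign against an exposed vault file cannot recover it; that is the encryption-side protection the thread contrasts with authentication-side MFA, which gates access to the account rather than to the ciphertext.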

  • mattmoretti1
    Community Member
    edited February 2018

    This entire discussion is nonsense...you want to protect people from a false perception of security? Only people who understand security at least at a basic level will even know what 2FA/MFA is (let alone turn it on), and many enterprises need it for contractual or regulatory compliance reasons as has been mentioned.

    If nothing else make it available only for teams so enterprise customers have the ability to make the determination, or do you think security professionals are ill-equipped to make the decision to use or not use 2FA?

  • Ben
    edited February 2018

    If nothing else make it available only for teams

    It is, for the reasons you outlined. Duo MFA is available to 1Password Teams Pro plan subscribers.

    Ben

  • JaedaRich
    Community Member

    I've been using 1Password since 2010,
    and today I migrated from standalone to a 1Password account.
    But I am disappointed, because the 1Password account does not have 2FA.

    I have read this discussion from beginning to end, and I agree with other users' posts that 2FA is very important if someone attacks my computer with a keylogger, keystore, or similar program. It will be safer if there is 2FA.

    But 1Password seems to have another thought,
    and maybe I will follow other customers who move from 1Password to LastPass.

  • AGAlumB
    1Password Alumni

    @JaedaRich: I'm not sure I understand why this is suddenly a blocker for you if you've been using 1Password for that long. Our security model remains the same, yet is strengthened in 1Password.com accounts by the Secret Key. I appreciate that this may not matter to you though. If 1Password doesn't meet your changing demands, we'd rather you use a competitor's product than nothing at all. We're not going to add a "security feature" unless it adds actual security, especially if it can potentially get a lot of people locked out of their data. Many other products offer "2FA" that is either insecure, not actually a second factor, has a backdoor for "recovery", or, more often than not, all of the above. We're just not going to do that. And, regardless of "2FA", if an attacker has control of your device, it's game over anyway. If we add this feature in the future, it will have to make 1Password better, not worse, and not be mere security theater. There are plenty of other options out there though if you value that above all else. Stay safe out there.

  • nated1
    Community Member

    Having read the discussion, I’m somewhat intrigued by the opinion of the 1Password team.

    Without discounting the value of a 128bit secret key (for sure it adds value), and while understanding that the design of 1Password stipulates that both the secret key and the master password are meant to remain secret, that assumption can easily be broken.

    It would seem to me a simple virus targeting 1Password would be sufficient to obtain the secret key. Assuming a key logger or similar, and both items are compromised. Similar could happen with undesirable corporate policy.

    Yes, I agree that at that point if the attacker has the vault it’s game over for what was stored in it, but I’d expect more from 1Password for the following.

    Noting that the 1Password user may be blissfully unaware of the data breach, then

    1. The attacker might not have retrieved the vault, and might not be in sufficient control to go back after the fact to retrieve it. In such a situation, MFA to authorize syncing / retrieving the vault stands a reasonable chance of preventing the retrieval of the vault, and potentially alert the user of the deep trouble they are in. Yes, the vault would be compromised, but let’s not make it easier to retrieve the material.

    2. The attacker need not specifically mean to steal the data, but instead corrupt it in such a fashion that disguises the problem to the user. E.g. modify entries in the vault to proxy connections to a slightly new URL. Now when you click and fill, you hit their site, but if you’re not savvy you might not catch it.

    3. The attacker could simply delete / scramble your live data. Hold it ransom. Their target need not be to use your data.

    Basically, I understand the difference between the value of encryption and authentication. They serve different roles. The secret key is a good idea imho, but doesn’t address the fact that I don’t necessarily want to authorize someone to access my 1Password account or live data within simply by having it.

    To the developers of 1Password, my analysis of the product has been sufficiently brief that I could have missed how you address this. Acknowledging that a vault is compromised with the secret key + master password + vault data retrieved by an attacker, how does 1Password make it impossible for that attacker to destroy / encrypt / ransom / corrupt / or cause my live data to point to websites of their choosing?

    MFA of some variety seems like the standard answer to this.

    Thanks,
    Devin

  • Hi @nated1,

    Our position has been that if your machine is “rooted” (compromised to the point that someone can read your keystrokes) there is little if anything 1Password can do to protect your data. If you have a virus on your computer that is capable of capturing your Secret Key and Master Password it is also capable of stealing your data as you fill it into web pages (whether you do that using 1Password or by hand), as one example. You’re right that often times MFA of some sort is touted as the answer to this sort of problem, but the reality is that an attacker with that level of access isn’t going to be stopped by MFA.

    We’re all for making 1Password as secure as possible while balancing convenience considerations, but what we absolutely want to avoid is lulling people into a false sense of security by offering solutions that they think / assume solve a problem that in reality the solution does not address (“security theater”). Folks might feel more inclined to log in on a public / untrustworthy device if they have MFA enabled when in reality that would still be a terrible idea.

    That said we have been closely evaluating how MFA / 2SV (two-step verification) might fit in, and what problems it might solve for 1Password customers. We recently took Duo authentication out of beta for 1Password Teams customers, and will continue to evaluate how we might move that sort of service forward.

    Use Duo for your team

    I hope that helps!

    Ben

  • nated1
    Community Member

    Hi Ben,

    Thanks for the response. So what I’ve heard is that my analysis is essentially correct for the current product, and that the security model is such that

    if an attacker retrieved secret key (I’m assuming that requires no special privs as it has to be readable by a process running in the user context), and

    If an attacker determines the master key (I’m not suggesting a key logger here - yes a key logger may need to have rooted machine, but I’m not suggesting a key logger as the attack vector - the problem with passwords is they tend to be weak/shared with others/reused/ etc - I’m sure you’re intimately aware given the role your company plays in trying to solve with the product)

    Part 1 needs read access to secret key, which any process running as the user likely has,

    Part 2 needs the attacker to determine a password. The problem everyone including yourselves is already trying to solve for is the weakness of passwords. 1Password adds nothing especially new at this stage so this password could be as weak as any password

    Then the attacker obtains:

    1. The full contents of any vault files they may have access to (obviously) - i.e. the ability to decrypt a vault they have access to. This is to be expected.

    2. Full authentication and authorization to the cloud services / account services as provided by 1Password, including ability to retrieve vault, use vault, modify data, rekey vault, hold critical assets for ransom, etc, with no additional mechanisms to attempt to make more difficult or further challenge the user.

    Part 2 is the surprising bit and represents a known / acknowledged risk within the product and service at this time.

    When I say MFA, I include 2SV and several other approaches I’ve seen or evaluated. That function might be in teams via Duo which I will look into.

    1Password may be evaluating MFA/2SV in other ways.

    Have I missed anything?

    Thank you,
    Devin

  • AGAlumB
    1Password Alumni
    edited March 2018

    @nated1: I think you make some good assumptions based on planning for the worst case scenario, but I don't follow you with regard to the "known / acknowledged risk within the product and service". It sounds like you're saying that you using a weak Master Password which can be easily guessed (or giving it to the attacker outright) is a flaw in 1Password, and that doesn't seem reasonable.

    It's also important to keep in mind that in your scenario, an attacker impersonating the user on the machine who is able to get the Secret Key should also be assumed to be able to collect other information, such as the Master Password as you enter it, or intercept a one-time password to use instead of you as well. When someone else controls your machine, it is no longer your machine, and all bets are off. Multi-factor authentication, in most cases, will not help you with that. I think that needs to be acknowledged.

    However, you may want to look into the Duo option in the 1Password Teams Pro plan, as it has a slightly different approach to what you may be used to, utilizing push notifications to a separate device rather than a code that you have to enter on the same machine you enter your Secret Key and Master Password.

    Ultimately there is nothing that can fully protect you when you've ceded control to an attacker, as they can just sit back and collect data as you access it in that case, but measures like this can help mitigate some specific attacks. I hope this helps. Be sure to let me know if you have any other questions! :)

  • nated1
    Community Member
    edited March 2018

    Hi @brenty;

    I'll move on quickly enough. My intention isn't to badmouth 1Password or compare to the competition. In evaluating the top 3 password managers, I'm overall quite impressed with 1Password.

    I happen to be a security professional, and work in regulated privacy/security markets. My current interest is by and large personal. One weak area I see is this notion of 'all is lost when ...'. I directly challenge your assumptions. I will happily stipulate that all is indeed lost when an attacker has 100% access to all of the resources of the intended victim and can duplicate the victim's habits, but this is almost never the case. Most attacks don't involve fully rooting a system / having access to the full profile of resources a user has.

    Example, from an online gaming service - not meant as a comparison to your competition, but as a challenge to your assumptions. A parent buys an online gaming system, and subscribes to the online accounts for online game play. One of their kids is asked for the username + password into the account by an unknown third party, and the child is 'socially engineered' into providing that information to the third party. The third party tries to log in, but since the parent set up MFA/2SV they are denied access without an additional token. The parent gets a text saying 'you're trying to log in for the first time from a computer located in a city they clearly don't live in - the token code is XXXXXX'. The parent immediately logs into the account and changes passwords, and then determines one of their children shared private information. All was not lost, and potentially serious consequences from data loss and account takeover were avoided.

    I can easily imagine that or many other scenarios where the private key material that 1Password uses for encryption becomes not private. Social engineering, software bug, OS bug, snoopy friends, etc., etc. All doesn't need to be lost - and multiple technologies exist, successfully implemented across multiple platforms, and in multiple industries for that very reason.

    So, my question is basically - what mechanisms or tools, if any, does 1Password have or support which would prevent that very real life example I just provided (it's by no means an exhaustive list of all the possibilities that exist)? If 1Password does not have any technology or process to mitigate, and other industries/products/technologies do, and this is a plain and simple real world risk, how is that not a "known / acknowledged risk within the product and service"? Clearly, the team has made design decisions aware of this kind of risk, and made a stated assumption that 'all is lost'.

    Yes, I would advocate for 2SV (although in my world it gets lumped into the overall MFA technology space). No, I'm not advocating for ineffectively implemented or backdoored MFA, and yes, I am aware of the difference between marketing claims vs actual provable security (i.e. I'm not saying MFA is everything). No, I'm not saying 1Password sucks or the competition is better because you don't have it either - as I said, I'm overall quite impressed with 1Password.

    I'm moving on to evaluate the Duo integration. It could be that you've only started rolling out 2SV/MFA in your more enterprise tools.

    Thanks,
    Devin

  • AlwaysSortaCurious
    AlwaysSortaCurious
    Community Member

    @nated1 When evaluating software, and this is just my habit, I try to evaluate the interest and knowledge of the staff, the sales team, the thought behind design decisions, and how they interact. E.g., once upon a time, a leading password manager put an OTP key in the browser so they could reset user access on demand. Plaintext. That told me all I needed to know. Dumb decisions there probably meant dumb decisions elsewhere, or features implemented in a rush to accommodate everyone and everything, or little or no intellectual review; it was all downhill for me from then. I kind of appreciate the culture that leaks out here in the forum, the willingness to stick to their guns to implement features they have the time, energy, and focus to implement well. Their willingness to have some of their senior staff stick their necks out. We all have different criteria... not criticizing, but MFA in this context for me doesn't have the same value as it does for my retirement account. Just a different POV regarding MFA. If my Android phone is owned, and I am using Google Authenticator to validate my access to 1Password on that same phone... access to the OTP secret and everything else.... retirement account too! (Some days it just feels hopeless).

    But also, from a sales standpoint, the lack of 2FA made pitching 1Password a non-starter at work, fair or unfair. That obstacle is now removed or lessened for teams.

  • nated1
    nated1
    Community Member
    edited March 2018

    @Ben, @brenty;

    Thank you both for your comments, and the recommendation to try the Team edition + Duo. I hate to ask, but I believe I've upgraded my trial account to Teams properly, and I see many new team features; however, there does not appear to be a 'Duo' option in the settings menu. I have logged into Duo first, added 1Password, and went to settings. All I see in settings is Team Name and Logo, and sign-in address. I've tried both Safari and Chrome, and tried enabling beta and not - I'm not seeing the Duo option. I'd enjoy seeing if this does what I hope.

    Thanks,
    Devin

  • AGAlumB
    AGAlumB
    1Password Alumni

    @nated1: Ah, sorry for the confusion there. This got me too, because we've changed the setup process over time during the beta, which it recently graduated from, as Ben mentioned above. It sounds like you're on the right track, but maybe you're looking in Duo settings. You'll need to add 1Password there, which you've already done I guess, but the rest is done on 1Password.com:

    Set up Duo for your team

    Just to double check, are you on the 1Password Teams Pro plan? If not, that option won't be available to you. Let me know how it goes! :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    I'll move on quickly enough. My intention isn't to badmouth 1Password or compare to the competition. In evaluating the top 3 password managers, I'm overall quite impressed with 1Password.

    @nated1: No worries. Thank you for the kind words! Indeed, I just want to keep the big picture in mind as I would not want others reading this discussion to get the impression that it is possible for 1Password to protect them from an attacker who has control over the device where. Thanks for understanding, and for such a great dialogue! You make some good points.

    So, my question is basically - what mechanisms or tools, if any, does 1Password have or support which would prevent that very real life example I just provided (it's by no means an exhaustive list of all the possibilities that exist)? If 1Password does not have any technology or process to mitigate, and other industries/products/technologies do, and this is a plain and simple real world risk, how is that not a "known / acknowledged risk within the product and service"? Clearly, the team has made design decisions aware of this kind of risk, and made a stated assumption that 'all is lost'.

    I appreciate you bearing with me, but the answer is essentially the same. We notify the account holder of new authorizations via email, and if they were not the ones who signed in, that's a good opportunity to change the Master Password and generate a new Secret Key. And we're exploring ways we can leverage the native apps to help with this as well. But ultimately we can't prevent the user from giving their account credentials away. That is not a problem that is unique to 1Password, as you pointed out in your example. And the only real solution is for each of us to be vigilant and only enter account credentials into the legitimate app/site.

    Certainly there are some scenarios that additional factors can be used to defend against to some extent, and we'll continue to evaluate those. But the flipside of 1Password using encryption for its security (instead of authentication which can often be "reset" or worked around) is that any competent attacker will just go around that by going after the user themselves. And since they need to get the other account credentials that way anyway (we don't have them), they may as well get the data there as well, which means they won't have to authenticate with the server. That sounds dire, but in fact it's fine as we've built 1Password with the expectation that this will happen to people, because it will, and that 1Password's security — built on encryption — will need to withstand direct attack. So again, we're back to the user: "with great power comes great responsibility" — it's up to each of us to make sure that we do not give the "keys to the kingdom" away.

    Yes, I would advocate for 2SV (although in my world it gets lumped into the overall MFA technology space). No, I'm not advocating for ineffectively implemented or backdoored MFA, and yes, I am aware of the difference between marketing claims vs actual provable security (i.e. I'm not saying MFA is everything). No, I'm not saying 1Password sucks or the competition is better because you don't have it either - as I said, I'm overall quite impressed with 1Password.

    Totally. We'd like to do more in this area. We're just cautious to not offer something whose security benefits are questionable or misunderstood, or merely add an additional way for people to shoot themselves in the foot while only defending against very limited attack scenarios, as many people — though probably not you — may assume that it keeps them safe even while behaving insecurely.

    I'm moving on to evaluate the Duo integration. It could be that you've only started rolling out 2SV/MFA in your more enterprise tools.

    That's exactly it. It's gone well there, so perhaps we'll have other options in the future. I'm interested to hear about your experiences with it. :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    When evaluating software, and this is just my habit, I try to evaluate the interest and knowledge of the staff, the sales team, the thought behind design decisions, and how they interact. E.g., once upon a time, a leading password manager put an OTP key in the browser so they could reset user access on demand. Plaintext. That told me all I needed to know. Dumb decisions there probably meant dumb decisions elsewhere, or features implemented in a rush to accommodate everyone and everything, or little or no intellectual review; it was all downhill for me from then. I kind of appreciate the culture that leaks out here in the forum, the willingness to stick to their guns to implement features they have the time, energy, and focus to implement well. Their willingness to have some of their senior staff stick their necks out. We all have different criteria... not criticizing, but MFA in this context for me doesn't have the same value as it does for my retirement account. Just a different POV regarding MFA. If my Android phone is owned, and I am using Google Authenticator to validate my access to 1Password on that same phone... access to the OTP secret and everything else.... retirement account too! (Some days it just feels hopeless).

    @nated1: Thanks for the kind words, and for bringing up a good point: I'm making a bit of an assumption here, but for a lot of accounts authentication is effectively the only security, so multifactor is absolutely critical in those cases. To be clear, I don't think either of us can really know where that's the case, but website breaches have taught me that even if they're securing the data so it cannot be gotten without login credentials, if the login credentials are leaked and I don't have multifactor, someone may get into the account before I know to change the password. With multifactor in those situations, I still need to change my password, but it buys me some time if they do not have the TOTP to get in, even if they have the rest. But yeah, if my machine is owned, I'm probably out of luck. With 1Password.com it's different though, since the account credentials cannot be gotten from us in the first place — we don't have them — whether or not there's multifactor on the account.

    But also, from a sales standpoint, the lack of 2FA made pitching 1Password a non-starter at work, fair or unfair. That obstacle is now removed or lessened for teams.

    It definitely helps, but it's a long road. Glad Duo is out of beta (finally!), and we've got some more goodies coming there as well. Cheers! :)

  • nated1
    nated1
    Community Member

    @brenty

    Just to double check, are you on the 1Password Teams Pro plan? If not, that option won't be available to you. Let me know how it goes! :)

    Ah, that would be it. I am on the Teams Standard plan. I did check the documentation before asking and took a glance again now and didn’t see a mention of needing Teams Pro. I’ll check it out in the morning.

    Since I'm investigating for both personal use and for business, do you happen to know if I'm going to be able to convert my account back to a single user account, or is this a one way trip? I have no important data there save my test data.

    Thanks,
    Devin

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited February 2019

    Ah, that would be it. I am on the Teams Standard plan. I did check the documentation before asking and took a glance again now and didn’t see a mention of needing Teams Pro. I’ll check it out in the morning.

    @nated1: I'm really sorry about that. I do believe we have that covered in most places, but it looks like the new Duo guide we created when it graduated from beta and got a few upgrades does not yet mention this. We'll get that fixed.

    ref: web/support.1password.com#1381

    Since I'm investigating for both personal use and for business, do you happen to know if I'm going to be able to convert my account back to a single user account, or is this a one way trip? I have no important data there save my test data.

    That's a great question. We don't officially support going from teams to individual or family because the permissions are so different that something may not convert properly, but I may have a workaround for you if you end up in that situation...and worst case scenario you could just create a new account and copy the data over in the app, since you can be signed into both. But if you just have test data, I think I might recommend starting over with a new account anyway, just to have a clean slate. Cheers! :)
