Why not use 2 factor authentication to secure my 1Password Vault?


Comments

  • nated1
    Community Member

    @brenty

    I've just upgraded my 1Password account to Teams Pro. I can confirm that change worked, because I now have an audit history and a couple of new options, and the billing screen shows that Pro is selected. The settings option within 1Password still only has the ability to adjust Team Name and Logo and has the Sign in address. If it's related, I'm still within the 30-day trial period (expires Apr 19). Any thoughts? For what it matters, my account goes by the same account as my email addr in the forum here.

    As to deleting and recreating account to move back to personal, that's great. I was concerned about getting a mean-spirited message saying my account name was already taken. If it comes up I'll ask :)

    Thanks,

  • nated1
    Community Member
    edited March 2018

    Hi @Ben

    No different from what I saw before.

    I also tried to go into the url and go to /settings/duo after I logged in. That also didn't work.

  • Ben
    edited March 2018

    Okay. Let's move this conversation to email so that we can dig a little deeper. We'll be in touch via email soon.

    Ben

    ref: CHA-37536-561

  • nated1
    Community Member

    Thanks, I've got to the Duo screen now with help from support. I've asked support the same, but I'm able to access Duo config from both Team Standard and Team Pro. If it's in Duo Team Standard, I may use it personally (in addition to assessment for business).

  • Will is more familiar with the recent changes to Duo and should be able to answer that for you. :)

    Ben

  • AGAlumB
    1Password Alumni
    edited March 2018

    As to deleting and recreating account to move back to personal, that's great. I was concerned about getting a mean-spirited message saying my account name was already taken. If it comes up I'll ask :)

    @nated1: Just to clarify in case it helps you or anyone else, while 1Password Teams (or Families) will use a custom sign in address you choose — e.g. some-name-i-made-up.1password.com — all individual accounts use my.1password.com :)

  • The direct URL to get to the Duo configuration screen is https://start.1password.com/settings/mfa (the last bit is mfa and not duo, at least for now).

    The Duo configuration screen will be unhidden soon, and I'm sorry that you're needing to access it via a direct URL if you don't already have it configured. We did this as we were in the process of changing how some of it worked. That work is now complete and is just waiting to get out the door.

    Rick

  • nated1
    Community Member

    @brenty @rickfillion

    Thanks. I’ve been in touch with Will from Agilebits via email, and discussing with him.

    Thanks,

  • Perfect. Will's awesome.

    Rick

  • Catalin1P
    Community Member
    edited March 2018

    Hello everyone! Is it just me or has 1Password secretly added two-factor authentication to 1Password? https://my.1password.com/signin

    Enable two-factor authentication to add yet another layer of protection when signing in. Support for one-time passwords and Duo two-factor authentication is now available to further protect your account.

    Later edit: I see this option under my individual 1Password membership and I turned it on. What would happen if I lose my devices that are signed into 1Password and my 2FA codes are there? I already stored my Emergency Kit with my Secret Key and Master Password in a safe place but that wouldn't be enough would it?

    Edit 2: If possible my post may be moved to this thread https://discussions.agilebits.com/discussion/comment/419015#Comment_419015 as it is frequently used to talk about 2FA.

  • pervel
    Community Member
    edited March 2018

    Like @Catalin1P I've also noticed that you now seem to offer 2FA even for individual accounts. Will this be announced in a blog post soon? Or did you already do that and I missed it?

    I see there is some documentation here: https://support.1password.com/two-factor-authentication/

    However, I am concerned about the possibility of being locked out if I lose my authenticator (or if it malfunctions somehow). The recovery options mentioned in the documentation (https://support.1password.com/recovery/) only address Family or Teams accounts. How could the recovery process work for individual accounts?

    And lastly a slightly cheeky question. Is this not security theater mostly? Did you cave to the pressure? I actually think you had great arguments against using 2FA when you already have the Secret Key. 2FA seems to add very little extra security while adding a potential for locking yourself out. I'm not sure if I want to enable it or not.

    Edit: Right after posting I see you've answered some of my questions in another thread: https://discussions.agilebits.com/discussion/88005/no-2fa-recovery-options-for-individual-plan-accounts

  • AlwaysSortaCurious
    Community Member

    @pervel I think it is not available for Indv. accts. As for the more corporate versions, I could not pitch this at work until that feature was there. Security Theatre vs Corp. Intransigence (which is required to release the budget dollars).

  • Catalin1P
    Community Member

    @AlwaysSortaCurious It is available for Individual accounts as well. I just activated my two-factor authentication and @brenty was kind enough to answer my question in this thread https://discussions.agilebits.com/discussion/comment/419015#Comment_419015 after I asked a different question. Now I will pray that the 3rd party authenticator won't fail on me as long as I am alive.

  • AGAlumB
    1Password Alumni

    Like @Catalin1P I've also noticed that you now seem to offer 2FA even for individual accounts. Will this be announced in a blog post soon? Or did you already do that and I missed it?

    @AlwaysSortaCurious: We haven't announced anything yet, as the weekend is a terrible time to do so. But I'm sure we'll have more to say in the very near future. ;)

    I see there is some documentation here: https://support.1password.com/two-factor-authentication/

    Yep! And some mentions in other places as well.

    However, I am concerned about the possibility of being locked out if I lose my authenticator (or if it malfunctions somehow). The recovery options mentioned in the documentation (https://support.1password.com/recovery/) only address Family or Teams accounts. How could the recovery process work for individual accounts?

    There is no recovery process for individual accounts, so I wouldn't recommend using it unless you backup your TOTP secret along with the rest of your account credentials, as you will need all of them to sign in on a new device, for example in the case of an emergency.

    And lastly a slightly cheeky question. Is this not security theater mostly? Did you cave to the pressure? I actually think you had great arguments against using 2FA when you already have the Secret Key. 2FA seems to add very little extra security while adding a potential for locking yourself out. I'm not sure if I want to enable it or not.

    Haha that's a great question — or, perhaps, cluster of them. A long while ago (I can't even recall when, but more than a year) we introduced Duo authentication for 1Password Teams Pro accounts. This was long a beta feature. It is no longer in beta, and is available to all 1Password Business and Teams accounts so that companies who already have the Duo service deployed can easily use that with 1Password as well, both on the website and in the apps. But we've also introduced our own two-factor authentication as well, again primarily for companies, especially those who are not using Duo. Both of these features have been added by request of those customers whose companies require this for one reason or another.

    Now, this type of feature has been a real concern for us, especially as it relates to "regular", non-enterprise users, not only because of "security theater" issues but also, in conjunction with that, the very real risk of people getting themselves locked out of their accounts. Many people might be tempted (or cajoled by others) to enable multifactor authentication on their accounts because they think that will protect them against [insert real or imagined security threat here]. The reality is that multifactor authentication defends against very specific attacks. So while it is a security benefit in those cases, we have to be very careful about how we present this, as folks may 1) believe it offers protections it does not ("Now it's safe for me to login at the library!" — no, it isn't) and 2) get themselves locked out of their accounts, either by misunderstanding how it works or through sheer accident or misfortune. Unlike with most of the "2FA" out there, there is no automated recovery process. If you get locked out, you'll need to have a company admin whom you can contact directly — in person or over the phone is recommended — to have them start the account recovery process. There is no escape hatch for our multifactor — SMS, automated phone system, "recovery codes", etc.

    So, in summary, we can recommend it more readily to companies since they have security considerations very different to those most of us face as individuals (and often requirements for this), and also should have solid recovery plans in place. I hope that answers your question(s), but let me know if you have more. :sunglasses:

    Edit: Right after posting I see you've answered some of my questions in another thread: https://discussions.agilebits.com/discussion/88005/no-2fa-recovery-options-for-individual-plan-accounts

    :) :+1:

  • AGAlumB
    1Password Alumni

    I think it is not available for Indv. accts.

    @AlwaysSortaCurious: Our two-factor authentication is available for all 1Password accounts, but we don't recommend using it unless you're comfortable with the tradeoff of added risk/responsibility for its specific security benefit. Be sure you have everything you need to get back into your account in an emergency.

    As for the more corporate versions, I could not pitch this at work until that feature was there. Security Theatre vs Corp. Intransigence (which is required to release the budget dollars).

    I have to ask, where have you been? We've had Duo already for quite a while now. ;)

    But, teasing aside, we realize that not every company has or wants to deploy Duo, so we've rolled out our own two-factor authentication as well. Just keep in mind that the two are mutually exclusive. You can't use both. Anyway, if this rollout allows you and others get 1Password adopted at work, that's awesome. And, if it helps, all 1Password Business accounts include 1Password Families for each user. Cheers! :)

  • AlwaysSortaCurious
    Community Member

    Awesome! Not enabling it. I've had more trouble with TOTP and backing up recovery codes than I care to count. Oh, and I always back them up in 1Password! Lol. So how do I get in if I'm locked out.... I'd rather they try and crack a really long password with secret key...

  • pervel
    Community Member

    Thanks for the reply, @brenty. I don't think I'll enable 2FA since the risk of being locked out (even if small) outweighs the benefits in terms of security.

    Though, I do wonder if the lack of a recovery option for individual accounts (and I assume also for administrators of Family and Team accounts) is due to technical restrictions. It seems to me that such a recovery would be possible at least in theory - unlike recovering the Master Password or the Secret Key which is not possible even in theory. Or to put it another way: When customers start asking for you to assist them after losing their authenticator, are you going to tell them that you can't or that you won't do this?

  • AGAlumB
    1Password Alumni

    Thanks for the reply, @brenty. I don't think I'll enable 2FA since the risk of being locked out (even if small) outweighs the benefits in terms of security.

    @pervel: Keep in mind that, so long as you take the necessary precautions, you'll be just fine. I'm mostly being so discouraging to make sure that anyone reading this understands and accepts the risks before enabling this — especially on an individual account.

    Though, I do wonder if the lack of a recovery option for individual accounts (and I assume also for administrators of Family and Team accounts) is due to technical restrictions.

    To be clear, admins in family or team accounts can still benefit from recovery, so long as they are not the only admin. There just needs to be someone else to do that for them.

    It seems to me that such a recovery would be possible at least in theory - unlike recovering the Master Password or the Secret Key which is not possible even in theory. Or to put it another way: When customers start asking for you to assist them after losing their authenticator, are you going to tell them that you can't or that you won't do this?

    Oh, we absolutely cannot. We simply don't have access to the keys used by the Recovery Group to do it. We never have any keys to users' data. The only way it works in families and teams is because it works similarly to public key cryptography, as each team member has private and public keys. When a vault is created, a copy of the vault key is encrypted with the public key of the Recovery Group. The Recovery Group is able to decrypt the private key of the Recovery Group, which facilitates them restoring access to a user who goes through the recovery process. You can find more details in the security white paper, specifically page 38. And of course there is no one else who can belong to the Recovery Group with an individual account. :(
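The Recovery Group mechanism described in the reply above (a copy of each vault key encrypted to the group's public key, so the service itself never holds a private key and an individual account has nothing to recover from) can be sketched in a short program. The Go code below is an added example for this thread, not 1Password's implementation and not code from the security white paper: it encrypts a vault under a random AES-GCM key, wraps that key with RSA-OAEP to the owner and, when one exists, to a "recovery" principal, and implements recovery as unwrap-then-rewrap to the user's replacement public key. The principal names, the "recovery" label, and the choice of RSA and AES-GCM are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Vault is what the service stores: the encrypted items plus one copy of the
// vault key per principal, each copy encrypted to that principal's public key.
// The service holds no private key, so it can never read the vault itself.
type Vault struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // principal name -> RSA-OAEP wrapped vault key
}

// genKey makes a principal's key pair (a user, or the Recovery Group).
func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func wrapTo(pub *rsa.PublicKey, vaultKey []byte) []byte {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, vaultKey, nil)
	if err != nil {
		panic(err)
	}
	return wrapped
}

func aeadFor(vaultKey []byte) cipher.AEAD {
	block, err := aes.NewCipher(vaultKey)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// CreateVault encrypts data under a fresh random vault key and wraps that key to
// the owner and, when recoveryPub is non-nil, to the Recovery Group. Passing nil
// models an individual account, which has no Recovery Group at all.
func CreateVault(data []byte, owner string, ownerPub, recoveryPub *rsa.PublicKey) *Vault {
	vaultKey := make([]byte, 32)
	if _, err := rand.Read(vaultKey); err != nil {
		panic(err)
	}
	gcm := aeadFor(vaultKey)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	v := &Vault{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil), WrappedKeys: map[string][]byte{}}
	v.WrappedKeys[owner] = wrapTo(ownerPub, vaultKey)
	if recoveryPub != nil {
		v.WrappedKeys["recovery"] = wrapTo(recoveryPub, vaultKey) // label is an assumption of this example
	}
	return v
}

// Open decrypts the vault as the named principal using that principal's private key.
func (v *Vault) Open(name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := v.WrappedKeys[name]
	if !ok {
		return nil, errors.New("no wrapped vault key for " + name)
	}
	vaultKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	return aeadFor(vaultKey).Open(nil, v.Nonce, v.Ciphertext, nil)
}

// Recover is what a Recovery Group member does for a user who lost their
// credentials: unwrap the group's copy of the vault key with the group's private
// key and re-wrap it to the user's replacement public key. With no Recovery Group
// copy there is nothing to unwrap, so an individual vault cannot be recovered.
func (v *Vault) Recover(recoveryPriv *rsa.PrivateKey, user string, newPub *rsa.PublicKey) error {
	wrapped, ok := v.WrappedKeys["recovery"]
	if !ok {
		return errors.New("no Recovery Group copy of the vault key: recovery impossible")
	}
	vaultKey, err := rsa.DecryptOAEP(sha256.New(), nil, recoveryPriv, wrapped, nil)
	if err != nil {
		return err
	}
	v.WrappedKeys[user] = wrapTo(newPub, vaultKey)
	return nil
}

func main() {
	alice, recovery, replacement := genKey(), genKey(), genKey()
	team := CreateVault([]byte("shared team password"), "alice", &alice.PublicKey, &recovery.PublicKey)
	if err := team.Recover(recovery, "alice", &replacement.PublicKey); err != nil {
		panic(err)
	}
	data, _ := team.Open("alice", replacement)
	fmt.Printf("team vault after recovery: %q\n", data)

	bob := genKey()
	solo := CreateVault([]byte("personal notes"), "bob", &bob.PublicKey, nil)
	fmt.Println("individual vault recovery:", solo.Recover(recovery, "bob", &replacement.PublicKey))
}
```

The design point the thread makes falls out of the data structure: the only party who can run Recover is whoever holds the Recovery Group's private key, and a vault created with recoveryPub set to nil carries no copy that anyone could unwrap, so no support process can bring it back.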

  • AGAlumB
    1Password Alumni

    Awesome! Not enabling it. I've had more trouble with TOTP and backing up recovery codes than I care to count. Oh, and I always back them up in 1Password! Lol.

    @AlwaysSortaCurious: Ah, I hear you. I've been lucky, but yeah, I've had issues with TOTP codes at times when Wi-Fi-only devices had time sync issues. :(

    But, on the plus side, I know at least Authy does their own time sync, so it doesn't depend on the device itself to get it right. :)

    So how do I get in if I'm locked out.... I'd rather they try and crack a really long password with secret key...

    Well, yeah... I think it really doesn't matter in that case. Better to start over from scratch than to hold your breath waiting to brute force the Secret Key, even if you know the Master Password. :dizzy:
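The time-sync failures mentioned in the reply above come down to how TOTP is computed: the code is an HMAC over the current 30-second step counter, so a device whose clock has drifted into a neighbouring step produces a code the server rejects unless the verifier checks adjacent steps. The following Go program is an added example, not code from 1Password or from anyone in this thread: it implements RFC 6238 (HMAC-SHA1, 30-second step) and a verifier with a configurable skew window. The secret and timestamps are the RFC's published test values, and the window size is a policy choice assumed here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

const stepSeconds = 30 // RFC 6238 default time step

// totpAt returns the TOTP for the 30-second step containing the given Unix time
// (RFC 6238 with HMAC-SHA1, the default most authenticator apps use).
func totpAt(secret []byte, unix int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unix/stepSeconds))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last byte
	// selects a 4-byte window; the top bit is masked off.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// verifyTOTP checks a 6-digit code against the server's clock, tolerating a
// client clock up to `window` steps fast or slow. It reports whether the code was
// accepted and, if so, the skew in steps at which it matched. A window of 0 is
// what a drifted device runs into; 1 is a common tolerance (assumed, not 1Password's setting).
func verifyTOTP(secret []byte, code string, serverUnix int64, window int) (bool, int) {
	for skew := -window; skew <= window; skew++ {
		expected := totpAt(secret, serverUnix+int64(skew)*stepSeconds, 6)
		if hmac.Equal([]byte(expected), []byte(code)) { // constant-time compare
			return true, skew
		}
	}
	return false, 0
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real key
	server := int64(1111111111)              // RFC 6238 test timestamp
	// A phone 31 seconds behind the server sits in the previous step.
	stale := totpAt(secret, server-31, 6)
	for _, window := range []int{0, 1} {
		ok, skew := verifyTOTP(secret, stale, server, window)
		fmt.Printf("window=%d accepted=%v skew=%d\n", window, ok, skew)
	}
}
```

Running it shows the same code being rejected with a zero window and accepted at skew -1 with a one-step window, which is exactly the behaviour an app that syncs its own clock (as Authy is described doing below) avoids from the client side.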

  • AGAlumB
    1Password Alumni

    It is available for Individual accounts as well. I just activated my two-factor authentication and @brenty was kind enough to answer my question in this thread https://discussions.agilebits.com/discussion/comment/419015#Comment_419015 after I asked a different question. Now I will pray that the 3rd party authenticator won't fail on me as long as I am alive.

    @Catalin1P: As I mentioned above, Authy does their own time sync, so it doesn't depend on the device itself to get it right, so that's a comfort. I prefer 1Password to Authy...but in this case I have to make an exception. As mentioned in the support article:

    Storing [1Password's authenticator code] in 1Password would be like putting the key to a safe inside of the safe itself.

    Not a story that ends in "happily ever after" if we ignore this advice! :scream:

  • Catalin1P
    Community Member

    @brenty Thank you for taking the time to explain everything so well! Wishing everyone Happy Easter and a nice weekend!

  • nated1
    Community Member
    edited April 2018

    @brenty and folks here;

    Indeed, Will had advised me to sit tight until now regarding the investigation I was doing as these features would unveil publicly.

    As to the very real risk that users lock themselves out, it is definitely a very valid concern. As an idea, for accounts with TOTP enabled, add the TOTP secret-key (or qr code) to the Emergency Kit (and possibly update your website login to re-add the 'print out your Emergency Kit' notification when a user first adds TOTP MFA / updates it).

    I guess it'll boil down to the question: will 1Password allow a user to go through some form of a process to have TOTP disabled on their account, though brenty has said no.

    As a last resort, since MFA is likely only used to download encrypted material of the vault / login to the 1Password online service, and not to decrypt a previously obtained vault, then I'd imagine if you still had access to your 1Password vault, you could do an export of material, make a new 1Password account, and import. It'll be fun to see as folks lock themselves out how billing gets dealt with, but I digress.

    Thanks for the feedback and work by your team.

    Thanks,

  • AlwaysSortaCurious
    Community Member

    @nated1 I'm sure 1Password support and devs who traffic in the forum can't wait ;) my sympathies to all ahead of time...

  • nated1
    Community Member
    edited April 2018

    @AlwaysSortaCurious I like your name as I ask a lot of questions myself.

    I guess it depends where TOTP MFA/2FA is enforced.
    1. Every login to the online website for any reason;
    2. Gaining auth to retrieve/sync the vault material every X minutes/hours/days/etc.
    3. Adding a new device only;
    4. On-login to the app every X minutes/hours/days/etc.

    1 and 3 were the ones I was most interested in, and assuming that once a device is added then strong encryption/auth is used to deliver material only to that device.

    And also, as I amended my prior comment, if 1Password provides a formal mechanism where they will allow MFA to be disabled from an account.

  • AlwaysSortaCurious
    Community Member

    For me, maybe, just maybe 3? If they know my secret key I am probably already done for and 2FA won't help.

    The implementation, as developers know, you never get it right for all customers. I could deal with a web-interface 2FA or add-device 2FA, but if they have the secret key too, well, they probably own my end point anyway. My guess is they could just export the DB when I wasn't looking.

    I get the need for 2FA in lots of capacities, authorization mostly, right? Access to the corporate portal since you can't depend on users, But in this instance, meh. If you can't crack my password on a GPU rig before I die of old age, it sure isn't going to go any faster knocking on the web portal's login page. My password is rather strong and long as well, just because I think short of a real crack in AES, speed optimizations are the real worry. All bets are off if a real (not pseudo) quantum computer shows up though, right?

    With that as my premise, I think 2FA is a way to lock me out, not keep anyone else out (we all look at it differently, and I think the above is sound). Corp. Sec Departments, aside. They're just better off assuming everyone is typing something silly.
    Wow, I think this is still on topic for the thread title.

  • AGAlumB
    1Password Alumni

    Thank you for taking the time to explain everything so well! Wishing everyone Happy Easter and a nice weekend!

    @Catalin1P: Thanks! I hope you enjoyed yours as well. :chuffed:

  • AGAlumB
    1Password Alumni

    Indeed, Will had advised me to sit tight until now regarding the investigation I was doing as these features would unveil publicly.

    @nated1: Thanks for understanding. I know firsthand it can be difficult! :lol:

    As to the very real risk that users lock themselves out, it is definitely a very valid concern. As an idea, for accounts with TOTP enabled, add the TOTP secret-key (or qr code) to the Emergency Kit (and possibly update your website login to re-add the 'print out your Emergency Kit' notification when a user first adds TOTP MFA / updates it).

    I don't think we want to do that automatically. Certainly you're free to add it there yourself, and maybe we'll add a special place for it in the future. But for those folks who really need this feature, it's because they have to have a truly separate second factor, so having it tacked onto the Emergency Kit would be a no-go. I'm talking about people who will not only use a separate app for the TOTP code, but will also likely have a single device they use just for that purpose, without using 1Password itself there. It's something we'll continue to evaluate, but it's much easier for those of us who want to add it to do so manually than it is for those folks — the ones who want the TOTP/secret to be fully discrete — to remove it.

    I guess it'll boil down to the question: will 1Password allow a user to go through some form of a process to have TOTP disabled on their account, though brenty has said no.

    It's a bit more nuanced than that, so I'll elaborate. But essentially, no, ultimately it will not be possible for the user to disable TOTP themselves without having it to sign in, but there are a few clarifications I'd like to make:

    • With an individual account, you may be able to do it if you have a browser that is already authorized and your two-factor timeout hasn't expired so that the code is required. Otherwise though, it's game over; you'll need the TOTP to login, and since you'll need to login to disable two-factor authentication, that's all she wrote. So you should assume that you'll get locked out without having access to the TOTP/secret. And if you're lucky, you might not need it. Not something I'd count on in an emergency though.
    • With an account that is part of 1Password Families, Teams, or Business, another admin can help you go through account recovery. So that makes things less scary in a group setting, provided you have a solid recovery plan in place.

    So we really only recommend using two-factor in a group setting where there are others that can help you if things go badly for you. Certainly that's a concern for individual memberships of all kinds if the other account credentials are lost, but this adds yet another layer of security/opportunity for disaster. We'd really like to be able to offer some sort of recovery option for individuals in the future too, but, as you can imagine, that's a bit of a technical challenge.

    As a last resort, since MFA is likely only used to download encrypted material of the vault / login to the 1Password online service, and not to decrypt a previously obtained vault, then I'd imagine if you still had access to your 1Password vault, you could do an export of material, make a new 1Password account, and import. It'll be fun to see as folks lock themselves out how billing gets dealt with, but I digress.

    Indeed, in the case of lost account access, the one saving grace is that you could get your data off of an authorized device where it is already cached to copy it to a new account. We're always happy to help with that. Thank heavens for small favours!

    Anyway, I know you didn't mean "fun" literally, but I can't even tell you just how un-fun it is when folks get into trouble. For a long time, that was just the Master Password, and for a while now the Secret Key has been a factor as well. So you can probably appreciate why we were not in a hurry to add an additional point of failure here. We're glad it's available for those who need it now, but I do hope that everyone who chooses to enable two-factor authentication will take the necessary steps to ensure they don't lock themselves out of their data.

    Thanks for the feedback and work by your team.

    Likewise, thanks for your passion! It helps alleviate the terror I experience any time I think of people losing data. :crazy:

    I guess it depends where TOTP MFA/2FA is enforced.
    1. Every login to the online website for any reason;

    This is possible, unless you check the "public computer" option when you login each time. Duo admins have some control over the timeout, but it cannot be set to zero, requiring it on every login/unlock/use. That causes a lot of issues, and makes true offline access impossible.

    2. Gaining auth to retrieve/sync the vault material every X minutes/hours/days/etc.
    3. Adding a new device only;
    4. On-login to the app every X minutes/hours/days/etc.

    All of the above. It will be needed to setup a new device, and then periodically will be required when accessing the device. So #3 kind of applies to #1 as well. :)

    1 and 3 were the ones I was most interested in, and assuming that once a device is added then strong encryption/auth is used to deliver material only to that device. And also, as I amended my prior comment, if 1Password provides a formal mechanism where they will allow MFA to be disabled from an account.

    Duo admins have control over whether it's enabled or disabled for their users, and (TOTP) two-factor authentication users (this is only user-controlled, and will not be an option if Duo is enabled) can disable it only by signing into their account on 1Password.com. I hope this helps! :)

  • I'd like to try to add a bit more clarity about MFA and when it's required.

    In order to do that, we need to split off MFA by type as they behave very differently.

    Duo

    You'll be required to perform the Duo step of authentication when:

    • Signing in to 1Password from a new device after the admin has enabled Duo
    • Periodically on that device based on the setting the admin chose for the number of days to remember devices

    TOTP

    You'll be required to provide the one time password during authentication when:

    • Signing in to 1Password from a new device after you've enabled two-factor authentication for your user account
    • If you disable/re-enable two-factor authentication for your user account
    • If you explicitly request a certain device be re-authorized.

    There is no time-out for TOTP, so there is no periodic need to re-enter it. During the TOTP authorization there is a shared secret exchange that happens with the server and going forward the app can authenticate with the server in a manner that satisfies MFA but does not require user intervention.

    I hope this helps.

    Rick

  • AGAlumB
    1Password Alumni

    Thanks to Rick for the clarity. Admittedly I muddied and messed things up a bit by not separating Duo and (TOTP) two-factor authentication. Hopefully that helps. :blush:

    I'm sure 1Password support and devs who traffic in the forum can't wait ;) my sympathies to all ahead of time...

    @AlwaysSortaCurious: I don't know if you're offering sympathy to A. AgileBits staff, B. AgileBits customers, or C. anyone else reading this...but, based on my last reply to nated1, I'll go with D. All of the above. :tongue:

    For me, Maybe, just maybe 3? If they know my secret key I am probably already done for and 2FA won't help.

    Indeed, I think that's an important assumption to make, even if you might get lucky, because we need to plan for the smart attacker, not the stupid one. And if they have your encrypted data and Secret Key, they almost certainly got them from you, so they might as well just capture the Master Password that way too. And at that point, there's no authentication involved, and they can do everything offline.

    The implementation, as developers know, you never get it right for all customers. I could deal with a web-interface 2FA or add-device 2FA, but if they have the secret key too, well, they probably own my end point anyway. My guess is they could just export the DB when I wasn't looking.

    I hate that you're right, but you're right. If there were a one-size-fits-all security solution, that would be great. But, since there isn't, we start from the next-to-worst-case scenario ("worst case" being the attacker already has everything they need) and work from there. So 1Password's security assumes that the attacker has everything but your Master Password, so that it can withstand attack even in that scenario. And the Secret Key protects in the case of a server breach, so that the attacker cannot perform a brute force attack against all 1Password.com users' data.

    I get the need for 2FA in lots of capacities, authorization mostly, right? Access to the corporate portal since you can't depend on users, But in this instance, meh. If you can't crack my password on a GPU rig before I die of old age, it sure isn't going to go any faster knocking on the web portal's login page. My password is rather strong and long as well, just because I think short of a real crack in AES, speed optimizations are the real worry. All bets are off if a real (not pseudo) quantum computer shows up though, right?

    Indeed. Coming back to the last point, two-factor authentication protects against a very specific class of attacks, where the attacker has secretly stolen your account credentials (so you don't know you should change them) and then tries to use them to access your account at some point in the future. Since they won't have the second factor, they will be unable to. It still begs the question "How did they get your account credentials in the first place?" The answer is probably "From you" somehow, so this is mostly moot. But it is an additional hurdle they'd have to contend with, if they do not already have access to the data and don't want you to find out they have your credentials until it's already too late.

    With that as my premise, I think 2FA is a way to lock me out, not keep anyone else out (we all look at it differently, and I think the above is sound).

    That's not a bad way of looking at it. I think you can still look at it that way though and use it successfully, just by taking the necessary precautions. But, as always, better safe than sorry.

    Corp. Sec Departments, aside. They're just better off assuming everyone is typing something silly.

    A fair point. :wink:

    Wow, I think this is still on topic for the thread title.

    Oh, it isn't, but that ship has sailed! :lol:

    This is ostensibly a discussion about using a second factor to protect access to a vault, but since there is no authentication involved at the vault level, it's morphed into a discussion about where it is possible: namely, 1Password.com accounts. Cheers! :)
