Why not use 2 factor authentication to secure my 1Password Vault?
Comments
As commentary about TOTP and not 1Password in general:
Internal to our company, I’m developing a white paper re TOTP, which is definitely different from Duo or others as well. Our use of TOTP is meant to be educated. Vendors like 1Password and Authy (when used as a prover, vs requiring TOTP themselves) bend the notion that a TOTP key is device specific (at the end of the day TOTP is about whether you have a shared secret key or not).
The value we believe we’ll prescribe to TOTP is to defend against interception of passwords across the network/internet, including sophisticated attacks by hackers (tls inspection, but without the ability to real time proxy connections and intercept valid totp codes for use by a hacker) and accidents by users emailing creds or what not. We’re treating totp as basically a password hardened somewhat against replay attacks.
Where TOTP fails on the server side is that keys need to be stored in cleartext. So we’re hopeful password + TOTP secret means:
At server side:
Password is stored hashed and salted using one-way encryption, such that a compromise of server assets does not turn into the hacker getting all the cleartext passwords. Sadly I doubt this is true, but one can wish. Passwords however need to be transmitted in the clear if the server stores them using 1-way hashing.
The TOTP secret needs to be stored in the clear, or in a way that the clear secret can be derived. But the TOTP secret isn’t ever transmitted in the clear (except when specifically accessed to enroll in the first place, which should be far fewer accesses). So a hacker can get it server side, but not via intercepting transmissions. And when the user screws something up, the codes are time limited.
Since Authy and 1Password (when used to store the TOTP secrets for use on other websites, and not the use of TOTP for access to 1Password) very much break the notion of a TOTP secret being tied to a device, and since an end user can add a TOTP secret key to lots of devices if not using a tool like 1Password or Authy, we’re adopting the position that TOTP secret keys are not device specific, but instead a hardened password that, when used in conjunction with a regular password, helps prevent a number of security issues which normal users cause for themselves.
Thanks,
0 -
The value we believe we’ll prescribe to TOTP is to defend against interception of passwords across the network/internet, including sophisticated attacks by hackers (tls inspection, but without the ability to real time proxy connections and intercept valid totp codes for use by a hacker) and accidents by users emailing creds or what not. We’re treating totp as basically a password hardened somewhat against replay attacks.
That's a good way of looking at it, and I think that applies to most service providers. It doesn't quite work for 1Password itself though, as it's already not vulnerable to this kind of threat by way of using SRP. You can read about it more on the blog post I wrote about it here: https://blog.agilebits.com/2018/02/14/how-we-use-srp-and-you-can-too/
Where TOTP fails on the server side is that keys need to be stored in cleartext.
You're right. On the server this needs to be available mostly in the clear (something like KMS can help, but one can argue whether that's still considered in the clear)
Password is stored hashed and salted using one-way encryption, such that a compromise of server assets does not turn into the hacker getting all the cleartext passwords. Sadly I doubt this is true, but one can wish. Passwords however need to be transmitted in the clear if the server stores them using 1-way hashing.
Or use SRP. It's really really cool. :)
we’re adopting the position that TOTP secret keys are not device specific, but instead a hardened password that, when used in conjunction with a regular password, helps prevent a number of security issues which normal users cause for themselves
I think that's a fair statement.
Rick
0 -
Wow, I miss a few days and come back to this! Very cool!
0 -
I hope you guys can help me with this question. I am using Authy for the OTP and there is an option to encrypt and back it up. I have Authy synced on 3 devices; is that backup needed since I have it on 3 devices synced up? With the password on Authy, I almost feel like I’m leaving the key in the safe, since that password for Authy is in 1Password.
0 -
Wow, I miss a few days and come back to this! Very cool!
@prime: Haha welcome back! I think you might have missed a few other things too, but there's no rush. ;)
I hope you guys can help me with this question. I am using Authy for the OTP and there is an option to encrypt and back it up. I have Authy synced on 3 devices; is that backup needed since I have it on 3 devices synced up? With the password on Authy, I almost feel like I’m leaving the key in the safe, since that password for Authy is in 1Password.
Yeah that's definitely a bit of an Inception thing you've got going on there. If the backup is encrypted, then that's another piece of the puzzle you'll need to account for in your emergency planning. I'd recommend considering either adding the TOTP secret to your Emergency Kit or saving it separately in a wise place of its own. What that amounts to will depend on your needs and preferences. While being in a 1Password Family/Team/Business could allow you to have another admin help you recover your account, better safe than sorry. :)
0 -
Yeah that's definitely a bit of an Inception thing you've got going on there. If the backup is encrypted, then that's another piece of the puzzle you'll need to account for in your emergency planning. I'd recommend considering either adding the TOTP secret to your Emergency Kit or saving it separately in a wise place of its own. What that amounts to will depend on your needs and preferences. While being in a 1Password Family/Team/Business could allow you to have another admin help you recover your account, better safe than sorry. :)
My one idea I just thought about was to use Authy for everyday use for me. But then I was going to add my TOTP to my wife’s 1Password as a backup, and do the same for her, since we are both family organizers for our accounts. This way, if I somehow lose all 3 devices, my wife still has access to my TOTP in her 1Password and vice versa.
Now Authy will sync without the back up part? This is the 1st time using this app. I have it on my iPhone, iPad, and MacBook and they are all synced.
For my work vault, I put the TOTP in 1Password, just because it’s not a family organizer account, and it’s also just a guest account too.
This is great! I like that I have the secret key AND a TOTP now.
0 -
My one idea I just thought about was to use Authy for everyday use for me. But then I was going to add my TOTP to my wife’s 1Password as a backup, and do the same for her, since we are both family organizers for our accounts. This way, if I somehow lose all 3 devices, my wife still has access to my TOTP in her 1Password and vice versa.
@prime: That sounds like a plan! :)
Now Authy will sync without the back up part? This is the 1st time using this app. I have it on my iPhone, iPad, and MacBook and they are all synced.
I have to admit I'm not sure about that. I found this article, which seems to present the two as being related, but it isn't clear to me that one can't work without the other:
https://support.authy.com/hc/en-us/articles/115001750008-Backups-and-Sync-in-Authy
For my work vault, I put the TOTP in 1Password, just because it’s not a family organizer account, and it’s also just a guest account too.
Probably not something most people will do, but I think this is a great example of doing what makes the most sense for your situation. Thanks for sharing! :)
This is great! I like that I have the secret key AND a TOTP now.
So glad to hear it! :chuffed:
0 -
Hi folks! With the launch of 1Password Business, we've also added two-factor authentication for all types of 1Password accounts. That means you can set it up with a personal account, a family one, or a team one from your profile page.
Turn on two-factor authentication for your 1Password account
If you have some questions, feel free to let us know. Hope you like it. :blush:
0 -
I’m not following!!!!
Are you saying that you guys at 1Password, after 6 pages of endless arguments with your clients defending your decision not to offer 2FA because of security issues.... are simply just announcing that you’re offering 2FA now?
Is this a late April Fools’ joke?
0 -
@mkd: This is part of the reply @brenty gave you on January 24:
As mentioned previously, 1Password already does offer multifactor authentication, in the form of Duo in 1Password Teams beta. And offering something like that to all 1Password.com members is already something we're considering...but we're not going to release something like this unless it's done right. I'm sorry if that wasn't clear, or got lost in the larger discussion.
It sounds like they've done exactly what they said they would.
0 -
As brenty via pervel has mentioned, we've supported Duo for a long time. We've recently completely reimplemented how Duo integrates with 1Password, and in the process we abstracted it to open up more possibilities. This allowed us to do far more than our original Duo implementation, where now all of the 1Password apps also support multi-factor authentication.
Most arguments from us regarding 2FA in the past (and present) that you'll find are in relation to combining 2FA with unlock of local data. That hasn't changed. This is about authentication with the 1Password.com servers.
Rick
0 -
Finally 1Password uses 2FA,
it's time to use 1Password again :)
0 -
Well, it has for quite a long time now with Duo, but I'm glad if the additional options we've added have prompted you to take another look. ;)
0