2way auth

guyco
Community Member

Hi Everyone,

I read a lot of posts from people asking about 2way auth, and one of the AgileBits personnel wrote this:

"No. 1Password and AgileBits don't know anything about you, so we cannot authenticate you. Your 1Password data is stored only on your device unless you choose to sync it elsewhere, and it isn't a service that you login to. There is no gatekeeper for your data who can authenticate you; rather, it is encrypted using your Master Password. I hope this helps! :)"

My question relates to this statement. I know that you can sync 1Password across devices, which means you've got a 1Password account (if you choose not to sync via Dropbox, for example). Now, if I have an account, it means that I also have a gatekeeper, which contradicts the statement above. If I don't have a 2way auth to this account, someone can hack it (theoretically) and steal my file with all my passwords and sync it to his 1Password client, right? Am I missing something here?

I'm asking because I want to migrate to 1Password from LastPass, but I really like the 2way auth feature they have; I feel extra secure that way. Can someone please advise before I migrate?

Best,
Guy



Comments

  • Pilar
    1Password Alumni

    Hi @guyco

    I'm not sure which post you're quoting, but my guess is that it's not very recent, and therefore we now have a different answer for you! If you have an account then your data is stored on our servers, always encrypted. We do have a second layer of security in this case: you don't only need your Master Password to retrieve your data but also your Account Key. This is a unique 128-bit identifier that is generated on your own device and that is also necessary to decrypt your data.

    The Account Key is even better than 2FA. With traditional two-factor authentication, an existing device is used to authorize a new one. But the existing device is only used for authorization. The one-time passwords are not used to harden the encryption. Your Account Key works in much the same way. It is required to authorize a new device. However, your Account Key is actually used to improve the encryption of your data. Both your Master Password and your Account Key are required to decrypt your data.

    To read more about 1Password and how it keeps your data safe, you can take a look at our security page: https://1password.com/security/.

    If you have any other questions, or there's anything else that you would like to know about 1Password let us know and we'll be glad to help!
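
The difference between a second factor that only gates access and a second secret that goes into the key itself, as an added sketch (not part of the thread and not 1Password's actual code). The HMAC-and-XOR construction, the iteration count, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # assumed work factor for this sketch


def stretch_password(password: str, salt: bytes) -> bytes:
    """Slow, salted stretch of the Master Password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def two_secret_key(password: str, account_key: bytes, salt: bytes) -> bytes:
    """Mix a device-generated 128-bit secret into the password-derived key.

    Assumed construction: expand the Account Key with HMAC, then XOR it with
    the stretched password. Neither input alone determines the result.
    """
    if len(account_key) != 16:
        raise ValueError("Account Key must be 128 bits")
    expanded = hmac.new(salt, account_key, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stretch_password(password, salt), expanded))


def seal(key: bytes, vault: bytes) -> bytes:
    """Stand-in for authenticated encryption: only the right key matches."""
    return hmac.new(key, vault, hashlib.sha256).digest()


def unlocks(key: bytes, vault: bytes, tag: bytes) -> bool:
    """True if `key` reproduces the tag stored alongside the vault."""
    return hmac.compare_digest(seal(key, vault), tag)


# Constructed sample data: a deliberately weak password and a dummy vault.
SALT = secrets.token_bytes(16)
ACCOUNT_KEY = secrets.token_bytes(16)  # generated on the user's own device
PASSWORD = "hunter2"
VAULT = b"constructed vault contents"

TAG_PASSWORD_ONLY = seal(stretch_password(PASSWORD, SALT), VAULT)
TAG_TWO_SECRET = seal(two_secret_key(PASSWORD, ACCOUNT_KEY, SALT), VAULT)

if __name__ == "__main__":
    other_device = secrets.token_bytes(16)  # a device that never got the key
    print(unlocks(stretch_password(PASSWORD, SALT), VAULT, TAG_PASSWORD_ONLY))
    print(unlocks(two_secret_key(PASSWORD, other_device, SALT), VAULT, TAG_TWO_SECRET))
    print(unlocks(two_secret_key(PASSWORD, ACCOUNT_KEY, SALT), VAULT, TAG_TWO_SECRET))
```

With the password-only tag, knowing the password is enough to reproduce the key from the stored data; with the two-secret tag, the correct password still fails on any device that does not hold the Account Key.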

  • guyco
    Community Member

    Thank you for the quick answer,

    One question remains: if I want to purchase the 1Password license product and not the subscription, will I enjoy the key identifier as well? Let's say I sync my data via Dropbox and my computer gets stolen. Theoretically, I have 1-way protection, which is my master password, right? Because the data is inside Dropbox, which can be reached from my computer, and the 1Password Mac app is also on the same stolen computer, right? In a 2way auth it will be rare that someone steals my computer and my iPhone with the auth app (let's say Google Auth), so then it will be impossible for the thief to crack it since he doesn't have my iPhone. I'll be happy to learn how the key identifier works in such cases.

    Best,
    Guy

  • Megan
    1Password Alumni

    Hi @guyco,

    "One question remains if I want to purchase the 1password license product and not the subscription will I enjoy the key identifier as well?"

    The Account Key is an extra layer of protection that we built into the 1Password account service. It is not available with the standalone licenses. But don’t worry! Your data file is always encrypted with an exceedingly secure encryption algorithm called AES. Even if someone were to acquire a copy of your 1Password data file, it would be extremely difficult (approaching impossible in a human lifetime) for them to actually gain access to your passwords without your Master Password. In short, we believe it is just as secure as having the data on your laptop. To learn more about cloud data security, have a read through our Knowledgebase article on Cloud Security.

    And you can see the thoughts behind our data format's design here.

    Also, you can check out our blog for many more articles that go into the nitty gritty math behind what makes 1Password so secure.

    I hope this helps, but we're here if you have any further questions or concerns!

This discussion has been closed.