Account Key and Two-Factor Authentication
I believe that use of Account Key is not really a 'two-factor authentication'. The reason is that 2FA is usually associated with a device, which makes sure it is 'me' that is trying to log in to the account by sending a code that is never used again. However, Account Key itself cannot verify anything about the person trying to log in.
Here is a simple example: Let's assume that a hacker was able to acquire my master password and account key at the same time. Since account key itself is used as a form of 2FA, when the hacker tries to log in there is nothing that can stop the hacker from logging in.
I understand that requiring master password and account key for decryption increases the security way more than just having a master password alone. This is a perfect scenario for offline usage.
However, 1Password Families is supposed to be an online-based service. That means it should focus on online security as well. And account key is not a very clever choice for online security in my perspective.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
A good example would be Google's SMS based 2FA.
If someone gets hold of my password and uses it to log in, then I can be immediately notified that someone is trying to log in to my account by receiving a code via my phone.
Being notified when a new device was used to log in to my account via email is great but many of us will check text messages more often than emails.
0 -
Hi @dwk
Thank you for writing in with these interesting questions about similarities and differences between the Account Key and 2FA.
There are a few different things to note here. First of all, remember that neither your Account Key nor your Master Password is ever sent over the internet. Your data is encrypted and decrypted directly on your device. What does this have to do with what you're talking about? If someone has gotten access to both your Master Password and Account Key, they most likely have your device and they could use it to verify 2FA as well.
On the other hand 2FA in 1Password accounts is something that has been mentioned several times to us before. Because we'll always listen to your concerns, ideas and needs on top of everything, while both your Master Password and your Account Key are used to encrypt your data, we have implemented 2FA on 1Password Teams Beta. Right now, we're still testing the waters and getting it to be better every day, as the Beta name suggests. While I can't tell any details of how 2FA will develop on 1Password Families, I can tell you that if you stick around you'll probably like the direction that all this takes! :chuffed:
0 -
@dwk: Another thing to keep in mind is that if you store your Emergency Kit in a secure location and never use it except in an actual emergency, the Account Key effectively becomes exactly as you describe multi-factor authentication: it is only stored in the authorized device ("something you have"). So that device itself becomes the second factor you use to authenticate a new device, since the Account Key isn't something you can memorize ("something you know") and can only then be accessed within an existing authorized device.
It's different from what you're used to, yet similar in some non-obvious ways. And most importantly, it offers much more security over a short token, can never be intercepted, and actually strengthens the encryption by being used in conjunction with your Master Password. :)
0 -
Thank you for the replies :)
I'm hoping 2FA comes to Families as well.
My primary concern is due to the fact that I cannot check for keyloggers when I'm using a browser to log in to my Families account. Even if my passwords are never transmitted over the internet, keylogging compromises both my master password and account key at the same time. Using the 'secure unlock on desktop' functionality in the Windows 1Password app allows me to avoid possible keyloggers. Can a similar approach be taken through a browser? (I'm guessing 'no' as an answer but gotta ask!)
0 -
Hi @dwk
Thank you for your answer and for taking some time to discuss these things with us! We hope to have good news for you sometime soon.
On one hand, the best way to protect yourself is to be careful with what you install and download from the internet to make sure you don't get a key logger to begin with! I also think that if you're at a point where someone has found a way to get a key logger onto your computer, you probably have some problems bigger than 1Password :scream:
On the other hand, even then you only authenticate your browser on your own computer once, and you're most likely going to be copy-pasting it, I think. I know I personally have not tried typing in an Account Key yet. If you're worried about very public computers, like one at a library, then I can see your point, and you get to a point where you have to weigh the pros and cons of that edge case of 1Password :chuffed:
0 -
@dwk: That's an excellent point! You're absolutely right that the browser doesn't have the same ability to guard against key loggers that an OS does (with features like Secure Desktop on Windows and Secure Input on macOS). One thing that helps with this is that you will likely only need to enter your Account Key the first time. After that, you'll be entering only your Master Password, so both cannot be captured in that fashion. So the Account Key is actually more resilient against this kind of attack. More on that later.
Pilar gave some good general advice, but I'm guessing since you're thinking about and raising these issues you're pretty vigilant already, so perhaps what we're really talking about is someone else's machine here. So it's important to note that if you're in a situation where a key logger is a concern (compromised or untrusted machine), all bets are off: the attacker could just as easily have other tools at their disposal to get anything and everything you access on the computer, in the browser or otherwise. It sounds tedious, but it can be automated (screenshots, data collection, or merely waiting for you to log in and then locking you out while they access whatever they wish).
So while 1Password cannot mitigate someone else's ownership of a machine (malicious or otherwise) as a threat, I think it's at least valuable to be aware of this and weigh the risks involved beforehand, prior to getting into a bad situation. And regarding multi factor authentication specifically, even a one-time token is not sufficient protection in these cases either, since that can be similarly intercepted by the attacker (key logger or otherwise) who then hijacks the session. And all they really need is one session. MFA isn't a panacea; it's another tool in our toolbox to help mitigate some of the many risks to our security. But if we become too confident in the power of these tools, an attacker determined enough can and will use our confidence and inflated sense of security against us. That's ultimately what we need to avoid. Stay vigilant! :sunglasses:
0 -
Love the discussion so far!
If I'm allowed to make suggestions, I have an idea to implement 2FA.
All the login process is exactly the same except that after typing in the master password and account key a user would be redirected to a whole new page that requires a one-time 4-digit code that the user would receive on his/her phone, and instead of typing, the page itself provides a button layout for the user to click to enter the code. Since all this process is quite bothersome for normal users it could be an opt-in feature like in any other online service.
I'm not a programmer so the whole thing I described above might sound like an alien-like feature from the coding department.
But, if it were to come true then....
0 -
@dwk: Yes! Your suggestions are always welcome! Also, money. :money:
But in all seriousness, what you describe is roughly similar to the Duo authentication we're testing with 1Password Teams currently. If that continues to go well and there's enough interest, it's possible that it could be added elsewhere in the future. Thanks for your feedback! :chuffed:
0 -
+1 for 2FA, +1 for using Duo (Mobile) for 2FA
0 -
:+1: :)
0 -
@brenty, you asked "if there's enough interest". So, here's my +1 vote for 2FA especially using a mobile. Thank you.
0 -
@Scott Weatherhogge: Thanks for letting us know! Personally, I wouldn't mind having this option for my other 1Password Accounts too. ;)
ref: B5-2043
0 -
Thanks for the feedback, and optimism! :+1:
0 -
I think until you guys have a proper 2-factor solution, 1Password is still insecure. The account key is a poor alternative to a rotating code, key loggers being just one example. It's up to the user to secure their 2FA device but right now we don't have that option. Although I am trialling it with 1Password Teams, surely the individual 1Password account will also have it?
0 -
I think until you guys have a proper 2-factor solution, 1Password is still insecure.
@mickdelaney: Fortunately that's simply not true. 1Password's security is built on encryption rather than authentication. And while authentication is certainly useful, a bug in an authentication system could grant unauthorized access, which is a weakness which encryption doesn't have. Encryption uses math to enforce security, not permissions, which is why that's the foundation of 1Password. You can read more details on how all of this works in our white paper, and don't hesitate to ask any other questions you may have!
The account key is a poor alternative to a rotating code, key loggers being just one example. It's up to the user to secure their 2FA device but right now we don't have that option.
Given that the Account Key is generated locally, never transmitted, and only used initially to authorize a new device/browser, the opportunities for it to be "logged" even on a compromised machine are fairly limited. Certainly there are always risks, but someone who is in a position to capture your Account Key (or Master Password) already, by necessity, owns the machine, and they can almost certainly get what they want other ways at that point. After all, a dynamic code can be intercepted on a compromised channel the same way the Account Key could, so multifactor is hardly a panacea. It's just another tool.
Although I am trialling it with 1Password Teams, surely the individual 1Password account will also have it?
Currently Duo authentication is available only with the 1Password Teams Pro plan, but it's something we'll continue to evaluate. Thanks for your feedback on this!
0 -
Hello, I would like to add my vote for Duo Security's 2FA solution for the 1Password Families plans.
We currently use the Duo Security 2FA Mobile App in instances where Google 2FA is required.
I use the old-school 1Password solution and I haven't moved to the Family Plan yet because I am waiting for the 2FA option.
Since Duo Security already has 1Password Teams as an available application to protect, I am looking forward to when it becomes available for 1Password Families plans.
0 -
To be clear, we haven't announced plans to add Duo (or another multifactor option), but it's certainly something we'll continue to consider. Thanks for letting us know you'd like that feature! :)
0 -
Short version: +1 for MFA options (Yubikey, Duo/Google Authenticator, etc.)
Long version:
Thanks for all the information and diligent responses from the AgileBits folks! I'm a really happy 1Password user who recently made the jump from the desktop app only to 1Password Families (i.e. from local storage to cloud storage). Now that I have data being stored in the cloud, I just wanted to add my vote for adding 2FA/MFA to any hosted product. I understand the encryption vs. authentication debate, as well as the account key discussion, and am glad that all those things are transparent and explained (here, the blog, and in other posts). However, I would love to see things like Yubikey, Duo/Google Authenticator, and other options be implemented for those of us that are ultra paranoid (such as myself :smile: ) and are using any variant of the hosted solutions (personal, families, team, etc.).
As a confession, I've given LastPass a whirl to check out the Yubikey integration and it was pretty great. However, their app is miles behind yours in terms of usability, transparency of how it works (thanks for explaining things!), and general bugginess. Keep up the great work!
0 -
Hi @plusjeff -
We really appreciate the kind words and I'm happy to hear you're enjoying the new 1Password.com account :blush: I completely understand where you are coming from and I will make sure to share your request with the team. Thank you for taking the time to send us your feedback, it's very much appreciated. I wish you a safe & happy holiday :-) I hope to chat with you again soon.
0 -
+1 for MFA (Yubikey; Google Authenticator).
I've been using 1Password since January 2011. Like plusjeff, I made the switch to 1Password Families. I love the product; keep up the good work!
Vanguard, the large mutual fund company in the United States, recently implemented hardware-based MFA using Yubikey. In the past, Vanguard has moved slowly on certain security features (for example, Vanguard long capped the length of a user's password at 8 characters). I've now implemented Yubikey MFA at Vanguard and, in my opinion, it works very well.
Thanks for listening.
~Richard
0 -
That's great to hear — both that you're enjoying 1Password Families, and that a large financial organization is becoming more security conscious, as generally this is not the case. 8 characters definitely wasn't enough! Thanks for letting us know you'd like to use multifactor authentication with your family too. :)
0 -
Why not just implement 2FA yourself as well for Teams and of course for Families? Such as:
SMS 6-digit codes
Time-based 6-digit codes
One-tap push notifications
This is similar to Dropbox and sync with v4. You leveraged them out of the gate, but over time you found it was best to do it yourself (i.e., sync) both from a feature and monetary perspective.
Sure, leverage Google Auth, Duo, etc., but SMS is very useful (and easy to use).
0 -
@mmm1: SMS is easy, but also incredibly insecure. In fact, it has no security at all and can easily be intercepted...which sort of negates the benefit of multifactor authentication. But so far I rather like Duo, since it uses a secure channel to authenticate with authorized devices. :)
0 -
@brenty I agree slightly with your point. Sure you can install an app on someone's phone, clone a device, or borrow it. All are illegal.
That said, SMS should be implemented to be competitive. As you noted, auth is different from encryption for your product (you are trying to prevent the screen capture edge case) and everyone has SMS. LastPass, Dropbox, Apple, GoDaddy, and banks such as Bank of America, etc... the list goes on and on - all have SMS. You guys do not. That is the simple point.
By not having it and saying that it is "easy" and we are going to do better with apps and "charge for it" perhaps, or only apply it to "Teams" and not generally to all of your solutions, well perhaps a few will "get it", but the average customer will not and people will vote with their wallets. SMS should be done since the points above are edge cases, and when you have to explain why you do it one way and everyone else does it another....that is a hard point to make for the average consumer.
Last, SMS provides notifications that someone is trying to get your master password changed. A passive app does not do that.... If anything you should provide notifications when a password changes..........including email.
The simple solution is to provide the top 3 options (with the reasons why) and let the customer decide.
0 -
I agree slightly with your point. Sure you can install an app on someone's phone, clone a device, or borrow it. All are illegal.
@mmm1: If we ignore very real threats because they involve illegal activity, we're failing to protect ourselves from the most likely threats. What I had in mind was just grabbing data over the air. Cell phone data is not secure and goes right through the airwaves anyone has access to, our phone numbers can be easily gotten, and this equipment is cheap and readily available.
That said, SMS should be implemented to be competitive. As you noted, auth is different from encryption for your product (you are trying to prevent the screen capture edge case) and everyone has SMS. LastPass, Dropbox, Apple, GoDaddy, and banks such as Bank of America, etc... the list goes on and on - all have SMS. You guys do not. That is the simple point.
SMS doesn't provide additional security. That's the problem with it. So we'd literally just be adding it to gain another checkbox on a product comparison sheet. At best, that's naive; at worst, that's lying to users by presenting this as a security enhancement when it isn't. It's our job not to do those things.
By not having it and saying that it is "easy" and we are going to do better with apps and "charge for it" perhaps, or only apply it to "Teams" and not generally to all of your solutions, well perhaps a few will "get it", but the average customer will not and people will vote with their wallets. SMS should be done since the points above are edge cases, and when you have to explain why you do it one way and everyone else does it another....that is a hard point to make for the average consumer.
It's a lot to expect the average consumer to do security research and make an informed decision to select a secure option from among insecure ones like SMS. By doing this, you're either placing a huge burden on the user — a burden which should be yours, as the security provider — or condemning them to roll the dice and hope that whatever they choose does not merely give them a false sense of security.
Last, SMS provides notifications that someone is trying to get your master password changed. A passive app does not do that.... If anything you should provide notifications when a password changes..........including email.
Email isn't secure either, which is why it isn't used for authentication. And Duo isn't a passive app. I was skeptical at first as well, but it's actually rather good.
The simple solution is to provide the top 3 options (with the reasons why) and let the customer decide.
Choice is good, but our customers trust us to offer them secure choices, not insecure ones; so we have no plans for adding SMS support. There are a lot of other multifactor authentication options which do offer actual security, so that's where we're focusing our attention.
0 -
Let's face it, it is better than what you have right now. It should have rolled out when you had an online system.
Since you are talking roadmap, what products will get the 2FA? All, one, and what time frame?
0 -
@mmm1: SMS isn't better. It just looks better if you ignore that it's security theater. All 1Password Accounts have the Account Key, which provably strengthens security using encryption. That's much more important, and a much bigger security benefit to all users than if we'd gone with a traditional username/password login with SMS.
We don't discuss our roadmap or timeline publicly, as it's subject to change; only that we're looking into various (secure) multifactor options, and that Duo is one we've already implemented as a beta feature for 1Password Teams Pro accounts. I personally would like to see that finalized and available to all users since it's secure and a great user experience, but only time will tell.
0 -
The article you noted states my point. It is better than what you have..........even if you have an account + pass solution.
Certainly, text messaging is far from the strongest form of 2-factor authentication, but it is better than allowing a login with nothing more than a username and password, as this scam illustrates.
As a paying customer of both a Teams account for business and a Families account, I do expect both to be supported with 2FA. So Duo is fine but you need a plan B for obvious cases (Duo is acquired, etc.), and so are others where I don't need another account, etc., such as Symantec VIP, Google, etc.
If both products (team/family) are not supported with 2FA, then I will need to review options going forward. Happy to discuss live.
0 -
The article you noted states my point. It is better than what you have..........even if you have an account + pass solution.
Certainly, text messaging is far from the strongest form of 2-factor authentication, but it is better than allowing a login with nothing more than a username and password, as this scam illustrates.
@mmm1: Not really. 1Password.com also already uses "more than a username and password": it also uses the Account Key, which, as mentioned previously, actually strengthens the encryption of your data (which an SMS code cannot) and is more difficult to capture since it is used so infrequently. While we're considering other multifactor options, and also the possibility of bringing this to other account types, we have no plans to add SMS, and no news in this area at this time. Multifactor isn't a feature you're paying for; it's an additional feature you're asking for. I'm sorry that isn't the answer you want, but it isn't my intention to mislead you in any way.
0
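Added example for this thread (not code from 1Password or any poster): a toy model of a vault key derived from both a Master Password and an Account Key, showing in code the point brenty makes above that the Account Key strengthens the encryption rather than acting as a login-time code like SMS. The derivation (PBKDF2 XOR keyed hash), the 26-character alphanumeric Account Key format, and the HMAC "verifier" standing in for decryption are assumptions chosen for the illustration.

```python
"""Toy model of an encryption key derived from two secrets (illustration only;
not 1Password's real key derivation). Nothing here talks to a server: both
secrets are combined on the device, and an attacker who captured only the
Master Password cannot reconstruct the vault key offline."""
import hashlib
import hmac
import math
import secrets
import string

ACCOUNT_KEY_ALPHABET = string.ascii_uppercase + string.digits  # assumed 36 symbols
ACCOUNT_KEY_LENGTH = 26                                         # assumed length


def generate_account_key() -> str:
    """High-entropy secret generated locally and held on the device ('something you have')."""
    return "".join(secrets.choice(ACCOUNT_KEY_ALPHABET) for _ in range(ACCOUNT_KEY_LENGTH))


def account_key_entropy_bits(length=ACCOUNT_KEY_LENGTH, alphabet=len(ACCOUNT_KEY_ALPHABET)) -> float:
    """Search space an attacker faces without the Account Key (about 134 bits here)."""
    return length * math.log2(alphabet)


def kdf_password(master_password: str, salt: bytes, iterations: int = 5_000) -> bytes:
    """Slow stretch of the memorised secret ('something you know')."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def kdf_account_key(account_key: str) -> bytes:
    """The Account Key is already random, so one keyed hash is enough; no stretching needed."""
    return hmac.new(b"account-key-context", account_key.encode(), "sha256").digest()


def derive_vault_key(master_password: str, account_key: str, salt: bytes) -> bytes:
    """XOR the two 32-byte digests: neither secret on its own reveals anything about the key."""
    a, b = kdf_password(master_password, salt), kdf_account_key(account_key)
    return bytes(x ^ y for x, y in zip(a, b))


def make_verifier(vault_key: bytes) -> str:
    """Stand-in for 'does this key decrypt the vault?' (a real vault would use AEAD)."""
    return hmac.new(vault_key, b"vault-check", "sha256").hexdigest()


def unlock(master_password: str, account_key: str, salt: bytes, verifier: str) -> bool:
    candidate = make_verifier(derive_vault_key(master_password, account_key, salt))
    return hmac.compare_digest(candidate, verifier)


def offline_attack(candidates, salt, verifier, captured_account_key=None, key_guesses=20):
    """Dictionary attack with whatever was captured. With the Account Key as well
    (dwk's 'hacker has both' case) the real password is found; without it every
    candidate must be paired with a guessed Account Key from ~134 bits of space,
    so a bounded random search fails even when the true password is in the list."""
    for pw in candidates:
        if captured_account_key is not None:
            if unlock(pw, captured_account_key, salt, verifier):
                return pw
        else:
            for _ in range(key_guesses):
                if unlock(pw, generate_account_key(), salt, verifier):
                    return pw
    return None


if __name__ == "__main__":
    salt, ak = secrets.token_bytes(16), generate_account_key()   # constructed sample vault
    verifier = make_verifier(derive_vault_key("correct horse", ak, salt))
    words = ["password", "correct horse", "letmein"]             # constructed guess list
    print("with both secrets:", offline_attack(words, salt, verifier, ak))
    print("password only:    ", offline_attack(words, salt, verifier))
```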