Feature Request 2 Factor Authentication to access 1Password
Hi 1Password,
I was wondering if there would be any possibility that you guys would be able to implement 2 FA to open 1Password. For example, to log in to the 1Password app, a one-time password or YubiKey is required to gain access? Thanks.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Mac OSX
Sync Type: Not Provided
Comments
-
Hi @leandrosiow,
I'm sorry for our delayed reply here! Thank you for writing in to ask us about that.
I don't know if you're using a 1Password.com subscription account or if you're using the app with a standalone license, so I'll give you both answers:
If you have a 1Password.com account, you already have an additional factor which keeps your data secure. It's called the Secret Key (also referred to as an "Account Key"), and it's better than two-factor authentication (2FA). Your Secret Key is generated locally so it isn’t sent to you from an authentication server, and it's never sent over the network. It is a 128-bit string of random characters, and together with your master password, it's used to encrypt your data. You can think of it as a second factor, but because it's a true encryption factor, it's much stronger than 2FA systems that rely on authentication alone. We call this approach to multiple factors Two-Secret Key Derivation.
If you're using a standalone license, 1Password is an encryption app, and not a hosted service using authentication. Therefore, classical approaches to multi-factor authentication don't apply because unlocking your 1Password data is not about authenticating to some service.
If you're interested, you can find more information in this knowledgebase article: Authentication vs. encryption in the 1Password security model
Hopefully this helps, but please let us know if you have more questions about that. Cheers! :)
0 -
Hi Drew,
Oh my bad. I did not realize that there were 2 types of services for 1Password. Mine is the one completely offline.
What I imagined for the 2 FA for the offline was to protect against brute-force or other forms of attack on a local machine. For example, if I lost my Mac or mobile devices.
Hence the two-factor authentication like a Yubikey and/or OTP is additionally needed to decrypt and authenticate 1Password on the local machine. (You might have a point that the classical 2FA may not exactly apply locally).
So in short, on top of just having a password, a "secondary device" is required.
Hope my explanation is a little clearer.
Apologies for the confusion and for using "2FA" as a general term.
Nevertheless, I have to say that 1Password is awesome and keep up the good work.
0 -
@leandrosiow: Thanks for the kind words! We love what we do, and appreciate your support. :chuffed:
Given that you're using a local vault, there is nothing to perform (first-factor) authentication at all, so a second factor is impossible. You can, however, use Dropbox's TOTP support if you're using that to sync, since then you're authenticating with a server. But 1Password's security isn't based on someone deciding that you should be allowed to access your data by authenticating you; rather, your data is encrypted, so you're just entering a secret (your Master Password) to decrypt it. And we use PBKDF2 to strengthen your Master Password and protect your data against brute force attacks too. Cheers! :)
0
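The two mechanisms described in the replies above (a 128-bit Secret Key combined with the master password, and PBKDF2 stretching of the master password) can be sketched as follows. This is an added example, not code from the thread or from 1Password; the XOR combination, the HKDF step, the iteration count and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def hkdf_sha256(key_material: bytes, salt: bytes, info: bytes) -> bytes:
    """HKDF (RFC 5869) extract-then-expand, first 32-byte output block only."""
    prk = hmac.new(salt, key_material, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def derive_unlock_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a memorized secret and a device-held secret into one 256-bit key."""
    # Slow, salted stretching of the human-chosen secret (the PBKDF2 step).
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=32
    )
    # Fast expansion of the high-entropy secret that never leaves the device.
    device_part = hkdf_sha256(secret_key, salt, b"example-2skd")
    # XOR the halves: the result cannot be computed from either secret alone.
    return bytes(a ^ b for a, b in zip(stretched, device_part))


def unlocks(master_password: str, secret_key: bytes, salt: bytes, real_key: bytes) -> bool:
    """True only when both secrets reproduce the key the data was encrypted under."""
    candidate = derive_unlock_key(master_password, secret_key, salt)
    return hmac.compare_digest(candidate, real_key)


if __name__ == "__main__":
    # Constructed sample values, generated fresh on each run.
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(16)  # 128 bits, as in the reply above
    key = derive_unlock_key("correct horse battery staple", secret_key, salt)

    # Both secrets correct, then wrong Secret Key, then wrong password.
    print(unlocks("correct horse battery staple", secret_key, salt, key))
    print(unlocks("correct horse battery staple", secrets.token_bytes(16), salt, key))
    print(unlocks("wrong guess", secret_key, salt, key))
```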