2FA support on 1Password - logging in on a public computer
I am currently a LastPass user looking to switch to 1Password and have read various forum posts about 2FA not being available in 1Password.
I understand that the 1Password Secret Key adds a 2nd factor to the master password that strengthens encryption - which is great and a real benefit over just using a master password from an encryption point of view. I also understand that a 2nd factor such as YubiKey / TOTP is authentication only, not encryption. I believe both are needed: a 2nd factor for encryption and a 2nd factor for authentication. LastPass provides one of these - authentication - and 1Password provides the other - encryption.
My problem is this:
If I log in to the LastPass web vault from a public/shared computer, I provide my email address and master password and am then prompted for my 2nd factor authentication (YubiKey / TOTP / etc.) before access is granted. This 2nd factor authentication is ever changing, so if my email address and master password are captured on this public/shared computer they cannot be used to subsequently log in to my LastPass web vault.
If I log in to the 1Password web vault from a public/shared computer, I provide my email address, secret key and master password - if these are captured, I have provided everything that is needed to subsequently log in to my 1Password web vault or using the 1Password app. Yes, I may get an email alert, but by the time I get to do something about it my vault has probably already been exported to a text file. I don't think the workaround of changing the secret key every time you have used a public/shared computer, and having to reauthorise all your devices and print out a new emergency pack, is really practical ;-)
Having a 2nd factor for encryption is great unless it is also captured with your other logon details. As there is nothing unique each time you log in, such as a 2nd factor for authentication, capturing these three bits of information provides access to the password vault.
So how can I log on to my 1Password web vault from a public/shared computer with confidence?
Even on a trusted computer, is there a danger of the secret key cookie being snaffled along with the email address and master password when I log in?
1Password Version: 6
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Not Provided
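An added illustration (not code from the original post, and not 1Password's own scheme) of the distinction drawn above, and of the later comment that a 128-bit secret key strengthens the login even with a weaker master password: a second factor that feeds the encryption key is deterministic, so capturing both inputs reproduces the key on every later login, while a TOTP code only gates the server-side check and is valid for one time step. The key-derivation construction is a hypothetical stand-in; the TOTP function follows RFC 6238.

```python
import hashlib
import hmac
import struct

# Hypothetical stand-in, NOT 1Password's real key derivation. It only shows
# why a secret key helps against offline guessing yet does nothing against
# someone who captured both values on a compromised shared computer.

def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Mix a high-entropy secret key into the password-derived key.

    The secret key never reaches the server, so a password-only offline
    guess cannot succeed without it. But the result is the same on every
    login: whoever captures BOTH inputs gets the same key every time.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    sk_key = hmac.new(secret_key.encode(), salt, hashlib.sha256).digest()
    # XOR-combine the two 32-byte keys; both are required to recover the result.
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def totp(secret: bytes, timestamp: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", timestamp // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int) -> bool:
    """Server-side authentication check: a captured code only passes for
    its own time step, so replaying it on a later login fails."""
    return hmac.compare_digest(totp(secret, timestamp), code)


if __name__ == "__main__":
    salt = b"constructed-account-salt"          # constructed sample value
    key_first = derive_vault_key("correct horse", "A3-EXAMPLE-SECRET", salt)
    key_again = derive_vault_key("correct horse", "A3-EXAMPLE-SECRET", salt)
    print("captured password+secret key reproduce the vault key:", key_first == key_again)
    seed = b"12345678901234567890"              # RFC 6238 test-vector seed
    print("TOTP at t=59:", totp(seed, 59), "replayed at t=89 accepted:", verify_totp(seed, totp(seed, 59), 89))
```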
Comments
-
Plus 1 for two-factor authentication
0 -
So how can I log on to my 1Password web vault from a public/shared computer with confidence?
@mmoud: You can't under any circumstances. We're always going to advise against accessing sensitive data on an untrusted/unknown (especially public) computer. Multifactor authentication doesn't protect you from someone who has control of that computer stealing your data as you access it. It's important to keep in mind that the owner of a device you use to sign in could simply perform a person-in-the-middle attack in that case. There's just no way around that.
However, we are looking at different options for adding a multi-factor capability to 1Password.com in the future, as there are threats this can help to defend against. Thanks for letting us know this is something you're interested in! :)
0 -
@brenty Would logging onto a friend's device be considered acceptable? I can list it as a public computer, I believe, or do it in a private tab so as to not save cookies.
I think MFA is great, but I think the secret key really covers a lot of the problems. One thing I like is being able to access my vault from anywhere even if my phone isn't on me or if it's dead. With MFA, assuming by text message, that's virtually impossible. Also, a secret key being 128 bits of entropy really helps strengthen your overall login details. Having a very strong master password is definitely essential, but it helps for those who have a weaker one. On other services your master password is your weakest and only link.
0 -
@AskAli Sending a text message for the second factor is extremely unsecured and dangerous. If AgileBits does a 2-step factor, I'm pretty sure it will be an authenticator app or something.
My rule: if I don't have control over the computer, I will not sign into anything that can harm me (so never). I will go buy a charger for my phone to charge so I can go online before I use a computer I don't have control over.
0 -
@AskAli I wouldn't. Not that I don't trust my friends, but I don't know what's on their computers. They can have malware, viruses, Trojans, or whatever and not know it. They can have something that takes my data; it's not worth it to me.
My mom's computer, I would, only because I control and maintain it. Along with my in-laws' computer. But I normally have my phone with me, so I don't see a need to ever use their computers.
0 -
I would agree, for the most part. I'm very hesitant about accessing 1Password or any other sensitive accounts from any devices I don't own/control.
Ben
0 -
Would logging onto a friend's device be considered acceptable?
@AskAli: That's not something we'd recommend either. Nothing against your friends or mine (or even my family, whom I'd be more apt to trust with things), but while we know them we don't really know what they might have put on their computers. In these situations it's less likely to be them being malicious, and just making a mistake that compromises their machine as they use it the rest of the time. "Unknown" is the biggest concern there. We just don't have a good sense of their computing practices, yet using their machines makes us vulnerable to them.
I think MFA is great but I think the secret key really covers a lot of the problems.
I think it's worth noting that they both serve to protect against different types of threats. Nothing to announce at this time, but we're definitely listening to feedback on this topic. :)
0 -
Thanks for the encouragement! We definitely want to do something in this area. Hopefully we'll have more to share in the future. :)
0 -
Currently, is the only place to try out two-factor authentication, using Duo, on the Teams account (beta release)?
0 -
Yes, that is correct. :) It requires the Teams Pro plan.
Ben
0 -
This is the login experience for Teams and it is exactly what we need for personal accounts. As you have everything in place, it's just a matter of enabling the feature for non-Teams subscription users.
User Login Experience
Users will log into the 1Password for Teams website like usual. After authenticating with their e-mail address, account key, and master password they will be presented with the Duo Prompt. Users can approve a Duo Push authentication request from a smartphone or tablet, approve authentication over the phone, or enter a passcode generated via the Duo Mobile app, text message, or hardware token.
0 -
Remember that this is only in BETA at the moment and only on the $11.99 per month/user Teams Pro subscription plan.
As such, it could be dropped from the feature list when it comes out of BETA, or only be available on this level of subscription.
0 -
This is the login experience for Teams and it is exactly what we need for personal accounts. As you have everything in place, it's just a matter of enabling the feature for non-Teams subscription users.
The feature is still in beta, which is why it is currently limited to a small group of users. If it makes it past the beta testing phase it is possible that it would be rolled out to a wider audience.
Thanks.
Ben
0 -
Indeed :)
Ben
0 -
Duo does have a free version and it works great. The paid version just has a few extra features which are meant for Enterprise.
0 -
@Frank Correct me if I am wrong. According to me, Duo Security provides free APIs for integration and any company can use them without paying. It's the end user who wants to use Duo who has to decide which plan they want to use, free or paid, according to their needs. Even free password managers like LastPass provide Duo integration free of cost. So even if AgileBits has millions of users, they don't pay anything, as every user has their own personal account with Duo.
0 -
@mmoud: Sort of, but not really. That's how it works if you sign up for and manage a Duo account and providers yourself...but that doesn't offer the same level of integration. 1Password is designed to be user-friendly and not make people jump through hoops to set up accounts with separate providers — as was previously necessary to sync in most cases. Also, I'm not 100% sure that Duo's intention is to allow big companies to use "personal" accounts to get out of paying them for their service by placing the burden on individual users.
0 -
But that's what 1Password is doing with the Teams Pro account. It's asking users to sign up for a free account with Duo and then making them configure it with all the details of 1Password. So how is that more user-friendly than what LastPass is doing, as it is also doing the same thing?
And by providing a free API, Duo is getting a bigger user base, and many users indeed upgrade to paid plans or at least buy call credits with the free plan. So I think it's a win-win situation for both companies.
0 -
But that's what 1Password is doing with the Teams Pro account. It's asking users to sign up for a free account with Duo and then making them configure it with all the details of 1Password.
@mmoud: Nope. I use Duo with my 1Password Teams account, and I've never signed up for Duo.
So how is that more user-friendly than what LastPass is doing, as it is also doing the same thing?
That's how it's more user-friendly. It isn't something I ever had to do myself, or have to manage.
And by providing a free API, Duo is getting a bigger user base, and many users indeed upgrade to paid plans or at least buy call credits with the free plan. So I think it's a win-win situation for both companies.
They definitely get users, but if the users don't pay and the vendor supporting Duo doesn't pay, that's not going to be sustainable. That's why we pay, and why it's only available with a Pro plan currently. But that's something that could change in the future, either with us or with Duo. Only time will tell.
0