To protect your privacy: email us with billing or account questions instead of posting here.

Is it possible to restrict the use of one-time passwords only to mobile devices and not desktops?

pparth
pparth
Community Member

I have moved my one-time passwords from Google Authenticator to iPassword in order to overcome the problem with persisting the algorithms centrally and being able to change a mobile phone without loosing everything. However, the notion of having a one-time password only on mobile devices, is still correct. Having them on a desktop is very handy but also much less secure. So, is it possible to setup one-time passwords to be usable only on the mobile versions of 1password?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:one-time password

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @pparth: It isn't possible. But while I appreciate that this may feel "less secure", in reality it's encrypted in 1Password and remains "something you have" (since I'm sure you're not doing TOTP code calculations in your head — I know I'm not!) And keep in mind that data availability is also part of security. Having this securely stored in more than one place means that not only can no one else access it, but also you're less likely to lose access to it. I hope this helps. Be sure to let me know if you have any other questions! :)

  • pparth
    pparth
    Community Member

    Well, the whole notion of the two-factor approach is that one that gains access to the password, does not have access to the one-time password. So, a setup where the password is only available in the desktop instances and the OTP is only available in the mobile instances, would be perfect. For availability, i would surely use more mobile devices, when possible, which is what people do now with Google authenticator too.

  • Lars
    Lars
    1Password Alumni
    edited February 2018

    @pparth - thanks for the suggestion; we're looking down the road to see what kind of incorporation of U2F might work well with 1Password, and we're always monitoring the security landscape to try to make sure we stay ahead of evolving threats. That said, I don't think we'll be headed down this particular road, but we can mention it to our developers to see what might be done.

    In general, you're correct to note that there's indeed a difference between 2SV (two-step verification) and 2FA. I don't think it's arguable that in a relatively narrow sense, 2FA is overall stronger than 2SV. However, for most people's purposes, 2SV, along with proper password management in general, is sufficient to protect your accounts. I'll explain why I say that.

    1Password makes that last bit - proper password management - easy to do -- and to remember! For example, one of the most devastating potential breaches of data comes through password re-use. If a password for one of your online accounts is captured by a hacker in a break-in somewhere, and it's the same password you use for a lot of other sites as well, then a great deal of your information is suddenly at risk. This is a scenario that can and does happen to ordinary people, which is why experts recommend so strongly against password re-use. Using 1Password means (hopefully!) that you're creating strong and unique passwords for all the sites you belong to. That way, if someone hacks a site like Yahoo or Equifax, even if your password is among the accounts disclosed, only that one site is compromised since you only used the password for that site in one place.

    But if you'd previously enabled 2SV for your account at that hypothetical site that suffered the breach, then your account is likely not vulnerable just because the password was obtained by a hacker, since that's also what both 2SV and 2FA help protect against. Someone who knows only your password for a site (whether it's a hacker or an ex-spouse) cannot access your account because they don't have that TOTP code. For most people, this is sufficient protection for their accounts. And because your TOTP codes are stored within 1Password, the only way for an attacker to obtain both your password for a site or service and your 2SV code simultaneously would be by compromising your 1Password data itself. Which leads us back to the security model and strength of 1Password.

    So, would having a genuine second factor such as a hardware-based token in addition to 1Password increase your security, versus using 1Password with a strong Master Password and setting up 2SV codes you store inside? It depends: if you're the type of person who both credibly assesses your likely active adversaries as placing enough value on obtaining your specific login credentials to be determined enough to want to make a targeted strike against your devices on which you use 1Password and you assess their level of skill as high enough to succeed in gaining root access to your computer or installing a keylogger that could capture your Master Password, then you are indeed a person with the type of threat profile for whom it might be prudent to make use of a genuine second factor in addition to 1Password -- not to mention a number of other security measures that most people neither bother with nor need because they are not subject to these kinds of targeted attacks.

    For the rest of us - including someone like myself, who works for a company that makes a password manager - the level of protection offered by using TOTP codes stored in 1Password is sufficient, as long as we make sure our Master Password is strong and we don't disclose it to others.

  • pparth
    pparth
    Community Member

    I totally agree with everything mentioned here and it is sure that i am not feeling more compromised with the 2SV implementation in 1Password, at all. It just feels that without designing a new solution that will take a lot of resources, allowing the user to decide for a specific Logon to be "2FA-friendly", meaning that the primary password is available only on non-mobile devices (configurable) and the second step is available only on mobile devices (without the ability to change this selection later on, even with the master password), seems to be a valid and easily implemented option that essentially covers the requirements.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Well, the whole notion of the two-factor approach is that one that gains access to the password, does not have access to the one-time password.

    @pparth: I think you're not considering which password we're talking about with two factor authentication: it isn't your Master Password. The "something you know" is the password for the account where you're using two-factor authentication. But it sounds like you're conflating that with someone knowing your Master Password for 1Password itself. The threat models are very different, as you will be sending your account credentials to websites, but you will not (or at least should not) be sending your Master Password to websites. That's how the first factor gets compromised: you enter it somewhere you shouldn't, or it gets stolen from the website itself when it gets hacked.

    I totally agree with everything mentioned here and it is sure that i am not feeling more compromised with the 2SV implementation in 1Password, at all. It just feels that without designing a new solution that will take a lot of resources, allowing the user to decide for a specific Logon to be "2FA-friendly", meaning that the primary password is available only on non-mobile devices (configurable) and the second step is available only on mobile devices (without the ability to change this selection later on, even with the master password), seems to be a valid and easily implemented option that essentially covers the requirements.

    However "easy" you might think it is to implement, it's our job to look past the immediate and consider the consequences first. What you're asking for is also a new solution that requires additional resources, for a feature that almost no one would use; and it would also cause a lot of confusion for those who did use it without fully understanding the implications. Best case scenario, it's an inconvenience; worst case, it's a huge problem (if you're in a situation where you need to get into an account immediately and only have a device with you that you've excluded this information from). It's a perfectly "valid" suggestion, but we have to consider all of our users and the ramifications as best we can when we introduce new features. This isn't something we're going to do right now.

  • pparth
    pparth
    Community Member

    For sure. Thanks for your time!

  • AGAlumB
    AGAlumB
    1Password Alumni

    Likewise, thanks for your feedback on this, and for understanding. We'll keep it in mind. If we can find a way to do something like this in the future without making people shoot themselves in the foot, it might be worth doing if others are after something similar. Cheers! :)

This discussion has been closed.