No 2FA recovery options for "Individual Plan" accounts

[Deleted User]
Community Member
edited March 2018 in Memberships

I've seen that, in 1P.com v477, you added 2FA (with Google Authenticator) for "Individual Plan" accounts. Although I think the Secret Key is more than enough, I wanted to try the 2FA as well.

It works as expected, but there are no recovery options:
1. No backup codes to enter
2. No recovery via URL sent by e-mail
3. In the "Emergency Kit" the 2FA secret is not saved (as text or QR)

IMHO, options 1 and 3 should be implemented...

Thanks

Edit: Maybe this discussion should be moved here: https://discussions.agilebits.com/categories/accounts

Comments

  • XIII
    Community Member
    edited March 2018

    Ah, I see it's also available for Families.

    Maybe the "no recovery" is intentional? Some documentation would be nice.

    Did not try it yet, but I guess it's regular TOTP?

    (Was hoping we would get Duo, but alas)

  • AGAlumB
    1Password Alumni

    @XIII, @lammoth: Individual 1Password.com memberships have no means of recovery, as they are not part of a family or team. This is a new feature and not officially launched yet, so I'm sure we'll have more to share in the future. :)

  • XIII
    Community Member

    Ha, then maybe I should wait (testing this)...

  • AGAlumB
    1Password Alumni

    @XIII: I think you'll be okay, but one concern is that people might try storing their TOTP secret in 1Password itself, which could have...undesirable consequences. Definitely use a separate app for that when you set it up. Cheers! :)

  • [Deleted User]
    Community Member

    Hi @brenty - For "recovery" I mean the ability to enter my account when the 2FA device gets lost.

    As you say:

    If you lose access to your authenticator app, you won’t be able to sign in to 1Password on new devices until you turn off two-factor authentication. To turn off two-factor authentication:

    1. Sign in to your account on 1Password.com in an authorized browser.

    If this is not possible, a backup code (as Google, Dropbox and others provide) would help. Authy can back up the secrets while Google and MS authenticators can't, so people not using Authy (or not manually backing up the TOTP secret) may remain locked out.

  • XIII
    Community Member

    Thanks for the link with documentation!

    Might try it this weekend...

  • Catalin1P
    Community Member
    edited March 2018

    Hello everyone! I tried it and I opened an incognito window in Safari to see if I could log into my account with just the Master Password and my Secret Key, and it seems like I am screwed if I ever lose access to those 2FA codes. Any suggestions on how I could store these 2FA security codes that regenerate themselves every 30 seconds without locking myself out of my account and losing access to my digital life?

  • AGAlumB
    1Password Alumni

    Hi @brenty - For "recovery" I mean the ability to enter my account when the 2FA device gets lost. As you say:

    If you lose access to your authenticator app, you won’t be able to sign in to 1Password on new devices until you turn off two-factor authentication. To turn off two-factor authentication:
    Sign in to your account on 1Password.com in an authorized browser.

    If this is not possible, a backup code (as Google, Dropbox and others provide) would help. Authy can back up the secrets while Google and MS authenticators can't, so people not using Authy (or not manually backing up the TOTP secret) may remain locked out.

    @lammoth: Right, but there's a tradeoff there with regard to security. It's something we'll continue to evaluate, but there are two important things to keep in mind: 1) these features are targeted primarily at businesses who require them, and 2) we're not recommending that anyone else use it at this time, as it is up to you to not lock yourself out, especially as an individual with no family or team admin to bail you out. That adds not only a means of recovery, but also an important social failsafe: you'd have to contact a loved one or colleague directly to ask them to help you recover your account, which adds a layer of real-world authentication. Having a bunch of different "get out of jail free cards" is convenient, but can also provide additional avenues of attack. For the target users of this feature, businesses, not having these additional threat vectors is important.

  • AGAlumB
    1Password Alumni

    Thanks for the link with documentation! Might try it this weekend...

    @XIII: Let me know what you think — bearing in mind that this isn't anything earth-shattering, just a feature that many companies have requested due to their requirements. :)

  • AGAlumB
    1Password Alumni

    Hello everyone! I tried it and I opened an incognito window in Safari to see if I could log into my account with just the Master Password and my Secret Key, and it seems like I am screwed if I ever lose access to those 2FA codes.

    @Catalin1P: That's exactly it. This is designed to be an additional layer of security for business customers' accounts, and having ways around it would render that benefit less relevant. Please be careful.

    Any suggestions on how I could store these 2FA security codes that regenerate themselves every 30 seconds without locking myself out of my account and losing access to my digital life?

    We have a few recommendations for 3rd party authenticator apps that will work with this in the guide I linked above. Just keep in mind that this feature is supposed to make it harder to get into your account.

  • XIII
    Community Member

    Finally configured TOTP 2FA for 1 non-admin user in my Family account.

    Works as expected.

    Will you only offer TOTP or also Duo for the Family plan?

  • Jacob
    edited April 2018

    @XIII Fantastic! Duo is only for 1Password Teams and 1Password Business, since it's a business product in general. You can use two-factor authentication for your personal accounts. :)

  • AsParallel
    Community Member
    edited January 2019

    @Catalin1P Months later, I had the same question, as the experience seemed to move some cheese vs. what most 2FA users are familiar with. The team has a strong opinion that their home-rolled solution is superior to the way the majority of the industry does it. In most ways they're not wrong; the rub is it's a vertical integration with a price tag to get back to the familiar. You can interpret that how you will.

    Tl;dr, The real solutions are as follows:

    1. Use Authy, rely on its continued existence and service
    2. 2x your spend for a family account
    3. Save your codes to a backup phone
    4. Install the Android SDK, create an Android VM, install GA or similar on that, save your codes, put the VM in a secure cloud drive
    5. If you're savvy, you can google for authenticator-cli to accomplish the same thing.

    @devs, a monospace font would be awesome in this comment box

  • @AsParallel

    There are a lot of different apps that are capable of generating TOTP codes. It isn't a bad idea at all to have a couple of different ones set up with the same TOTP secrets. For example I have all of mine in both 1Password as well as on a Yubikey. I'm considering also setting up Authy, Google Authenticator, or some other app that can sync these codes so that the loss of any device is not a single point of failure to my workflow.

    Ben

    P.S. you can get a monospace font by clicking on the 'paragraph' icon in the formatting toolbar above the reply area and selecting 'code':
    monospace goodness
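The point made twice above (AsParallel's "save your codes" and Ben's "same TOTP secrets in a couple of different apps") comes down to one fact: a TOTP app holds nothing but a shared secret, and every code is derived from that secret and the clock. The following is an added example, not code from 1Password or from anyone in this thread, implementing RFC 6238 TOTP with the standard library so you can see that any two generators loaded with the same secret agree on every 30-second code, and that keeping the otpauth:// URI (what the enrolment QR code encodes) is all that is needed to re-enrol on a replacement device. `EXAMPLE_SECRET` is the RFC 6238 reference key, not a real account secret; the issuer and account names are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed test secret: the RFC 6238 reference key "12345678901234567890" in
# base32. It is a published test vector, not anybody's real account secret.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_b32(secret: str) -> bytes:
    """Normalise a base32 secret as apps display it (spaces, lowercase, no padding)."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret: str, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1) over the counter floor(unix_time / step)."""
    if at_time is None:
        at_time = int(time.time())
    counter = at_time // step
    digest = hmac.new(_decode_b32(secret), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation, RFC 4226 section 5.3
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(secret: str, code: str, at_time: Optional[int] = None,
           step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` adjacent steps (clock skew)."""
    if at_time is None:
        at_time = int(time.time())
    for drift in range(-window, window + 1):
        candidate = totp(secret, at_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):    # constant-time comparison
            return True
    return False


def otpauth_uri(secret: str, issuer: str, account: str, digits: int = 6, step: int = 30) -> str:
    """Build the otpauth:// URI that authenticator apps import; this is what the QR code encodes."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


def secret_from_uri(uri: str) -> dict:
    """Recover the secret and parameters from a stored otpauth:// URI so a new device can re-enrol."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


if __name__ == "__main__":
    # Two independent generators fed the same secret agree on every code: the
    # "backup" that the thread is asking for is simply a second copy of the secret.
    now = int(time.time())
    backup = secret_from_uri(otpauth_uri(EXAMPLE_SECRET, "ExampleSvc", "alice@example.com"))
    assert totp(EXAMPLE_SECRET, now) == totp(backup["secret"], now)
    print("current code:", totp(EXAMPLE_SECRET), "valid for", 30 - now % 30, "more seconds")
```

The practical consequence for the thread: what needs backing up is the base32 secret (or the otpauth URI), captured once at enrolment, not the rotating six-digit codes. Anything that stores that secret, whether a second authenticator app, a hardware token or a password manager entry, is equivalent to a backup code from a recovery standpoint, which is also why brenty warns against keeping it inside the same account it protects.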

This discussion has been closed.