Feature Request: Confirm new device from trusted devices (instead add. 2FA)
Hello 1PW,
When reading https://support.1password.com/two-factor-authentication/ I imagined how cumbersome it would be to have an additional tool, redundant on multiple devices, evtl. cloud synched, just to have a second factor for new device installations.
I would strongly prefer a mechanism like one of my bank has:
You setup a group of trusted devices, once you reach a minimum of 2, you initiate registration of new trusted devices on device 1 and have to confirm the registration of the device by device 2. Of course this works in any directions.
I would strongly prefer such a trusted device confirmation setup over having to maintain an additional second factor in an additional tool, which is a pain in the a... that said I desperately want a second factor mechanism to better secure my crown jewels.
Thanks for considering it.
Best regards
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
@binaranomaly: We don't have any plans for what you're requesting, but it's something we'll continue to evaluate.
I hear you. It's a pain, but it's more secure and since it can actually be used as a second factor. What you're bank is doing, unless you're not able to actually use the banking app on the "trusted devices", is not really a second factor. I certainly prefer what you're describing myself, but the purpose of the two-factor authentication we've added is for businesses who require this feature. That way a completely different device can be used, separate from any use of 1Password. Keep in mind that 1Password's security doesn't depend on this, as it doesn't rely on authentication in the first place. So this is more of a hoop that some folks have to jump through than anything else. We try to avoid people getting the impression that this feature has security properties it does not, but it's really hard.
0 -
Thanks for your feedback @brenty.
Agree it's more a chain of trust thing or more abstract a way to setup/confirm a new device (more convenient than a totally independent totp solution - which would certainly be more secure). It is actually somewhat similar to what apple does https://support.apple.com/en-us/HT204915 (Apple calls it two-factor ;) )
The idea was not necessarily to replace the second factor approach but rather provide an alternative to it (for non business users?).
I feel a bit open with just the secret key and the password since both could more or less easily get into the wrong hands in the worst case (imagine a malicious browser plugin, cross-site scripting, etc.). 1Password just became too important here ;)
0 -
Yeah, having it all be self-contained within 1Password would have some pretty great benefits. You could mimic some of that functionality yourself though, by simply putting the two-factor authentication secret inside of 1Password itself. We don't recommend doing this because if you lose your last 1Password device you then get locked out of your account entirely... but in this case that's exactly what you're looking to do (if I understand correctly).
Rick
0 -
It is actually somewhat similar to what apple does https://support.apple.com/en-us/HT204915 (Apple calls it two-factor ;) )
@binaranomaly: Ha! I wanted to mentioned that earlier, but figured it was a bit beside the point. I really like Apple's implementation, and, in their defense, unless you're signing in through a web browser (this can actually trigger the authorization on the same device, since it's handled at the OS level), a second factor is required. For example, if I sign into iCloud on a new iPhone, I'll have to have another device I am already signed into handy to authorize that. But yeah, you raise a really good point, and that's a fantastic example of both the convenience and confusion that can be gained. ;)
0 -
@rickfillion "We don't recommend doing this because if you lose your last 1Password device you then get locked out of your account entirely... but in this case that's exactly what you're looking to do (if I understand correctly)." Everything else yes - but this not. There has to be some way to recover. Otherwise I need to setup additional redundant totp etc. to be on the safe side and this is the annoying part. My bank does recovery by sending you a postal letter with a secret code ;)
@brenty yes the webbrowser is the culprit here. Actually also it's the browsers that need to sign in anew much more often (browser updates, cookie cleaning, reset, etc.) than the devices themselves.
Looking forward to have an Apple like experience some day :)
0 -
I actually hate the Apple set up, and love the authentication app so much better. The main reason, I need Internet. With the authentication app, no cell or internet is needed. There has been times I waited a while for the pop up to come. At least Apple has a back up and you can go into the settings to get a code, but it’s a few clicks and screens to go though. It shouldn’t be that hard.
0 -
@prime I never had the slightest problem so far - but everybody as she or he prefers...
0 -
@prime I never had the slightest problem so far - but everybody as she or he prefers.
I’m just saying the Apple version will not work without internet (or 4 difference screens to get it from the device). It relies on it. If you do a search on this, I’m not the only one too. Another issue is the pop up doesn’t always clear (known issue, and I’ll try to look for it when I get home). For a while I thought someone was trying to hack my stuff, to just later learn the pop up sticks at times. I WISH I could use an authentication app for Apple.
The selling point of the authentication app, no signal needed at all.
0 -
My bank does recovery by sending you a postal letter with a secret code
Recovery codes are something we're still considering. I don't know about anyone else, but I store my recovery codes right along side TOTP secrets when I have them. This is sort of like when I go to a hotel and they want to give me 2 room keys. I'm one person, so one of two things will happen. I'll keep both keys together and lose them together, or I'll leave one key in the room and losing the other leaves me locked out. They got to feel better about themselves that they gave me the tools to not get locked out, but realistically they didn't help. This is why we decided to start without recovery codes.
Note that if you're using 1Password Families, 1Password Teams or 1Password Business and you get locked out of your account, your admin can use account recovery to get you back in. This will reset things and disable your two-factor authentication. That's another reason that we felt like we could start without recovery codes.
The selling point of the authentication app, no signal needed at all.
This is a strong point. It means that the device where you're getting the code doesn't need an internet connection. But since you're performing an authentication with the 1Password servers... I'd hope that you have a working internet connection. :)
Rick
0 -
@rickfillion 100% agree. The postal letter recovery code example was:
a) a good example for an out of band recovery factor
b) not meant too seriously since postal letter is rather unrealistic for the specific use caseI don't have THE answer for a secure, solid and easy to handle recovery option either, apart from the fact that I'm convinced there should be one - in the worst case probably email combined with something else. (Google has a pretty powerful recovery process, dynamically combining different factors...)
0 -
Recovery codes are something we're still considering.
I do not like recover code, and I hope I can opt out. The reasons, a TOTP is useless after :30 seconds, a recover code can work for as long as it wasn’t use. I love there are aren’t any and no cell phone connected as a back up. I guess for signal users, this can be an issue. I have a family plan and my wife is also a family organizer.
This is a strong point. It means that the device where you're getting the code doesn't need an internet connection. But since you're performing an authentication with the 1Password servers... I'd hope that you have a working internet connection.
True, but passwords are saved off line on a device ;) AND a computer can be hard line connected ;)
I know this is just for setting up a device, but just not a fan. I hate it when I’m trying to get on iCloud for my email, I have wait for a code, hands leave the keyboard, open my phone, click allow, and go back to typing. I love work flow... for work I open up my phone and have the authenticator app ready (to long into the work website). I log into work, I see the 6 digit code, and a nice work flow as I log in.
0 -
I do not like recover code, and I hope I can opt out. The reasons, a TOTP is useless after :30 seconds, a recover code can work for as long as it wasn’t use.
This is true. It goes from being 1/999999 chance of being right to 11/999999 (assuming 10 recovery codes which is typically the number i've seen). That's an order of magnitude different, and I can understand why some people wouldn't want those.
It'll be interesting to see how this works for us without the recovery option. It's a problem we're already very familiar with as new users sometimes find themselves having lost their secret key.
As with everything in 1Password, we'll assess how it's going and make changes accordingly. Nothing's ever written in stone.
Rick
0 -
@rickfillion I set up a pretty good fail safe for my Family account. When I get time and can put it into words, I’ll post it. I would have to lose a total of 6 devices for me to be locked out for good haha.
0 -
We'd love to hear about that @prime. :)
Rick
0 -
Guys, I appreciate the discussion but I feel my original thread got a bit hijacked now by @prime 's own story which should be a different topic imho.
@rickfillion @brenty as a bottom line of my original post I'd like to summarize that from my point of view:
1) A self-contained chain of trust / second factor (name it as you like it) solution similar to my Bank, Apple also Google, Facebook, etc. ( Login confirmation by App from a 2nd trusted device) would be very beneficial to increase security by still providing good usability
2) A sort of recovery mechanism that still has tbd should ideally be provided.Personally, I feel quite safe and comfortable with the Bank/Apple/Google/Facebook/... approach whereas I currently feel unnecessarily "open" with 1Password.
The provided totp approach does not make me happy as I don't want to setup another application with another 3rd party and synch, etc. Therefore I'd end up storing it in 1PW if I'd decide to use it which comes with the mentioned problems.This all doesn't have to be the mandatory standard for every user but having the option to use such a mechanism would be nice and would make me feel more safe.
Thanks for considering it.
0 -
@binaranomaly I only posted it here because @rickfillion wanted to see, and he can actually move it if needed. I do apologize, I didn’t want you to seem it was a hijack. It also showed how the trusted device set up isn’t perfect either. With my set up, if I lose all 3 of my devices, I can still get into my 1Password account because I shared my info in a shared vault that my wife has accesss too. With your idea, if I lose all 3 of my “trusted” devices, I am done. I know my idea won’t work with signal accounts, and maybe there is room for improvement foe the signal accounts. Heck, I can add the authenticatior on an old iPod Touch (or anything other device) than I can hide at home as a back up with this current set up if I wanted too.
Another great thing with my set up is now I have my TOTP in my login for my 1Password account on my login (starter kit) in 1Password itself. I log in (auto fill the info) then the TOTP is saved to my clipboard, I’m able to fill that in, and I am in my account. I didn’t even have to use the 3rd party app for this, my hands didn’t have to leave my keyboard, and I didn’t have to wait for the TOTP to pop up on my trusted device. It was a all a nice work flow.
Using a cell phone number is a horrible idea, so bad T-Mobile is telling it’s customers to put a PIN on their accounts. This is why having a cell phone number as a recovery is bad IMHO. Apple, Facebook, google, and I bet your bank too have cell numbers for their set up as a back up, and I do not like it for this reason. I posted here a while back how a YouTuber got hacked due the the flaw of a cell phone. Cell phones have no place for this, again in my option. I don’t remember what thread it was, I’ll see if I can find it, but it was probably over a year ago.
It’s sad when Snapchat had better than my bank. My daughter uses Snapchat and she set up 2 factor authentication, and you don’t have to have a cell number or recovery codes. It’s harder to get into Snapchat than my bank :(
If AgileBits does add this stuff, I hope people can opt out. I really love this set up now.
0 -
@prime it's ok that you like your approach and want to promote it. But for reasons I stated at the very beginning of the thread it's not what I would want to use and discuss. This is why I opened the thread in the fist place.
There's no flaw, I mentioned that a recovery option should be available, for the honestly rare but not impossible case this could happen. I didn't state what it has to be - this is a discussion of its own and this is also not the main discussion point since this is the exception case.
My main point is:
(Moving to the hosted 1Password service was a challenging decision for me. While it's very convenient I'm still only semi-comfortable with it because:)
I think setting up a new client/device is too easily possible. Leveraging a chain of trust by confirming new devices/logins from multiple devices/agents before a new client can become active is what I'd propose to mitigate it (alternatively to the existing totp solution that is not a real option for me even if it is for others).
If I keep feeling semi-comfortable, I may reconsider self-hosting it.0 -
We'll definitely be considering different approaches in the future. This is just a starting point.
I feel like I should make something clear though... In general (outside of 1Password), 2FA is seen as a way to protect against things like MITM attacks where someone can listen in on the wire. And that makes sense... it means that an attacker who can listen in on the wire won't be able to use the data they see on the wire to create a new authentication. Odds are that when they see the session info go back to a client they could use that to do as they please, but at least they can't create a brand new session. It "solves" the problem created by the fact that user's password is put into transit in the first place. There's nothing harmful about it, and it adds another layer to authentication.
By design, 1Password isn't vulnerable to any of that. Put someone in the middle of the connection listening to every byte sent back and forth, and they gain exactly nothing. It's difficult to overstate just how amazing Secure Remote Password is when it comes to this. I recently wrote about it on our blog.
We still see value in an additional factor, but we need to keep in mind that the attack vectors are completely different. SRP alone is far far stronger than any password based auth + 2FA where it all happens only protected by TLS.
Rick
0 -
The scenario I have in mind to protect from is much simpler:
Let's assume I have an unhappy day and someone gets hold of my 1PW Login credentials (Email - not really secret, key, password), rogue browser plugin, evil maid, malware, whatever...
As of today this person can login and compromise my account fully and immediately from anywhere with any client/device.
If I'd had to confirm from an independent device (better two) before the credentials can be used to access 1PW this would add a lot of difficulty to exploit this scenario.0 -
There's no flaw
I just posted how it could with the link from T-Mobile, so yes I disagree with you, there is a flaw in SMS (assuming your talking about a cell number being connected). I was going to attempt to look for that one post, but I have 788 posts... it will take a long time to look. SMS can also be intercepted and read by anyone, a cell phone SIM card can cloned as well. This is why it’s a flawed system.
More here:
Why SMS is bad for 2 step verificationThe scenario I have in mind to protect from is much simpler:
Let's assume I have an unhappy day and someone gets hold of my 1PW Login credentials (Email - not really secret, key, password), rogue browser plugin, evil maid, malware, whatever...
As of today this person can login and compromise my account fully and immediately from anywhere with any client/device.
If I'd had to confirm from an independent device (better two) before the credentials can be used to access 1PW this would add a lot of difficulty to exploit this scenario.How if you have 2FA turned on? Even with all 3, they still need the TOTP. Now an idea I would like is an email saying someone attempted to log into my account, so I can charge my master password and my secret key. Like a heads up that a failed attempt happened. So I guess this email idea is almost like what you’re requesting?
EDIT: Malware, someone has control over your computer, game over. Very little can help you at this point. They have access to everything and they don't need to set up anything at that point. Your idea actually won't work, because they have everything at that point.
An idea I do for the email. I actually use an email just I use just for 1Password. This way there is less of a chance of this email being out in the wild. I don’t ever use this email address for anything else at all. And it’s an alias on top of it, I can’t even use this email address to log into the email account itself. If I try I get “invalid email”.
0 -
@Prime I was never mentioning SMS. I talk of the 1PW Apps as 2FA. You may check how Google does it if that concept is new to you. https://support.google.com/accounts/answer/7026266?co=GENIE.Platform=iOS&hl=en&oco=1 Facebook, Apple, same same if you set it up.
I don't want to see a notification for a new login (reactive and too late since it already happened) that is existing anyway, I rather want to be able to approve a new login before it becomes active (pro-active explicit confirmation).
Recovery is a different discussion but personally I think it should consist of two distinct factors then it doesn't matter so much if one could theoretically be compromised. A combination of 2 of these (Email, SMS, Recovery code, U2F Key, ...) pragmatically thinking... whatever folks prefer.
0 -
@Prime I was never mentioning SMS. I talk of the 1PW Apps as 2FA. You may check how Google does it if that concept is new to you. https://support.google.com/accounts/answer/7026266?co=GENIE.Platform=iOS&hl=en&oco=1 Facebook, Apple, same same if you set it up.
I am very well aware of this, as I said before, it also requires you to put in a cell number as a back up. Facebook, google, and Apple require you to have a cell number as a back up, as it shows in step 3 of your link above:
0 -
@binaranomaly here is the Apple version, as you can see there are cell numbers as back ups. This is my Apple ID and I have 2 factor authentication turned on.
0 -
@Prime Sorry but done discussing with you. You miss the point of my thread since the beginning and get lost in your ever lasting rant against SMS. Over and out.
0 -
@prime, @binaranomaly: I've split prime 's post about his account recovery plan off into a separate discussion. I agree that it was a bit off topic, and I blame myself for rambling on a bit earlier. Sorry for steering you both wrong! I tend to get carried away. :blush:
Getting back on topic, I think that the takeaway is that it is hard to get everyone to agree on what's best, which is why we've been very conservative in our approach, first with no multifactor authentication with 1Password accounts (though Two-Secret Key Derivation has been there from the beginning), then with Duo authentication in beta until just recently, and finally today with the addition of two-factor authentication as well. Everyone's got different needs and use cases, so it's really helpful to get suggestions like these and hear multiple perspectives. Cheers! :)
0 -
@brenty Well summarized, thanks :)
Decided to use 2FA for now, of course stored in 1Password :-/
0 -
You're welcome, and likewise, thanks for the suggestion — and your passion! It isn't something we generally recommend (not because of security; 1Password is one of the most secure places you could put it) but so long as you always have one of your authorized devices available to you you'll be able to get the TOTP code when you need it. :sunglasses:
0 -
It isn't something we generally recommend
Thanks @brenty, I'm well aware of the undesired potential consequences. I mention it here to demonstrate that the currently available options force me into this somewhat unfortunate scenario.
Want: (Self-contained 1PW) 2FA for new device setup, recovery option
Do NOT want: Another piece of software, another device(s), another synch solution for 2FA0 -
Yep! Just want that there in case it benefits anyone else, just as your use case may. Anyway, it's something we'll continue to evaluate. Cheers! :) :+1:
0