Question about 2FA and 1P
Comments
-
Sorry, I meant to clarify: an oversight from an educational standpoint.
@jadchaar: I agree with you completely on that point. We can do better. :)
What I envision for the emergency kit is a field reminiscent of what you guys do for the Master Password. Put a blank area that says "2FA Backup" and let the user fill it out. Make the section clear that it is only for users that have two-factor authentication enabled. Or prompt a user to redownload their emergency kit when 2FA is enabled.
I think there are really good reasons not to handle it that way, but it's something we'll continue to evaluate.
I just really worry for regular users who are less knowledgeable who enable 2FA and do not write down the backup, but want the extra layer of security that comes with 2FA. Many people don't think about transitioning their 2FA codes (e.g., Google Authenticator or Duo) when changing phones or devices. It is sadly not as easy as syncing contacts with the cloud and just having it magically reappear.
You're totally right. I'm not sure what the ultimate solution is, but we'll work on it.
My two cents: I think you guys should REALLY make it clear that they need the secret code in case they get locked out. I think the best way to do this is by adding a blank field to the emergency kit. I think this is definitely doable and makes sense. Else, you guys should disable it for users without a teams, family, or business account and go back to the drawing board.
To be clear, this feature is disabled for everyone unless they go out of their way to enable it. But I think we should add some additional information there at that time.
Apologies for sounding like a broken record, but I have had some unrecoverable issues with 2FA that I do not want others to have, especially with something as critical as 1P.
No worries. This is important stuff. I'm sure I sound like a broken record too, but I'm glad we all care about this. That's what's going to make 1Password better. :)
0 -
:+1: :)
Ben
0 -
IMHO it should be called 3FA :) Because we already have the master password and secret key.
0 -
I can't say I disagree. But from a marketing perspective that would probably be confusing. :lol:
0 -
@brenty Good point yes. Then maybe something like "2FA+" or "2FA Pro"? Just kidding ;)
0 -
Ultra Super Factor Alpha ++ :lol: :+1:
0 -
Hi
@JasperP How can I view the "secret code" again if I have already enabled two-factor authentication?
Thank you in advance.
0 -
I just redid my 2FA yesterday. I went in, turned it off, and turned back on. This way I got the secret code and it’s now saved in my starter kit.
I’m pretty sure the only way to get the secret code is to redo it. Unless someone at AgileBits knows another way. Yes, it’s a pain to redo it, but now that you have the secret code, you shouldn’t have to redo it again because you now have it. Even when getting a new device, you can add the secret code and not have to redo everything.
0 -
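The reason the saved secret is all you need on a new device, as an added example (not 1Password's or any authenticator app's code): every TOTP app derives its codes from the same shared secret using RFC 6238, so two devices enrolled with that secret produce identical codes, and nothing else from the old device is needed. The base32 secret below is the RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded the way
# authenticator apps receive it in a QR code or "secret code" field.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for a base32-encoded shared secret."""
    # Pad to a multiple of 8 chars; apps usually show the secret unpadded.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    # The moving factor is the number of 30-second steps since the epoch.
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks the offset.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + d * 30), code)
        for d in range(-window, window + 1)
    )


def same_code_on_two_devices(secret_b32: str, unix_time: int) -> bool:
    """Two devices enrolled with the same secret agree, with no other state."""
    old_phone = totp(secret_b32, unix_time)
    new_phone = totp(secret_b32, unix_time)
    return old_phone == new_phone


if __name__ == "__main__":
    print(totp(TEST_SECRET_B32, 59))  # RFC 6238 vector: 287082
    print(same_code_on_two_devices(TEST_SECRET_B32, 1234567890))
```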
@prime, @luisalejandro_cc: You can also get the secret from the app you're using to generate the TOTP code, can you not?
0 -
Ah, interesting. I've never used Microsoft's, and I didn't realize that Authy deletion worked that way. Thank you!
0 -
@brenty it’s a fail safe for them. I could have used it now, but I like to be extra careful.
Authy emailed me back and the only way you can sync across devices with their app is to use the backup. I like that. I won’t use the backup, I just don’t feel right about it. So if someone gets my cell number, they won’t get anything from it with Authy if I don’t use the backup feature. It is to recover your account, but it starts as new (nothing on the app) if you don’t back it up. If that makes sense.
0 -
You can also get the secret from the app you're using to generate the TOTP code, can you not?
I’m using the Duo Mobile App (but not the Duo Security part; just regular TOTP). This App does not give access to the codes once they are added.
They won’t even be restored; not even in the case of encrypted backups...
0 -
I’m using the Duo Mobile App (but not the Duo Security part; just regular TOTP). This App does not give access to the codes once they are added.
They won’t even be restored; not even in the case of encrypted backups...I might have to check them out. Thanks for the info.
0 -
-
I cannot see it. I’m using Authy. I think the only way to see it again is the way @prime explains: turn it off and turn it back on. Maybe the 1Password team can improve this in a future update?
@luisalejandro_cc: Indeed, I think Prime's suggestion is best for now. We don't make Authy though, so that's not something we have control over. I can't find it either now, but I could have sworn there was a way to get it there.
Anyway, as far as 1Password.com itself, it's something we can consider. But I think there's something to be said for not being able to grab the TOTP secret from within the website once it's set up. I'm not sure which is the best way to go. We'll continue to evaluate the options. Cheers! :)
0 -
I’m using the Duo Mobile App (but not the Duo Security part; just regular TOTP). This App does not give access to the codes once they are added. They won’t even be restored; not even in the case of encrypted backups...
@XIII: Good to know! I completely forgot about that too since I just set up the app long ago and never actually open it; I just get the push when needed.
0 -
it’s a fail safe for them. I could have used it now, but I like to be extra careful. Authy emailed me back and the only way you can sync across devices with their app is to use the backup. I like that. I won’t use the backup, I just don’t feel right about it. So if someone gets my cell number, they won’t get anything from it with Authy if I don’t use the backup feature. It is to recover your account, but it starts as new (nothing on the app) if you don’t back it up. If that makes sense.
@prime: Totally. I think that's a reasonable precaution.
0 -
Let me try to understand.
If I lost my 2FA I can still access my password. It's not asked anyway. But I cannot sign in on a new device. Is that true?
0 -
Correct. Once a device is authorized you won’t be asked for a TOTP code again on that device unless / until that authorization is cleared.
Ben
0 -
Any new plans on having a 2FA option added on all logins (not just new devices or once a day with DUO) at some point?... please :) I know we discussed this at great length before and we agreed to disagree over it. I have to leave my work passwords in LastPass because of this and my personal ones in 1PW. I'm getting ready to bring my family into using a password manager and it would be great having it all in one spot.
Also I just noticed that my 1PW Teams account (trial) on Windows is not prompting for DUO 2FA once a day. It's working for the web page. Is this normal? I know a few months ago it just let me bypass the DUO push. Was hoping this was fixed but now it's not prompting.
0 -
Any new plans on having a 2FA option added on all logins (not just new devices or once a day with DUO) at some point?... please :)
@Murphdog: No. Not unless we get overwhelming feedback that customers do not want to be able to access their data offline.
Also I just noticed that my 1PW Teams account (trial) on Windows is not prompting for DUO 2FA once a day. It's working for the web page. Is this normal? I know a few months ago it just let me bypass the DUO push. Was hoping this was fixed but now it's not prompting.
I think you may just be confused that you don't need to "login" to anything to access encrypted data that's stored locally on your device. That's expected. Certainly, you may want to restrict yourself to accessing your data only online, and only after authenticating each time, but that's not the expectation of most users. And since 1Password's security is fundamentally based on encryption rather than mere authentication (which could allow for a login exploit to net user data, as in the case with Facebook), we're able to allow offline access without compromising security, since the data can only be decrypted with the correct Master Password.
0