
Security: Secret Keys and 2FA

pmarcoen
Community Member

I use a password manager because of the added layer of security and so that in case I die my family can still access all my passwords.
The only concern here is putting all my eggs in one basket.
If someone has access to my 1password account, all my information is up for grabs.

The 1password security model, as I understand it, consists of the secret key and the master password.
When setting up the 1password application on my laptop I had to enter both of these.
This means that if there is some sort of keylogger or other malicious software on my laptop that I am not aware of, my account is now completely accessible to hackers.

One way to avoid this would be by using 2FA.
I see the only option here is using an authenticator app.
That is fine but suppose I die and my phone is destroyed (car crash for example), now my family is locked out of my account.
Other applications, like Dropbox for example, allow SMS as authentication and you can set an alternative phone number to send the codes to.
So, if my phone is destroyed I can just get a new phone with the same number. If I die, my family still has that alternative phone number that the codes can be sent to.
I know that SMS is not secure and can be compromised but that would require a targeted attack at me personally which is a lot less likely than some general malware floating around infecting everyone it can.

The feeling I get is that I have to compromise here: either I go really secure with an authenticator app but then my family is screwed when I die together with my phone, or I don't use 2FA and all my personal data, passwords, credit card info etc. are at risk when a simple piece of malware infects one of my devices.

What are your thoughts on this? Is there anything I'm missing? Am I being paranoid? :blush:


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Ben

    Hi @pmarcoen

    The way I handle this is to have my credentials for the email account I use for 1Password stored securely where my family can find them in such an event. They are part of a 1Password Families membership with me, and once they have access to that email account could perform recovery on my 1Password account to gain access:

    Recover accounts for family or team members

    I hope that helps!

    Ben

  • pmarcoen
    Community Member

    I don't have a family account (still on the evaluation period) but even if I did, suppose I take my family on a holiday and the car crashes.
    Now my data is still not accessible to others I might want to leave it to (parents, friends, ...).

    The Emergency Kit is great because I can print it and give it to several people in case I die.
    I leave a copy with my parents and one with my closest friends.
    However, if I use 2FA this becomes useless because the Emergency Kit alone will not be enough, they will need my phone which may be lost too.

    Is there any sort of recovery option for when my 2FA device is inaccessible? Assuming other devices I am logged into are not accessible either.
    This does not seem that improbable, all my devices require my biometrics to unlock so if I die the 2FA option will assure nobody can ever access my account.

    I'm loving 1password thus far but I hate that I need to compromise here: either very secure but lost if something happens to me or everything is exposed by even the simplest of malware (I once had to write a keylogger for a legitimate business need and it's crazy how easy this is).

  • AGAlumB
    1Password Alumni
    edited May 2018

    @pmarcoen: Unfortunately the best solution is going to vary from person to person. But arguably if you know you're going on a trip with everyone in your family it's a good time to leave instructions with someone outside of your family in case you all meet an unfortunate end.

    It's generally a good idea to leave this sort of information with your executor or attorney, or accessible in a safe deposit box that the responsible party would be able to get to with a court order upon your passing.

    However, if I use 2FA this becomes useless because the Emergency Kit alone will not be enough, they will need my phone which may be lost too.

    Regarding two-factor authentication, it sounds like you're assuming that 1Password uses SMS for this. It does not, as that isn't a secure channel. It uses TOTP. So when you save the TOTP secret in an authenticator app (these are available on a number of platforms, and in browsers), you can and should back that up as well.

    Is there any sort of recovery option for when my 2FA device is inaccessible? Assuming other devices I am logged into are not accessible either.

    A "recovery" option not only introduces a potential security hole (either by allowing a "reset" or using static "recovery codes"), it's completely unnecessary, as you can save the TOTP secret itself.

    This does not seem that improbable, all my devices require my biometrics to unlock so if I die the 2FA option will assure nobody can ever access my account.

    That's a really good point. Either you're ensuring that no one can ever access your account if someone happens to you, or you're taking measures to ensure that those who would need to in your absence can. You can't have it both ways.

    I'm loving 1password thus far but I hate that I need to compromise here: either very secure but lost if something happens to me or everything is exposed by even the simplest of malware (I once had to write a keylogger for a legitimate business need and it's crazy how easy this is).

    This isn't a 1Password problem, or even a technological one. The same holds true if you keep a spare key somewhere: it could be found; the trick is ensuring that it will only be found by the right people.

  • pmarcoen
    Community Member

    @brenty I'm not that familiar with authenticator apps so maybe I'm mistaken here.

    A "recovery" option not only introduces a potential security hole (either by allowing a "reset" or using static "recovery codes"), it's completely unnecessary, as you can save the TOTP secret itself.

    Does this mean that I can somehow set this up so that if I die my family can download some 2FA datafile and using a password (that I can write down on the Emergency Kit) they can then generate 2FA keys to sign into my account?
    If so, how would you go about this? Where would you store this datafile?

    I'm quite concerned about using 1Password without 2FA. I just tested a very basic keylogger I wrote a while back and it logs my master password without the user knowing anything. This program is about 100 lines of code and can be compiled to a .exe file.
    If I email this to you and you double-click it, when you set up a new instance of 1Password where you are forced to enter the secret key, then your 1Password account is now completely open to me.

    I know 1Password does not support SMS as authentication, however if SMS was an option I could set an alternative phone number (or several) to allow family members to still recover my account if something happens to me. This is a lot harder when using an authenticator app.

    I know SMS isn't secure but it does assure that when a virus captures my secret key and password my account is still not accessible.
    Sure, a highly motivated and highly skilled hacker that is specifically targeting me could still gain access but the chances of this happening are exponentially lower than with everyday viruses.
    This is the compromise I am talking about, you either make it fairly easy to hack my 1Password account (simple virus) or you make it very complex for others to recover my account (authenticator app), a middle ground here would be SMS: the virus alone is not harmful and my account can still be easily recovered.

  • AGAlumB
    1Password Alumni

    I'm not that familiar with authenticator apps so maybe I'm mistaken here.

    @pmarcoen: Admittedly, TOTP stuff is a bit confusing, but it's nice because it's an open standard.

    Does this mean that I can somehow set this up so that if I die my family can download some 2FA datafile and using a password (that I can write down on the Emergency Kit) they can then generate 2FA keys to sign into my account? If so, how would you go about this? Where would you store this datafile?

    There's a good discussion about this here.

    Your family will not be able to access your TOTP secret without access to your account unless you save it in advance and provide it to them. This is shown as a text code when you set up two-factor authentication along with a QR code for scanning:

    Either of these can be used to generate a one-time password using an authenticator app. So, provided you've planned ahead, your family could do that as well.

    I'm quite concerned about using 1Password without 2FA. I just tested a very basic keylogger I wrote a while back and it logs my master password without the user knowing anything. This program is about 100 lines of code and can be compiled to a .exe file. If I email this to you and you double-click it, when you set up a new instance of 1Password where you are forced to enter the secret key, then your 1Password account is now completely open to me.

    The problem is that nothing can protect you on a system that is compromised, and believing that you will be okay in that scenario puts you at even greater risk. We don't claim that 2FA can help you in that scenario, because it cannot: you're giving someone your account credentials, and they can just as easily ask you for the one-time password and use that as well.

    I know 1Password does not support SMS as authentication, however if SMS was an option I could set an alternative phone number (or several) to allow family members to still recover my account if something happens to me. This is a lot harder when using an authenticator app.

    You can set up authenticator apps on as many devices as you want. You could even turn one off and store it with your Emergency Kit, though that seems like overkill. Any app that supports the TOTP standard will be able to generate valid codes using the TOTP secret and the correct date/time.

    I know SMS isn't secure but it does assure that when a virus captures my secret key and password my account is still not accessible. Sure, a highly motivated and highly skilled hacker that is specifically targeting me could still gain access but the chances of this happening are exponentially lower than with everyday viruses.

    We really need to worry about the skilled attackers, not the inept ones. Only ever enter your 1Password.com account credentials into the 1Password.com website or apps.

    This is the compromise I am talking about, you either make it fairly easy to hack my 1Password account (simple virus) or you make it very complex for others to recover my account (authenticator app), a middle ground here would be SMS: the virus alone is not harmful and my account can still be easily recovered.

    SMS is 1) well-known to be insecure (it is very old and not at all designed with security in mind) and 2) not two-factor authentication, but rather two-step. You're talking about two-step authentication, not a second factor. It can be encrypted, but the encryption is old and weak; and the encryption can be bypassed entirely by spoofing your device and/or socially engineering your provider to activate another (never mind that government agencies have access to their systems). We have no plans to support SMS in 1Password. It's really fairly straightforward to back up the TOTP secret along with your other account credentials, so that's what we recommend.

  • pmarcoen
    Community Member

    @brenty Thank you very much! Your answer was very helpful.
    I didn't realize that TOTP is an open standard and that all it took was a secret.

    What I did now was print this screen as well and attached it to my emergency kit.
    I just tried uninstalling 1Password on my mobile and re-installing it using only the information I printed (Emergency Kit + 2FA secret) and it works!

    I do agree with the people in the other discussion that this should be part of the emergency kit. What good is an emergency kit if you don't have the 2FA code anyway? :blush:

  • AGAlumB
    1Password Alumni

    Thank you very much! Your answer was very helpful. I didn't realize that TOTP is an open standard and that all it took was a secret.

    @pmarcoen: You're welcome! And yeah, TOTP is pretty cool! :sunglasses: :+1:

    What I did now was print this screen as well and attached it to my emergency kit.

    Normally I would recommend against that...but the 1Password.com TOTP secret is mercifully readable. Some sites have really crazy codes that I would prefer to copy and paste. :lol:

    I just tried uninstalling 1Password on my mobile and re-installing it using only the information I printed (Emergency Kit + 2FA secret) and it works!

    Awesome! Indeed, gotta test your backups beforehand to save any surprises later. :chuffed:

    I do agree with the people in the other discussion that this should be part of the emergency kit. What good is an emergency kit if you don't have the 2FA code anyway? :blush:

    The vast majority of 1Password.com users don't have it, so it would be pretty confusing for them. And many who do really do not want to keep these together. You'll note that I didn't suggest that you do! It's really a personal decision, but we'll see if we can offer more guidance in the future. Thanks for the feedback! :)

  • pmarcoen
    Community Member

    @brenty Yes I understand but perhaps, if you have enabled 2FA, when you click "Generate Emergency Kit" it could ask whether you want to include the 2FA secret or not?
    Best of both worlds and all that :)

  • AGAlumB
    1Password Alumni

    @pmarcoen: Well...you should really already have the Emergency Kit saved at that point, so I'm not sure what the solution is. A lot of people will say, "Forget it! I already have that; I don't need another one!" We need to make this clear somehow, but most people don't read it if we just put a message there... :(
