Security Web Login

funzyl
Community Member

Hey there,

I’m thinking about switching to 1Password for Families now that 1Password 7 is out.

I’m wondering though whether I’m going to give up a bit of security in order to do that. Currently, my data is stored in iCloud, which means an attacker would need my AppleID Password, my Apple 2FA-code and my 1Password Master Password in order to access my data.

If someone got hold of my 1Password account password, he could then access my Secret Key on the website (as outlined here: https://support.1password.com/secret-key/#find-your-secret-key-in-the-1password-apps), but he’d still need my Master Password (account and master password are not the same, right?). So there would be only two layers of security instead of the three (AppleID-password, Apple 2FA, Master Password) I have now.

Is my assumption correct or did I miss something?

Kind Regards
funzyl

Comments

  • danco
    Volunteer Moderator

    Not really. You can find the Secret Key if you are already signed in to the account. But you can't sign in on a NEW device (which is presumably what an attacker would be doing) without knowing both the Secret Key and the Master Password.

    Also you can set up 2FA on 1PW7. That can be dangerous, though, as there isn't a recovery option from the 2FA.

  • roustem

    Thank you for answering the question, @danco!

    You are absolutely right, the Secret Key is never sent to the website. It is always stored locally.

  • frec9_piet_ac_orr_yk
    Community Member

    I do not know much about 2FA, so bear with me for further clarification. If it is dangerous to use 2FA to log in to 1Password (I understand that 1Password contains all your login credentials and other important information), then in principle why wouldn't the same argument apply to any 2FA-enabled site or app?

  • Ben
    edited May 2018

    Hi @frec9_piet_ac_orr_yk

    It sounds like we may have caused more confusion than we fixed. I don’t think anybody is saying 2FA is dangerous, though it can provide a false sense of security, and it doesn’t actually protect against many of the threats people have been led to believe it does. And also we do actually offer the ability to use 2FA (TOTP) with 1Password memberships now and Duo MFA with some levels of membership.

    The argument has always been that authentication (which is the A in two-factor authentication) isn’t the strongest part of what protects your 1Password data. Encryption rather than authentication is the primary protection for your 1Password data. The real basic rundown:

    Authentication

    I have a secret. In order to get it from me, you must know a password. I get to choose whether you see the secret or not. It may be possible to convince me to let you view the secret without providing me with the correct password. You could also hit me over the head with a wrench and take the secret. I’m the only thing protecting it.

    Two-factor authentication

    All of the above still applies, but now in order to get the secret from me you must prove yourself by telling me the password as well as proving to me that you have the key. You can still beat me with a wrench and take the secret.

    Encryption

    I don’t know the secret. The secret is stored jumbled. The only way to un-jumble it is to know a password, which can mathematically turn the jumbled secret into the un-jumbled secret. Math is protecting the secret. Even if you beat me over the head with a wrench, you may be able to obtain the jumbled secret, but you’re still no closer to un-jumbling it.

    This is an extreme simplification, but it may help you understand the difference. If you’re really curious, there are better resources than my extreme simplification to better explain these topics. :)

    Ben
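Ben's authentication-versus-encryption picture, together with danco's and roustem's point that the Secret Key stays on the device and is combined with the Master Password, as an added Python model. This is a constructed illustration, not 1Password's code: the key derivation, the HMAC-based stream cipher, the iteration count and every sample value are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # constructed parameter, not 1Password's real settings

def derive_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    # Mix both secrets into one key so that neither alone suffices (toy scheme)
    material = (secret_key + "\x00" + master_password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stream cipher for the demo
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()  # catches wrong key or tampering
    return nonce + ct + tag

def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def compare_models(master_password: str = "correct horse", secret_key: str = "A3-EXAMPLE") -> dict:
    secret = b"bank login: hunter2"  # constructed sample vault content
    salt = b"constructed-salt"
    # Authentication model: the server checks a password but stores the plaintext itself,
    # so compromising the server (Ben's wrench) hands over the secret directly.
    auth_server_storage = secret
    # Encryption model: the server stores only the vault encrypted under a key derived
    # from both the Master Password and the Secret Key (which never leaves the device).
    key = derive_key(master_password, secret_key, salt)
    enc_server_storage = encrypt_vault(key, secret)
    try:  # someone who learned the Master Password but not the Secret Key
        decrypt_vault(derive_key(master_password, "WRONG-KEY", salt), enc_server_storage)
        password_alone_decrypts = True
    except ValueError:
        password_alone_decrypts = False
    return {
        "auth_breach_reveals_secret": auth_server_storage == secret,
        "enc_breach_reveals_secret": enc_server_storage == secret,
        "both_secrets_decrypt": decrypt_vault(key, enc_server_storage) == secret,
        "password_alone_decrypts": password_alone_decrypts,
    }
```

Running `compare_models()` shows the asymmetry Ben describes: a breach of the authentication-only holder yields the secret, while a breach of the encrypted-vault holder yields ciphertext that the Master Password alone cannot open.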

  • danco
    Volunteer Moderator

    @frec9_piet_ac_orr_yk When I said that using 2FA on 1PW itself could be dangerous I wasn't implying that it was insecure in any way. Rather, I was concerned that it is too secure. If all your devices were lost, stolen, or destroyed, it might well be that the code for 2FA was not stored anywhere, in which case you would not be able to get back into the account.

    It is true that the same could apply to the Secret Key, but there you are prompted, when setting up the account, to print out the Emergency Kit.

  • AGAlumB
    1Password Alumni

    Indeed, after many people asked us for this feature, the question I hear most about it since it's been released is what happens if they lose their two-factor TOTP secret. Definitely back that up like you would any of your other account credentials, as it is necessary to access your account.

  • funzyl
    Community Member

    Thank you very much for explaining! I do feel more confident now about the 1Password Accounts and I have already started my free trial. :)

  • Ben

    Excellent. :) Please let us know how it goes.

    Ben
