Logging in to Google on an unrecognised device
I'm working away at convincing my wife to use strong passwords and 2FA. She popped me a "but what if" question that's got me stumped. Can someone help me please? The question is what one does if wanting to login to one's google account on a friend's computer or a library computer etc, if one's google account has one of those very strong passwords that 1PW creates.
We've got 2FA set up, including 1PW's OTP function, and yes we've also got a bunch of those backup codes. But if I understand correctly, the OTP or the backup code is entered after the main password. Is that correct? If so, doesn't that mean one would have to manually enter all 64 characters of the main password before getting to the OTP?
Does that mean one needs a shorter simpler password that might be less secure, on the basis that the 2FA will compensate for that? Or am I missing something?
A related question: could one get the OTP from 1PW on the phone? Or does that only work if logging in on the phone?
Thanks.
1Password Version: 7.0.4
Extension Version: Not Provided
OS Version: macOS 10.13.5
Sync Type: Not Provided
Comments
-
I'm working away at convincing my wife to use strong passwords and 2FA. She popped me a "but what if" question that's got me stumped. Can someone help me please? The question is what one does if wanting to login to one's google account on a friend's computer or a library computer etc, if one's google account has one of those very strong passwords that 1PW creates.
We've got 2FA set up, including 1PW's OTP function, and yes we've also got a bunch of those backup codes. But if I understand correctly, the OTP or the backup code is entered after the main password. Is that correct? If so, doesn't that mean one would have to manually enter all 64 characters of the main password before getting to the OTP?
Does that mean one needs a shorter simpler password that might be less secure, on the basis that the 2FA will compensate for that? Or am I missing something?
@Lance Lawton: Wow. That's a doozy! I'm really glad you asked though, because there are a few things here that are very relevant to 1Password users. I'll try to break it down as best I can, but please don't hesitate to ask for clarification, or any follow-up questions.
Other people's computers: To login or not to login
In short: Don't. You really don't know the situation on something like a library computer. Is there malware? Is there a hardware keylogger set up via USB? Using that would be a huge risk, so it isn't something we ever recommend doing. And while you can perhaps trust the friend, you can't really trust the friend's computer. Who knows what their security hygiene is like. And security-minded people are still just people and can make mistakes. Are you really comfortable counting on them -- or their families -- not having inadvertently compromised that machine? I wouldn't be.
But the reason I'm leaving some seemingly rhetorical questions in there is because ultimately it's your call. Perhaps there's an emergency that necessitates logging into a single account on an untrusted device. That's maybe a reasonable trade-off for you. After all, if you're using a unique password for that site, you can always change it afterward -- on your own device -- just in case. That can limit exposure. But it would have to be a matter of life and death for me to do that with my 1Password.com account.
Two-factor: What is it good for?
Now, when you bring two-factor authentication into the equation, that can change things slightly. Signing into an account in that case is slightly less scary, because it could prevent a replay attack, where someone captures your credentials to use later; the expired TOTP code would prevent that. But there's not much stopping someone in control of the system you're using to just use your login credentials and TOTP code as you enter them, and then present you an error or fake site while they access your account instead. So while Two-factor makes them work a bit harder, it's hardly a cure-all. So using a shorter, weaker password is not something we could recommend either. Two-factor is meant to add an extra layer of security, not weaken other layers.
Making passwords more secure and easier
This may seem a bit contradictory, but please don't discount my earlier comments. I did want to mention that there's a great way to have a strong password and type it too, when needed. I still would discourage the use case discussed above, but there are good reasons for using readable, memorable, typable passwords in some cases, and 1Password can help. If you select the "Words" option in the password generator, it can choose a number of words you specify at random. These will never be as strong as a random, character-based password of the same length, but using 4 or more words is very secure.
A good use case for these is for things like the Netflix password, because you're probably going to have to enter it on an awful TV or TV-box at some point. If you've got an Apple TV or something similar that lets you use your voice, that will help a lot. They're also useful when you know you're going to have to read something like the answer to a "security question" over the phone, or for things like iCloud, since you'll need to enter that password when setting up a new device, before you can get 1Password set up there. So while I'd still discourage you from accessing anything sensitive or important on an untrusted device, there are sometimes good reasons to use a human-friendly password.
A related question: could one get the OTP from 1PW on the phone? Or does that only work if logging in on the phone?
I'm not sure what you're asking here, and, more specifically, if you're referring to having two-factor authentication enabled on a 1Password.com account, or using 1Password to generate TOTP codes for another website's two-factor authentication. Let me know! :)
0 -
Wow. I'm honoured to provide a doozy ;). I'll need to digest the main part of that (I'm out at a friend's place so can't really now). But on a quick look it seems clear enough.
Re the last bit where I've got you puzzled ... What I mean is: Let's say I'm logging in on my dad's computer. I've entered the password and I'm at the OTP stage. I was wondering if I could then grab my phone, get into 1PW, open the login for my google account, read the OTP there, and then key it in on the computer.
0 -
Wow. I'm honoured to provide a doozy ;). I'll need to digest the main part of that (I'm out at a friend's place so can't really now). But on a quick look it seems clear enough.
@Lance Lawton: It's a really interesting topic! I enjoyed it. Thank you! :chuffed: And certainly if you have other thoughts later, let me know.
Re the last bit where I've got you puzzled ... What I mean is: Let's say I'm logging in on my dad's computer. I've entered the password and I'm at the OTP stage. I was wondering if I could then grab my phone, get into 1PW, open the login for my google account, read the OTP there, and then key it in on the computer.
Oh, absolutely! This is one of the things I use the mobile apps for the most. Often I'll just login to an account directly on my phone, but when I use a (trusted) computer where I don't have 1Password set up, I can easily grab my login credentials on my phone to type in. The Large Type option for the password field is really handy for this. Cheers! :)
0 -
Great! Well that's a big help anyway.
I've told my wife the story of what you said. She appreciated it, and is now pondering what she'll do in light thereof.
0 -
Glad to hear it! Be sure to let me know if you -- and any of your loved ones -- have any other questions. :chuffed:
0 -
Oh, it really is a doozy, @Lance Lawton!
As a matter of fact, I will be presenting a paper at the Workshop on Authentication at SOUPS (Symposium On Usable Privacy and Security) on misunderstandings of 2FA.
The most dangerous misunderstanding of 2FA is the notion that it makes it safe for you to deal with secrets on a compromised computer. It does not do that. Do not think that 2FA protects your secrets if you reveal those secrets on a compromised computer.
What 2FA is supposed to guarantee is that the authentication process remains secure as long as at least one authentication factor is uncompromised. And that is true. But it does nothing to protect you doing things beyond authentication on a compromised device. So while I understand how people make this mistake, it is a very dangerous one, and so I try to confront it at every opportunity.
0 -
Thanks for confronting it. Much appreciated.
btw - I bet it took some nerd a few hours to come up with SOUPS 😉
0 -
I'm sure they had fun with naming it. I should ask. It's been around for about 10 years now. It started out as a very informal thing, mostly centered at Carnegie Mellon University.
0