1Password should support multiple 2fa devices and/or backup codes
First, thank you very much for adding 2fa support to 1Password online accounts (https://support.1password.com/two-factor-authentication/). I am concerned about account lock-out without a backup authenticator or backup codes. Would it be possible to add support for multiple authenticators and backup codes?
Comments
@rinon - we've already got Duo as well as our own multi-factor authentication. I don't think we'll be adding support for many more options, but I can certainly pass along your suggestion. If you have your 1Password.com account added to any of our native apps (Mac, Windows, iOS or Android), you won't be "locked out" of your account even if you do experience some mishap with multi-factor authenticators/codes/devices. In a worst-case scenario, all you'd lose is (temporary) access to 1Password on the web, but your actual data would remain available to you within whatever apps (or other browsers) you'd already signed in from.
I didn't mean to ask for an additional authentication mechanism, just that we have some way of having a backup for the existing authentication mechanisms. I understand that local copies will still be available, but it seems problematic to have any way to recover access to the online account without the 2FA token. Do you mean that I would have to reset my online account and re-sync the local copy with it?
@rinon: No. It may be possible to disable two-factor authentication on the account, depending on what you have to work with.
But let's not let it come to that, as it's not something you should count on. With great power comes responsibility, and you should be perfectly capable of implementing a fallback plan that works for you. There are a number of possible backup mechanisms you can choose (or not) to use:
- Save your TOTP secret somewhere else.
- Set up multiple devices as authenticators for this purpose — you could even use an old phone without internet, turn it off, and stick it in a drawer for emergencies.
- Be creative and do something else that makes sense for you.
We don't currently have plans to offer "backup codes" because those never expire and can be stolen and used at any time in the future. Sort of negates the security benefit of using Time-Based One-Time Passwords as the second factor.
Hi, I was hoping to set up two different 2fa methods to help ensure I don't accidentally lock myself out of 1Password. For instance, I'd like to use an authenticator app primarily, as well as to use my YubiKey (or perhaps even two of them) as a backup second factor. Correct me if I'm wrong, but it looks like I can only set up one second factor at a time, or at least I'm not seeing the option to add another within the 2fa section of my profile on the website. Is this something that's supported, and if not, are there any plans to add this?
Thanks for the great product!
@SleepySlug: Hey, thanks for your support! I'm glad you asked about this. You can actually set up as many devices/apps, whatever, to generate your two-factor code as you can afford! Your 1Password account just gives you a TOTP secret / QR code to use for that, as many times as you wish, as it doesn't "expire" or anything. It isn't tied to a specific authenticator app, hardware token, etc. You could add it to Authy, Google Authenticator, (a) YubiKey(s) (plural) -- whatever you want. It never hurts to have a backup. :)
@brenty thanks for the response! I finally understand, and have been able to configure both an app and a YubiKey by simultaneously setting them up when 1Password first shows me the TOTP secret / QR code. I think my confusion was that I expected to be able to go through this flow several times in succession to add each additional second factor, and I was stymied by the fact that the UI appears to give me zero ability to set up an additional factor once it's enabled, or even to re-display my existing TOTP secret.
I'd still like to add an additional device, actually. If I didn't happen to save the TOTP secret, do I need to disable, re-enable, and set up every single device (plus one) again? If so, I think some additional explanation directly in the UI would be extremely clarifying, e.g. "Save this TOTP secret if you want to set up multiple devices, as you won't be able to access this again after this point."
@SleepySlug: You're welcome! Indeed, there isn't anything about TOTP that prevents using it to generate codes in multiple places -- it's just an algorithm to use the current time and the secret to create successive one-time use passwords that expire.
If you don't have access to the TOTP secret anymore, then yes, you'd need to disable it in your account and re-enable it to get a new one. But I'd be surprised if none of the authenticator apps/devices you're using allow you to view the TOTP secret stored there. They have to have it, after all, or they wouldn't be able to generate the code for you.