
Policy for Two-Factor Authentication Removal

bug
Community Member
edited October 2018 in Memberships

What is the policy for removal of two-factor authentication in case of a lost/damaged two-factor device/token for individual 1Password accounts? From what I understand, cryptographically there's nothing that would prevent the user from regaining access to their account and data (provided they know their secret key and master password) once support removes the two-factor auth requirement.



Comments

  • Hi @bug

    You are correct that the TOTP code is not used in the encryption process. Are you in a position where you need the TOTP protection removed from your account? If so, please email us at support+forum@1password.com and then post the support ID you receive back here so I can put you in touch with our security team.

    As for the process... there is an account verification that must be completed via email that involves answering questions specific to your account.

    Ben

  • bug
    Community Member

    Thanks @Ben. I'm just trying to figure out the scenarios in which using two-factor auth for 1PW makes sense at all, and whether adding it increases the risk of permanently losing access to the account's data.

  • "and whether adding it increases the risk of permanently losing access to the account's data."

    Objectively yes: it does. TOTP does protect against some attack vectors but it definitely is not the silver bullet that some think it is, nor is it an excuse to use a weak password.

    Ben

This discussion has been closed.