Safely converting old login entries to use one-time passwords
I started listening to the new 1PW podcast, and they talked about the OTP feature in 1PW and how the legacy user base has not adopted newer features. I'm definitely in this bucket. I've known this OTP feature exists in 1PW, but I just don't understand the how of using OTP in 1PW. Also, as an early adopter of two factor authentication, I have a ton of old logins that have 2FA enabled, and I've just been dealing with manually entering the one time codes from either Google Auth or VIP Access app during logging in. Given the relative importance of the services protected by 2FA, I don't want to change to the authentication for these services, without 100% confidence I understand what I am doing.
Do you have tutorials for setting up a new login with the OTP feature? How about a tutorial for updating legacy logins? Like how do I get the QR codes for the items long ago added in Google Auth into 1PW so that the code generation is in sync?
1Password Version: 6.8.9
Extension Version: Not Provided
OS Version: OSX 10.13.6
Sync Type: Dropbox
Comments
-
@Superfandominatrix - yep! I'm not sure I'd call it a tutorial, but we definitely have a well-documented support page for using 1Password for your TOTP needs.
0 -
@lars thank you! I will look at it for a couple of low importance sites that I have that don't already have 2fa turned on. About once a year or so, I review https://twofactorauth.org/ for new additions.
Where I am fuzzy, and why I've stayed away from 1Password's OTP til now, is for sites where 2 factor is already turned on.
Is there support page or good youtube video that describes how to deal with the cases where 2fa is already turned on?
0 -
@Superfandominatrix - I don't have any specific YT videos, no, but here’s an article written a while back by a former co-worker regarding making the switch. It's pretty thorough and most of it is still relevant -- the important parts, anyway.
0 -
@Lars oh, that's helpful.
If the already-2fa-enabled accounts have no way of showing the original QR code used during the initial set up, the work flow for setting up 1Password OTP appears to be:
- disable 2fa in site
- delete old token from Google Auth / Authy
- create OTP field in 1Password then launch the QR code reader
- return to site
- reenable 2fa with new QR code
- read QR code into 1Password
- (optional) read QR code into Google Auth/ Authy
- confirm the codes are in sync
- enter code into website, note recovery codes if any.
Final question, is there any way to integrate the VIP Access token into 1Password?
0 -
@Superfandominatrix - I'm not sure. What's a VIP access token? :)
0 -
@lars It's another token generation app, equivalent to Google Authenticator, although I don't think it is initially configured by QR code. I set this up eons ago and my memory is a bit hazy, but I think it might be configured by credential ID. Here's a link to the application.
https://itunes.apple.com/us/app/vip-access-for-iphone/id307658513?mt=8
I use VIP Access tokens with usaa.com. Their 2fa implementation requires log in with two pieces of information, a user ID and password, where the password is a concatenated short static pincode + the code generated in VIP Access.
0 -
If the other authenticator app doesn't provide a way to access the secret that's used to seed the number generator, or access to the QR code, or you didn't save off the QR code or secret when you set up the 2FA then its pretty likely that you would need to log into that account and re-setup 2FA (i.e. turn it off and on again) in order to be able to set it up again.
I typically save a screenshot of the QR code and attach it to the item in 1Password so i can create backup-authenticators on other devices if need be.
0 -
@rudy @lars if memory serves, the secret code in VIP Access is the credential ID inside the VIP Access app. This app is provided by Symantec, so the credential is probably a part of a larger 2-factor security implementation using Symantec technology for USAA.
Does 1Password OTP support Symantec credentials? If 1Pw does support Symantec, how should I provide the Symantec credential ID into an 1pw OTP field?
0 -
@Superfandominatrix: No. 1Password supports the open TOTP standard, and they seem to be using something proprietary. You may be able to get it to work, but since it's something that neither they nor 1Password supports and could break at any time I'd recommend against it for anything you care about. I apologize if that sounds harsh, but getting locked out of something important would be very bad.
0 -
@brenty Not harsh at all! Thank you so much for following up.
I finally am comfortable with the OTP feature. The great part about it is that while I will be / am paranoid about losing my phone, I can be fractionally less paranoid about it now. Since the QR codes can be scanned into both the 1Password desktop app AND the Google Authenticator app with the two devices' codes perfectly in sync, lose the computer/mac, I have the phone for OTP code generator back up. Lose the phone, the computer / mac is the OTP generator back up.
What would be cool as a feature add on is the ability for 1PW to automatically store the QR code along with the OTP code generation for cases like if I have my computer / mac but I've lost my phone and need to set up Google Auth again. If 1PW kept the QR code, would not need to make changes to the accounts if I needed to set up a new phone / authenticator. Somebody suggested capturing the QR code in one of my raised support tickets, but by the time I had read that recommendation, I had already blasted through most of the 2fa protected accounts without manually saving anything.
0 -
What would be cool as a feature add on is the ability for 1PW to automatically store the QR code along with the OTP code generation
It's an interesting idea; certainly something we can look into. :)
0 -
@Superfandominatrix: You can always disable two-factor and set it up again, and save the QR code and/or TOTP secret. While I don't think you were under this impression, I have seen comments by others recently who seem to believe that this can only be setup on a single device. You can certainly have multiple devices setup to generate the authenticator code -- though I'm not sure everyone has as many extras lying around that some of us do! :lol:
0 -
@rudy this week, my phone hardware failed, and I came away from the event with a new-to-me phone. I had a fresh phone image back up (2 days old) but the restoration nuked all the one time password set up in Google Authenticator. I had not been able to take your Oct 2018 advice to save the QR codes when setting up the OTP, so I feared the worst case scenario: having to reset each site's two factor settings to restore 2fa from 1Password on the computer and Google Authenticator on my phone.
The good news the worst case is avoidable. I appear to be able to extract the OTP secret key out of 1Password's OTP field, and then manually set up the OTP in my new phone's Google Authenticator app. Edit the OTP entry > copy the entire OTP field text > paste into the notes field > find the manual key inside the OTP configuration string > paste that into Google Authenticator manual entry field. The manual key appears between "secret=" and "&issuer=" in the later half of the configuration string.
Not as clean as proactively saving the secret keys, but this method is going to allow me to save the secret key in a 1pw field, recover Google Authenticator, without having to reset 2fa on each service.
0 -
Indeed, if you've got your TOTP secret saved in 1Password, you can edit the item to copy that string again. We want 1Password to not be destructive so you can get out what you put into it, and while I'd wager it isn't something people need to do often, this is an example of why that's important. I'm glad that helped you. :)
0