Can 2FA be added to protect the master password?

tradeski
tradeski
Community Member

1Password is great and my family uses it for everything. My problem, however, is that if someone finds out our master password (e.g. via a keyboard logger), I'm toast!

So, I'd like to be able to add 2FA to unlock 1Password. i.e. A separate app on my phone would provide a 1-time password that would be required in addition to the master password (maybe not all the time, but after a reboot, on a new device, etc). Is this possible? If not, please consider this a feature request!

On a similar theme, it's nice that 1Password supports 1-time passwords... BUT, if I'm trying to add an extra layer of protection for accounts in case someone has obtained my master password, having both the 1-time password and account password held in the same place is a problem. I can, and do, use third-party authenticators to get around this problem. However, it would be great if there was a separate 1Password Authenticator app on my phone that could provide the 1-time password - especially if prompted to do so via a push message from the desktop browser plugin... (feature request #2).

Cheers!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:2FA

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @tradeski: First and foremost, when you're using 1Password locally on your device, there is no authentication happening. 1Password's security is based on encryption, not authentication. So unless you and everyone else want us to change that, and require that you be online in order to access your 1Password data, requiring a new sign in each time, having two-factor authentication to unlock is not going to happen, as there can be no authentication at all otherwise.

    We also have no plans to make a separate "authenticator" app. That wouldn't offer any real security benefit if you're using it on the same device anyway. It's best to simply use a long, strong, unique Master Password and not give it to anyone else.

    Two-factor authentication can be enabled on a 1Password.com account, but this does not "protect the master password". It can only prevent someone who has your other (static) account credentials from signing into a new device/browser. If you're in a situation where someone else is in control of your device (malware, public computer, etc.), it isn't safe to access sensitive data anyway, as someone could just capture your data as you access it, or perform a person-in-the-middle attack to sign in as you when you enter your credentials -- including the one-time password. It's important that you only use 1Password (or anything else sensitive) on a secure, trusted device. Better safe than sorry!

This discussion has been closed.