Can I disable two-factor authentication support for my organization?

From my perspective, the two factor support in 1password is an anti-feature which I do not like people to use, since it effectively reduces two-factor authentication to one-factor of having access to 1password for that person.

Hence I would like to completely remove this "feature" for my organization.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:two factor disable organization

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    From my perspective, the two factor support in 1password is an anti-feature which I do not like people to use, since it effectively reduces two-factor authentication to one-factor of having access to 1password for that person.

    @stefaneg: Can you clarify? I'm not sure what you're talking about. Two-factor authentication in a 1Password.com membership is definitely multiple factors: the static account credentials and the dynamic one-time password (or push, for Duo). What is the challenge that your organization is facing due to some users having it enabled as an additional protection on their accounts?

    Hence I would like to completely remove this "feature" for my organization.

    It's not something that can be controlled by an admin unless you're using Duo. But you could see in a report who has it enabled and tell them to disable it.

    Anyway, something we can consider, but I'd really like to understand the reasoning, and we have not had other requests like this -- quite the opposite. I look forward to hearing back from you. :)

  • stefaneg
    stefaneg
    Community Member

    I am talking about using 1password as virtual MFA device, for example to fill in for AWS management console. I am not talking about MFA to access or open 1password.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @stefaneg: Thanks for clarifying. So you're talking about, say, using 1Password to generate the TOTP code to sign into an AWS account:

    Use 1Password as an authenticator for sites with two-factor authentication

    If that's the case, then what you're requesting is out of scope for 1Password. They can save TOTP secrets to generate the codes for AWS or even 1Password (which would be a bad idea, since they would need to be able to get into 1Password in order to get the code to get into 1Password). We don't have any control over what people save in their vaults, or access to even know about it, and neither should you. That's why it's all encrypted. The only potential way to work around vault security would be that you could save the AWS Login in a _shared_vault which you also have access to. Then you'd be able to see if there's a TOTP code being generated there.

    And it's worth reiterating what I mentioned above, since it also applies in this context:

    Two-factor authentication [...] is definitely multiple factors: the static account credentials and the dynamic one-time password (or push, for Duo).

    While I can understand why you might be reluctant at first, if you think about it, using something else to generate the TOTP code will often be less secure (authenticator apps don't always encrypt everything, and often are not secured even with a PIN), and/or increase the possibility of getting locked out -- if the device is lost, stolen, or destroyed, you're probably out of luck with a separate authenticator app, but you'd be able to sign into your 1Password.com account to get back any data you've saved there. Food for thought.

  • stefaneg
    stefaneg
    Community Member
    edited November 2018

    How can a feature of 1password be out of scope for 1password? 1password explicitly supporting MFA secrets to generate TOTP is exactly what I do not want it to do.
    I understand that you want to project the idea that 1password is perfectly secure. It is not. It never will be. It has had its security issues in the past, and will in the future. When that occurs, it will be negating the core point of two-factor authentication to store both the password and token generation secrets in there.

    Regarding account recovery in case of lost token generators, that is a separate issue that is irrelevant for this discussion from a security standpoint.

  • AGAlumB
    AGAlumB
    1Password Alumni

    How can a feature of 1password be out of scope for 1password?

    @stefaneg: That's backward. Using a 1Password feature is in scope for 1Password. Not using a 1Password feature is not in scope for 1Password.

    1password explicitly supporting MFA secrets to generate TOTP is exactly what I do not want it to do.

    Then don't use that feature.

    I understand that you want to project the idea that 1password is perfectly secure. It is not. It never will be.

    I never said that. There is no such thing as perfect security. Otherwise you wouldn't be able to access the data in 1Password either. Even now, you could totally compromise it by giving someone else your account credentials. We have no illusions about that.

    It has had its security issues in the past, and will in the future. When that occurs, it will be negating the core point of two-factor authentication to store both the password and token generation secrets in there.

    Absolutely weaknesses have been found in 1Password features, as with any other software you're using to write this. But when things like that are found, we address them. On the other hand, there have been no breaches of 1Password, which is what it sounds like you're insinuating.

    Regarding account recovery in case of lost token generators, that is a separate issue that is irrelevant for this discussion from a security standpoint.

    Okay. I mean, you may not care about that, but it's relevant to many other 1Password users, so that very much matters to us.

  • The long and short of it is no, it is not possible to disable the ability for someone to use 1Password to generate TOTP codes. That may be something that our development team would consider in the future, but it isn't on the roadmap right now. I'm sorry I don't have the answer you were hoping for.

    Ben

  • stefaneg
    stefaneg
    Community Member

    Thank you for the candid answers. Regarding "insinuating" a breach of 1password, I am more looking at it as "assuming the worst, hope for the best", which is a healthy approach to security IMHO. From that perspective, putting all of your security eggs in one basket is very stupid, however secure it may seem at the moment. Having said that, you do have a good track record, otherwise we probably would not be buying your services.

    In this particular case, I would at the very least like 1password to stop annoying me and other users with notifications about MFA not being enabled on accounts like aws console, for instance by being able to permanently dismiss all such notifications. And from there is a short way to disable such notifications for an org. Which would already be a big step forwards.

  • You can disable the warning on a per-item basis by adding a 2FA tag to the item(s).

    Ben

  • AGAlumB
    AGAlumB
    1Password Alumni

    @stefaneg: Likewise, thanks for your honest feedback! There's no need to rely on hope for security though: we simply don't have the "keys" to anyone's data, so neither we nor someone who attacks us can gain access. That's by design, and I'd encourage you to check out the security white paper for more details, and let us know if you have any questions:

    https://1pw.ca/whitepaper

    Cheers! :)

  • stefaneg
    stefaneg
    Community Member

    Thank you Ben. I will communicate the tag trick within my org.

  • You're welcome. :)

    Ben

  • abcdefg123456
    abcdefg123456
    Community Member

    I want to add my voice for the need to be able to disable 2FA feature on an organisation basis. When my organisation is next audited on our IT security, I'll have to stand over the use of 1Password within our organisation. Trusting 1Password for both password and 2FA token generation is just something that I will not be able to justify to an auditor. A single point of failure negating benefits of setting up 2FA across multiple critical systems. Sure I can make a policy in our company not to use 1Password 2FA, but that will never be as strong as showing an auditor that we have disabled this feature.

  • Thanks @abcdefg123456. We don't currently have plans to offer an option to disable TOTP code generation by 1Password, but I'll certainly continue to pass the feedback on this along to the rest of the team.

    Ben

  • AGAlumB
    AGAlumB
    1Password Alumni

    @abcdefg123456: It's a good point, but consider the alternative: the other means people use for TOTP generation are often much less secure than 1Password, and not-uncommonly have no security at all. I don't disagree with you in principle, but in practice you can do a lot worse than using a long, strong, unique Master Password that only you know to secure everything -- auditors notwithstanding. ;)

  • leon321
    leon321
    Community Member

    I just want to say as a customer (despite being a tiny one), I'd like to 2nd the feature request. Otherwise, we may have to move away from the product since it's not going to give us peace of mind from security perspective nor let us justify ourselves in front of various scrutiny.

    Furthermore, I understand as a product you would like to provide more feature and get user more sticky to it, however, the way you guys think about security only makes me more (not less) concerned about the security of you product and service.

  • Ben
    Ben
    edited April 2019

    @leon321

    Could you please elaborate about what your concern is? I'd like to better understand, so I can perhaps better explain why we do things the way we do, or to better advocate for your position.

    Ben

  • leon321
    leon321
    Community Member
    edited April 2019

    I think I can't say it better than @stefaneg so I just quote " it effectively reduces two-factor authentication to one-factor of having access to 1password for that person."

    ***************************TLDR

    To elaborate, according to wikipedia (I learned the same from my CISSP training years ago), MFA/2FA is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are. To me, the whole purpose of MFA is to increase the difficultness of stealing an identity. If we strictly follow the MFA principle defined here, then, in most cases I can think of, an attacker need to be physically close to the victim in order to get the 2nd factor either a hardware token or his/her fingerprint.

    However, the emerge of software token blurs the traditional definition of MFA/2FA and make it possible to get the 2nd factor without being physically accessible to the victim. In 1Password case, by putting TOTP right next to the password, when an attacker get hold of the 1Password access of a victim, admittedly very difficult but not completely impossible, then two-factor becomes one-factor at that moment.

    Of course, storing TOTP as a 2FA is still very very useful for some other, which could be more real, threat scenarios. If an attacker get hold of the password of a victim, either from a previous breach, or simply brute force, phishing, etc..., the 2FA will be still safe in 1Password and it will still prevent the attacker from accessing the victim's account.

    With that said, allowing organization admins to have the capability to disable the 2FA feature could help them justify the usage of 1Password when dealing with all sort of security scrutiny plus give peace of mind to someone like me. I know I have a little bit OCD gene :D

  • @leon321

    I chatted with our security team about this request and they suggested I point to this article:

    TOTP for 1Password users

    Does that help allay some of your concerns?

    Ben

  • leon321
    leon321
    Community Member

    That explained and echoed (but not removed) my concerns. To quote "if you have a need for true second-factor security for some particular site or service, you should take that into account before adding a TOTP secret to 1Password." Since the article acknowledges that in certain circumstances we should not use 1Password to store TOTP, why there is such a reluctancy to add a feature to allow the organization admin to disable this for their organization? This is not to ask you to remove this feature but just to give more controls to organizations.

    I know at the end of day, the decision is yours how to design your product and features but users have their choices too

  • @leon321

    We always approach feature requests with some level of caution and a desire to better understand the reason behind the request. Development time is a limited resource, so we have to prioritize what we work on. There is no such thing as a "quick and easy fix" in an offering like 1Password and everybody wants something just a little bit different. Everything we implement has to go through multiple levels of review, QA, etc. It isn't necessarily reluctance, but more a matter of approaching things sensibly. If there are already features that may fill a need, or explanations for why things are the way they are, it is part of our job to point customers to them. We want to make sure development time is spent wisely, making the greatest impact for the greatest number of customers. This may indeed be something that falls into that category, but we need to have some support for that position before we present it to development. So that's why we approach these things the way we do.

    Does that make sense?

    Ben

  • Alfonsozubi
    Alfonsozubi
    Community Member

    Yes, it makes sense, but I will add an opinion to my reply. It would seem you would be experts at trying to make my data secure, and this reality should not be that difficult to understand. Having only one authentication, which may be breached by a key logger app (a malicious app that logs your keystrokes) is a concern and not acceptable to some organizations. If in addition to my master password I must add a code from my phone app to my log in that is time sensitive, then even if the key log app (which many have and do exist) gets my master password, the effects of the compromise might be reduced....

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Alfonsozubi: If there's malware on your machine, and you sign in there, you'd be giving them everything they need anyway: username, password, and one-time code. I get what you're saying, but you'd really be counting on an edge case -- or an incompetent attacker -- for the scenario you're imagining to be a win for you in the end. I'm not sure it would be prudent for any of us to take that bet. Certainly for some non-zero number of people there may be good (often practical) reasons to store/generate TOTP codes elsewhere, but for most people 1Password is going to be the best option, by a long shot.

  • Being able to disable TOTP component for an organisation is valuable to my organisation. Yes, it may be that a laptop is monitored by malware, but if another device, say a phone, holds the TOTP component instead, it could be argued it makes the situation more difficult for the attacker to gain complete control over the stored/protected accounts. If TOTP is an option in 1Password, people will use it and collapse MFA to one factor, like others have suggested. Sure, it could be monitored by feature use reports, and yes, it provides an opportunity for education, but isn't it better to just have the option to disable TOTP? Those comfortable with using the feature can use it, and the ones with strict requirements can disable it.

  • Perhaps. :) Thanks for the feedback. We'll continue to evaluate the feedback we receive on this subject. There may be room for improvement in the future.

    Ben

  • Being able to disable TOTP component for an organisation is valuable. It may be that a laptop is monitored by malware, but if another device, say a phone, holds the TOTP component instead, it could be argued it makes the situation more difficult for the attacker to gain complete control over accounts. If TOTP is an option in 1Password, people will use it and collapse MFA to one factor, like others have suggested. Sure, it could be monitored by feature use reports, and yes, it provides an opportunity for education, but isn't it better to just have the option to disable TOTP? Those comfortable with using the feature can use it, and the rest can disable it.

  • AGAlumB
    AGAlumB
    1Password Alumni

    As Ben mentioned already, it's something we can consider.

  • wavesound
    wavesound
    Community Member
    edited November 2019

    Although you can remove the TOTP generator, people can still store their TOTP generator strings in 1Password. I do that for some sites because I treat 1Password as my master repository of security information.

    Practically speaking, there’s really nothing you or 1Password can do about that. As an enterprise, you should consider implementing a more robust multi-factor solution that securely enrolls authenticators if this is an issue. (e.g. RSA, Duo, etc.)

  • AGAlumB
    AGAlumB
    1Password Alumni

    I do think that seems reasonable. :)

This discussion has been closed.