On Mac desktop app, I can open my vault without completing 2FA

kerryg
Community Member

I recently enabled 2FA on my 1Password account using a personal computer. I wanted to test the 2FA by logging in to the 1Password app on another machine that had not yet been registered with my auth token.

When I open the 1Password app on the second computer, it prompts me for TouchID (or master password) to unlock the vault as expected. Once I oblige, the vault is opened without a 2FA prompt. After a few seconds, a 2FA prompt appears asking for a 6-digit OTP, but at this point, my vault is already open and I am able to browse my vault freely without ever having completed the second auth step.


1Password Version: 7.2.4
Extension Version: Not Provided
OS Version: 10.13.3
Sync Type: Not Provided

Comments

  • Hi @kerryg,

    I can't quite tell from your description, but it sounds like you had already added your account to 1Password on your second computer, is that correct?

    2FA adds an extra factor when communicating with the 1Password.com backend. So that includes things like syncing changes to and from the server. However, data that was already on your computer before enabling 2FA is not gated by 2FA, which is why you saw data after unlocking 1Password. So (assuming you had previously added your 1Password.com account to the app) we would expect you to be able to see your existing data, but not to be able to sync any new changes without first entering your 2FA code.

    Let me know if that helps explain what you're seeing.

  • kerryg
    Community Member

    That does clear things up. It sounds like what you’re describing is what I am experiencing.

    I had already added my 1Password account to the second machine prior to enabling 2FA. My assumption was that 2FA would prevent me from accessing my data entirely as opposed to blocking subsequent syncs, but apparently that is not the case! Makes sense.

    Thanks for your reply @ag_andrew !

  • Lars
    1Password Alumni
    edited January 2019

    @kerryg - on behalf of ag_andrew, you're quite welcome. Glad he was able to help. To add a bit more detail, 2FA is just what it says: authentication (to the 1Password server). If you already had data locally on your device (because you installed the app and created or synced data previously), you don't need to authenticate to your own device, since the existing data is already there. You do still need to have the Master Password in order to decrypt your data (which is what keeps 1Password secure on your device), but no authentication is required - or even really possible. We could theoretically implement a mechanism within the 1Password interface that would require you to enter a 2FA code in addition to your Master Password before your data could be viewed, but that would amount to what we refer to as "security theater" (the impression of greater security without the reality). Why? Because any adversary who gained either physical or remote access to your Mac would not waste time by trying to guess a 2FA code when the data itself already exists on your device; instead, they would simply extract the raw SQLite database file and run password-cracking software against it, which would entirely bypass that "authentication" gateway in the 1Password software. It's for that reason we don't implement such a thing: because if an attacker can gain physical or remote access to your Mac, such a thing would be entirely useless.
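    The distinction Lars draws (encryption of local data keyed from the Master Password versus 2FA as authentication to the server) is easy to see in a small model. The following is an added example, not 1Password's own code or format: the vault is a toy encrypted blob keyed by PBKDF2 from the Master Password (a SHA-256 counter keystream plus an HMAC tag stands in for a real AEAD cipher), the server checks a password verifier plus an RFC 6238 TOTP code before it will issue a session token for sync, and `offline_guess` shows that someone holding only the blob never interacts with the TOTP check at all, so the work factor of the KDF and the strength of the Master Password are what protect data at rest. All names, constants and the wordlist are constructed for the illustration.

```python
"""Model of 'encryption at rest' vs '2FA on the server'. Added example, not 1Password's code."""
import hashlib
import hmac
import os
import struct
from typing import Optional

KDF_ITERATIONS = 100_000  # assumption: illustrative work factor, not the real product's


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Key for the local vault comes only from the Master Password and a salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode); stands in for AES-GCM/ChaCha20-Poly1305.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes) -> dict:
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_key(master_password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()  # integrity + wrong-password detection
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unlock_local(blob: dict, master_password: str) -> Optional[bytes]:
    """Opening the vault on the device: no server, no OTP, only the Master Password."""
    key = derive_key(master_password, blob["salt"])
    expected = hmac.new(key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong Master Password
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1); the 6-digit code the app asks for after unlock."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_verifier(master_password: str) -> bytes:
    # Simplification: a real service uses a PAKE such as SRP, never a bare hash of the password.
    return hashlib.sha256(b"verifier:" + master_password.encode()).digest()


class SyncServer:
    """2FA lives here: a session (and therefore sync) requires password proof AND a valid OTP."""

    def __init__(self, verifier: bytes, totp_secret: bytes):
        self.verifier, self.totp_secret, self.sessions = verifier, totp_secret, set()

    def authenticate(self, verifier: bytes, otp: Optional[str], now: int) -> Optional[bytes]:
        if not hmac.compare_digest(verifier, self.verifier):
            return None
        if otp is None or not hmac.compare_digest(otp, totp(self.totp_secret, now)):
            return None  # second factor missing or wrong: no session, so no sync
        token = os.urandom(16)
        self.sessions.add(token)
        return token

    def sync(self, token: Optional[bytes]) -> bool:
        return token is not None and token in self.sessions


def offline_guess(blob: dict, wordlist) -> Optional[str]:
    """Someone holding only the local blob tries candidates; the server's OTP check never runs."""
    for candidate in wordlist:
        if unlock_local(blob, candidate) is not None:
            return candidate
    return None


def demo(now: int = 59) -> dict:
    # Constructed data: a weak Master Password on purpose, to show what 2FA does not protect.
    master, secret = "letmein", b"12345678901234567890"
    blob = encrypt_vault(master, b"login: alice / pw: hunter2")
    server = SyncServer(password_verifier(master), secret)
    no_otp = server.authenticate(password_verifier(master), None, now)
    with_otp = server.authenticate(password_verifier(master), totp(secret, now), now)
    return {
        "local_unlock_without_otp": unlock_local(blob, master) is not None,
        "sync_without_otp": server.sync(no_otp),
        "sync_with_otp": server.sync(with_otp),
        "offline_guess_ignores_otp": offline_guess(blob, ["password", "letmein", "hunter2"]),
    }


if __name__ == "__main__":
    print(demo())
```

    Running `demo()` shows the four outcomes the thread describes: the local vault opens with the Master Password alone, sync is refused until a correct OTP produces a session, and the offline guess succeeds or fails purely on the strength of the Master Password and the KDF cost, which is why a strong Master Password (not 2FA) is the control for data already on the device.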

  • kerryg
    Community Member

    @Lars Great background info. Makes perfect sense. Thanks for taking the time.

  • Lars
    1Password Alumni

    @kerryg - you're quite welcome! :)
