What is your Setup now that TOTP is integrated

Hello all,

I'm curious how you have things set up now that TOTP is integrated.

In the past I've thought that one of the great features of 1Password is the ability to access my keychain via the web in Dropbox if I have to.

I've considered adding two-step verification to Dropbox but I'm not sure if this is a good idea.

Of all my passwords, the only ones that I currently have which are unique are my master password and my dropbox password. Everything else has been generated.

Here is my concern about adding two-step verification to Dropbox. Suppose you are on vacation overseas and you lose access to your phone. What do you do?

SMS isn't going to work. And if you don't have your Dropbox backdoor password handy you are locked out. Is the solution to just carry your Dropbox backdoor password or disable two-step on Dropbox when travelling?

Thanks,

Dave

Comments

  • MikeT
    Hi @DaveFL,

    I don't know if you follow our blog but we've written about TOTP here: https://blog.agilebits.com/2015/01/26/totp-for-1password-users/

    One sentence you might find useful is this: I’ve previously written (at excessive length, in some cases) about TOTP in general, but in each instance pointed out that it is of limited utility to 1Password users. This is because such schemes are of most use to those people who have weak or reused passwords. If you are using a strong and unique password for a site, then many of the gains of two-step (or multi-step) verification are not relevant for you.

    Of all my passwords, the only ones that I currently have which are unique are my master password and my dropbox password. Everything else has been generated.

    I hope you mean personally created, not unique. Your generated passwords must be unique as well; password reuse is the bigger issue.

    Here is my concern about adding two-step verification to Dropbox. Suppose you are on vacation overseas and you lose access to your phone. What do you do?

    That's why sites with TOTP will provide you with a list of one-time passwords that you can print out, but then again, you're not going to bring this with you on the trip because what happens if you lose this printout like you lost the iPhone? Don't forget to use Apple's Find My iPhone service if it did happen in real life.

    You will have a tough time trying to get access to Dropbox (and 1Password) until you're back home from the trip and use the printout to get back into Dropbox.

    What if your Dropbox account were stolen via maybe a Dropbox server breach or you reused the password elsewhere (hopefully not, make sure you check the duplicate password feature) and someone tries to log in with it, wouldn't you rather that they be locked out because they don't have the one-time code? This would be more common than a lost device considering how many breaches we have every year, and it seems to be getting worse every year. For many, it is more profitable to breach websites than it is to steal certain high-end mobile devices, especially after the activation requirement for stolen phones.

    If you don't reuse your password, use a strong password, and stay up to date on breaches, you generally won't benefit much from two-step verification.

    Is the solution to just carry your Dropbox backdoor password or disable two-step on Dropbox when travelling?

    In your case, probably don't use the two-step option if you're already using a strong unique password, but if you're very security conscious about this, you might want to leave it on without bringing anything else with you.

    Can you tell me hypothetically what you would do after you lose the iPhone: are you going to go out to get a new iPhone, download 1Password again and log into Dropbox?

  • DaveFL
    Yes, I mean personally created. They are strong passwords that only I know. Everything else is randomly generated using 1Password.

    The worst case scenario would be for my phone to go missing, and realistically it would not be replaced until I returned. I'd probably want access to things like email (which I do not have my passwords for) so I would have to get access to Dropbox to get into my vault.

    Basically, with a new phone I'd have to log in to Dropbox using my unique password and one-time password (to bypass 2FA). Or I would disable 2FA on Dropbox prior to trips (just in case). From here I could get my iOS password.

    Once I had access to Dropbox I'd be able to access my iCloud password and set things up.

    One 2FA provider that I found interesting was DUO, as they give you the ability to specify your own one-time passwords to bypass 2FA device authentication. These passwords can have an expiration count.

    A couple of things to add.

    If I can access 1Password via Dropbox on the web, why can't I just put this on a USB key and access it with a standard browser?

    Probably not possible to do, but some form of one-time password would be useful. E.g. let me run a local app from USB and I can enter a password to unlock the vault, and the password expires after usage. This allows me to get to the vault on any machine without worrying about a keylogger.

  • @DaveFL your plans sound well thought-out. A couple of notes:

    Basically, with a new phone I'd have to log in to Dropbox using my unique password and one-time password (to bypass 2FA). Or I would disable 2FA on Dropbox prior to trips (just in case). From here I could get my iOS password.

    This is not a bad idea, although as Mike said, if you have a strong password for it that you can remember, then the benefit of 2FA isn't too big.

    I use the same system. I have a very strong password for Dropbox that I thought of myself. This, my 1Password master password, and two other services are the only passwords that I actually remember, the rest is stored in 1Password.

    One 2FA provider that I found interesting was DUO, as they give you the ability to specify your own one-time passwords to bypass 2FA device authentication. These passwords can have an expiration count.

    This is essentially the same thing as reset passwords or one-time-password lists that you get from many providers. It's not very practical.

    If I can access 1Password via Dropbox on the web, why can't I just put this on a USB key and access it with a standard browser?

    Probably not possible to do, but some form of one-time password would be useful. E.g. let me run a local app from USB and I can enter a password to unlock the vault, and the password expires after usage. This allows me to get to the vault on any machine without worrying about a keylogger.

    For one, not many browsers support local file system access. Then you'd also have to trust that particular PC not to have some kind of malware on it which, frankly, you can't be sure about.
    The one-time-password via a local app sounds like an interesting premise but you'd be inviting a lot of potential problems with this, not the least being the subversion of the absolute principle of only allowing the user access by entering the master password.

    This particular problem might be better solved by keeping a backup of your vault on a USB drive. In the case of a stolen iPhone, you could go ahead and transfer this backup to a new iPhone or new Android-based phone via a PC or Mac.
    You'd still be connecting your new device to a strange PC/Mac and that has its own security implications but at least you wouldn't have to enter your master password on a potentially unsafe machine.
    Of the two options, this would cause fewer headaches in my opinion.
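To make concrete what the thread is weighing (MikeT's printed list of one-time codes as the fallback when the phone is gone, and DaveFL's DUO-style bypass codes with an "expiration count"), here is a small server-side verifier written for this page; it is an added example, not code from 1Password, Dropbox or DUO. It accepts either an RFC 6238 TOTP code (with a one-step skew window and replay protection) or a hashed single-use backup code carrying a remaining-use count; the secret is the RFC 6238 test-vector key and the backup code is a constructed sample.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter,
    dynamically truncated (RFC 4226) and reduced to `digits` decimal digits."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class SecondFactor:
    """Hypothetical second-factor record for one account: a TOTP secret plus
    backup codes stored as SHA-256 hashes, each with a remaining-use count
    (the 'expiration count' DaveFL describes). Not any vendor's real design."""

    def __init__(self, secret: bytes, backup_codes: Dict[str, int]):
        self.secret = secret
        self._backup = {hashlib.sha256(c.encode()).hexdigest(): n
                        for c, n in backup_codes.items()}
        self._last_counter = -1  # highest TOTP step already accepted

    def verify(self, code: str, now: Optional[float] = None) -> str:
        """Return 'totp', 'backup' or 'rejected'."""
        now = time.time() if now is None else now
        counter = int(now) // 30
        # Tolerate one step of clock skew either way, but never accept a step
        # at or below the last one used, so a captured code cannot be replayed.
        for skew in (0, -1, 1):
            c = counter + skew
            if c > self._last_counter and hmac.compare_digest(totp(self.secret, c * 30), code):
                self._last_counter = c
                return "totp"
        h = hashlib.sha256(code.encode()).hexdigest()
        if h in self._backup:
            self._backup[h] -= 1          # burn one use of the printed code
            if self._backup[h] == 0:
                del self._backup[h]       # fully spent: remove it
            return "backup"
        return "rejected"

if __name__ == "__main__":
    sf = SecondFactor(b"12345678901234567890", {"rain-tiger-9f3a": 1})  # constructed sample
    print(sf.verify(totp(b"12345678901234567890", time.time())))        # totp
    print(sf.verify("rain-tiger-9f3a"), sf.verify("rain-tiger-9f3a"))   # backup rejected
```

The replay guard is why a lost phone is survivable but a captured code is not reusable: the phone's codes keep changing, while each backup code is deleted the moment its count reaches zero.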