Why not use 2 factor authentication to secure my 1Password Vault?


Comments

  • :+1: :)

    Ben

  • AGAlumB
    1Password Alumni

    Thank you. I try, and often fail, but I'm always happy to try again so hopefully we can meet in the middle. :lol:

  • keldvraakjaer
    Community Member

    2-factor verification to open a vault is essential. But if you are not even thinking about implementing it, I guess I should start looking for other options. In the unfortunate case that my PC or Mac gets a keylogger I will be screwed... because the hacker will get access to everything... that is not acceptable.

  • keldvraakjaer
    Community Member

    And if you DO consider implementing it, then make sure to use Google Authenticator instead of Authy, because as Coinbase have noted, Authy is tied to your phone number, thus open to phone porting attacks, where Google Authenticator is tied to your device.

  • prime
    Community Member
    edited June 2017

    @keldvraakjaer I posted I think in this thread that 2SA is not 100%, and it DOES not encrypt your data like the Secret Key does. At all.

    I also posted how it was compromised, just look at this whole thread about it. I even held off due to no 2FA and did a lot of research, and the Secret Key is great. Your passwords are protected by 2 encryption keys, where others just have one. I can give you my master password right now, I bet you can't get in.

    Why would your Mac or Windows computer have a key logger on it? When I set up my Mac, I didn't even have to type the Secret Key, and I still don't. If you have key loggers on your computer, you have more issues than just a password manager.

    If you're worried going on a different computer, it's so easy to change the secret key.

    My issue with 2SA/2FA is, too many people think this is 100% and it's not. I've posted a few times how it didn't help at all.

  • AGAlumB
    1Password Alumni

    In the unfortunate case that my PC or Mac gets a keylogger I will be screwed... because the hacker will get access to everything... that is not acceptable.

    @keldvraakjaer: In this scenario, two-factor authentication doesn't protect you. If you use it to access the data, the attacker can perform a person-in-the-middle attack on you, or simply hang out and collect your data as you access it. And if you're not accessing your data, it will be secure, since it's encrypted, and two-factor isn't involved then. We may add additional authentication options in the future, but encryption is what protects your data.

  • alonagar
    Community Member

    I just don't get it!
    You have here people who would be happy to be your customers; all they are asking you to do is implement 2FA in your system. As a CTO I know that it takes no more than 1 day of work.

    Why are you so stubborn about it?
    In business, if your customers want something and are willing to pay for that, you should just give it to them.
    I had chosen your competitors even though I preferred to use your system just because of the lack of 2FA.

    You may even implement it above the master key as another layer of security, so you are not compromising the security, just adding another level for customers who want it.

    If I were your shareholder I would give hell to your CEO/CTO for this poor business decision of going against the will of your customers. This long thread amazes me; I have never seen a company so righteous. Sometimes it's better to be smart than to be right.

    I really hope that you'll change your mind about this issue, and will be happy to be your customer when you'll decide to do so.

  • AGAlumB
    1Password Alumni

    I just don't get it! You have here people who would be happy to be your customers; all they are asking you to do is implement 2FA in your system. As a CTO I know that it takes no more than 1 day of work.

    @alonagar: Easier said than done. And there are a lot of different things to consider as well.

    Why are you so stubborn about it? In business, if your customers want something and are willing to pay for that, you should just give it to them.

    If we try to do everything we're asked to, we'll never get anything done.

    I had chosen your competitors even though I preferred to use your system just because of the lack of 2FA. You may even implement it above the master key as another layer of security, so you are not compromising the security, just adding another level for customers who want it.

    We don't want to encourage or promote the misconception that multifactor authentication will protect people from having their data stolen if they access it on untrusted computers. But we recognize that some businesses need this to satisfy regulatory or contractual obligations.

    That's a good point about an additional layer though, and that's how the beta Duo authentication feature works in 1Password Teams Pro accounts which have it enabled.

    You're right that my concern is partly that some folks have wanted us to use traditional two-factor authentication instead of the Secret Key. But also using multi-factor authentication of any kind potentially offers not only an additional way for people to secure their accounts (not their data, going back to encryption — a one-time password cannot be used for that, for obvious reasons), but also a way for users to lock themselves out of their data permanently (unless the implementation has an escape hatch, like recovery methods, which could also be exploited by an attacker). So it's something that needs to be managed carefully, both by users and also by us.

    If I were your shareholder I would give hell to your CEO/CTO for this poor business decision of going against the will of your customers. This long thread amazes me; I have never seen a company so righteous. Sometimes it's better to be smart than to be right. I really hope that you'll change your mind about this issue, and will be happy to be your customer when you'll decide to do so.

    Being smart is also often the right thing to do. We'd rather carefully consider changes that will affect our customers, potentially "leaving money on the table", than have a premature rollout. While I wouldn't encourage you to pay for something based solely on a beta feature which may change or be removed, you can try it for yourself for 30 days for free. Cheers! :)
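    The two points made above (a keylogged password alone does not yield the encrypted data, and a one-time code cannot serve as an encryption key) as an added, runnable illustration; this is example code, not 1Password's own implementation. It sketches a two-secret key derivation in the spirit of the Secret Key design, with constructed sample values for the password, Secret Key and vault contents, and uses an HMAC tag as a stand-in for the key-confirmation step a real vault performs before decrypting.

```python
import hashlib
import hmac

# Constructed sample data (not real credentials).
SALT = b"constructed-per-account-salt"
MASTER_PASSWORD = "correct horse battery staple"
SECRET_KEY = "A3-CONSTR-UCTED0-SAMPLE-KEY00-00000-00000"  # constructed, 1Password-like shape
VAULT_PLAINTEXT = b"constructed vault contents"

def key_from_password(password: str) -> bytes:
    # Slow hash: the password is the only human-memorised, guessable secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

def key_from_secret_key(secret_key: str) -> bytes:
    # High-entropy, machine-generated secret needs no stretching, only expansion.
    return hmac.digest(SALT, secret_key.encode(), "sha256")

def derive_vault_key(password: str, secret_key: str) -> bytes:
    # Two-secret key derivation (sketch): XOR the two 256-bit outputs. Without
    # BOTH inputs the result is a different key and the vault stays sealed.
    a, b = key_from_password(password), key_from_secret_key(secret_key)
    return bytes(x ^ y for x, y in zip(a, b))

def key_check_tag(key: bytes, data: bytes) -> bytes:
    # Stand-in for key confirmation; a real vault would use an AEAD cipher.
    return hmac.digest(key, data, "sha256")

def can_open(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(key_check_tag(key, data), tag)

VAULT_TAG = key_check_tag(derive_vault_key(MASTER_PASSWORD, SECRET_KEY), VAULT_PLAINTEXT)

def password_alone_opens_vault() -> bool:
    # A keylogger capturing only the typed password does not yield the vault key.
    return can_open(key_from_password(MASTER_PASSWORD), VAULT_PLAINTEXT, VAULT_TAG)

def otp_as_key(code: str) -> bytes:
    # What "encrypting with the one-time password" would amount to.
    return hashlib.sha256(code.encode()).digest()

def brute_force_otp_key(tag: bytes, data: bytes) -> "str | None":
    # Six digits give only 10**6 candidates: exhaustive search finishes in seconds,
    # which is why a one-time code can authenticate but cannot protect stored data.
    for n in range(1_000_000):
        code = f"{n:06d}"
        if can_open(otp_as_key(code), data, tag):
            return code
    return None
```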

  • prime
    Community Member

    @brenty

    We don't want to encourage or promote the misconception that multifactor authentication will protect people from having their data stolen if they access it on untrusted computers. But we recognize that some businesses need this to satisfy regulatory or contractual obligations.

    That's just it. I think people put way too much faith in this. I was one of them, but I researched.

  • I would love for us to be able to implement all of the checkboxes that various companies require in order to adopt software. For some it's 2FA. For others it's another thing like LDAP integration. Others need automation support. Everyone's got their own requirements. There is no shortage of checkboxes out there.

    We're doing our best at managing adding these features responsibly in ways that satisfy the needs of the users. We're a really small team, and we like being small. But it means we need to pick and choose very carefully what we work on.

    Rick

  • adonisk
    Community Member
    edited July 2017

    You have here people who would be happy to be your customers; all they are asking you to do is implement 2FA in your system. As a CTO I know that it takes no more than 1 day of work.

    Wow really? As a CTO you expect a security feature to be analysed, implemented, reviewed and deployed in 1 day? No offense but if I found out they did anything like this even in the Beta channel I'd cancel my subscription.

    That being said, I'd really love an extra layer of security (preferably hardware) that is neither a long key I have to memorize or have somewhere that could be easily compromised nor a 10-20 character "memorable" password...

  • thiyanesh
    Community Member

    Hi Agilebits Team,

    As a user of a 1Password cloud-based individual account, I wish that 1Password would include 2-factor authentication.

    Sure, any security system can be hacked with enough effort, but please understand that adding 2-factor auth will increase the difficulty/complexity.

    With 2-factor auth, there will be an assurance (with the possibility of MITM attacks, but every system can be hacked, and why use a password manager at all) of notifications on vault access.

    I sincerely wish you guys would put as much effort into implementing 2-factor auth as into convincing us why it's not needed. Please.

    Thanks,
    Thiyanesh

  • Hi Thiyanesh,

    We subscribe to a philosophy of not playing into "security theater." Certainly MFA has some benefits, but it does not protect against the threats that many think it does, and so we feel it is important to educate users on that. That isn't to say that MFA is entirely security theater, if implemented properly, and we may indeed someday add it, but as Rick mentioned here there are a number of things that are ahead of it (or at least on par with it).

    We do already send you a notification whenever a new device is logged into your account.

    Ben

  • thiyanesh
    Community Member
    edited July 2017

    Hi Ben,

    Thank you for your response.
    Rick mentioned various companies having different requirements. It would be really great if individual users' requirements were also considered. I have interacted with a few of my friends, and the reason they chose other password managers over 1Password is mainly because of 2FA.

    Have a great week ahead.

    Thanks,
    Thiyanesh

  • Thanks for the feedback. :)

    Ben

  • prime
    Community Member
    edited July 2017

    @thiyanesh

    I'd rather have 2 encryption keys like this set up than rely on a system that isn't 100%.
    Another password manager had it, and hackers were still able to get in.
    http://www.zdnet.com/article/researcher-finds-lastpass-2fa-could-become-1fa/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem:+Trending+Content&utm_content=58f9cb4004d30171c7836127&utm_medium=trueAnthem&utm_source=facebook

    Please research this, because it's not perfect at all.
    More in this thread:
    https://discussions.agilebits.com/discussion/77915/lastpass-in-the-news-again#latest

    You also have this issue:
    http://www.zdnet.com/article/two-factor-security-is-so-broken-criminals-drained-a-persons-bank-account/

    Not having 2FA was one of the reasons why I didn't go subscription for a while, and I did a lot of reading and research on this issue.

  • AGAlumB
    1Password Alumni
    edited July 2017

    Indeed, it's certainly a complex issue.

    I'd like to apologize personally if I've given anyone the impression that we don't care about this. It's because we do that we haven't hastily added two-factor authentication, and that we put a lot of thought into discussions like this one.

    We'll continue to improve 1Password with both security and convenience in mind. You really can't have one without the other, since no one would use it otherwise. Thanks to everyone for the passionate feedback on this! :)

  • Baggins
    Community Member

    Just what I logged in to research. I am considering a U2F device so I can stop waiting for (insecure) SMS texts every time I log in to anything, and I wanted to see if One P had any plans, suggestions, etc.

  • AGAlumB
    1Password Alumni

    I think it's worth mentioning that while we may be able to offer options like this for 1Password.com itself in the future, this isn't possible with the standalone apps as there is no authentication involved; and similarly 1Password won't be able to manage U2F for 3rd party sites any more than it can SMS messages.

    So getting back to 1Password.com, we don't have anything to announce in this area, but it's definitely helpful to know it's a feature you'd like. Cheers! :)

  • [Deleted User]
    Community Member
    edited August 2017

    It would be really awesome if you can add a U2F/FIDO support. I use this key (20+ Google accounts, Facebook, DropBox, GitHub, GitLab and some others) and it's fantastic: https://www.yubico.com/products/yubikey-hardware/fido-u2f-security-key/

    1. It's a physical key, so it can't be exploited
    2. FIDO is a standard and FIDO 2.0 will be backwards compatible with the current one
    3. You can have more than one key tied to your account, 1 key for active use, the other one hidden somewhere as a backup
    4. U2F is fully supported in Chrome (60% market share) and you can get an open source plugin for Firefox (will be integrated directly into the browser soon)

    I know most people would probably prefer 2FA via SMS and/or authentication apps, but I really think U2F/FIDO is the best starting point for you guys.

    Edit: Your competitor, Dashlane, is also using U2F: https://www.dashlane.com/en/fido-u2f

  • prime
    Community Member

    @smnstrk

    It's a physical key, so it can't be exploited

    I just read last week how these were exploited. I'll see if I can find the article.

  • [Deleted User]
    Community Member

    @prime

    Please find it, because I've just searched everywhere and can't find anything.

    During the registration process, the key pairs are generated on the device (secure element) but the key pairs are not stored on the Security Key. Instead, the key pair (public key and encrypted private key) are stored by each relying party/service that initiated the registration.

  • AGAlumB
    1Password Alumni

    @prime: I'd be interested as well. I don't suppose you can find it in your browser history — although I wouldn't be surprised if you use private browsing and/or clear your data regularly, as many others here seem to. ;)

    @smnstrk: The only thing I'm aware of personally is that some folks are concerned about the inability to specify their device key. I can see both sides of this. My only real complaints about hardware authentication solutions are that they are a usability problem for most people, and that it seems like others expect them to protect against virtually any threat. Those things aside, I think they can be a useful tool.

  • prime
    Community Member

    @brenty I looked for it the other day, and nothing. I read it from one of the tech sites on Facebook, so it's not in my browser :(

  • Fair enough. :)

    Ben

  • AGAlumB
    1Password Alumni

    @prime: Ah yeah, Facebook is like a digital black hole. You may never find it again, but if you happen to (or something similar) please post it!

  • thiyanesh
    Community Member
    edited August 2017

    Eventually switched to a 1Password Team account (BETA) with a single-member team (only myself) to enable Duo support. I sincerely wish the AgileBits team would include this option for individual accounts.

  • AGAlumB
    1Password Alumni

    We don't have any plans to do so, certainly while it's in beta. If and when it "graduates" to a regular feature, we'll definitely consider our options.

  • thiyanesh
    Community Member

    Thank you @brenty

This discussion has been closed.