2FA enabled, but not required?

jaydiculous
Community Member
edited November 2018 in 1Password in the Browser

I have 2FA enabled, but it never pops up after I insert my master password on 1Password X. Kind of defeats the purpose of 2FA. What's up?


1Password Version: Not Provided
Extension Version: 1.12.3
OS Version: Windows 10
Sync Type: Not Provided

Comments

  • dankyung
    1Password Alumni

    Hi @jaydiculous,

    When you are using 1Password locally, there is no authentication happening. You are merely decrypting your local encrypted data, which means 2FA is not required when entering your master password. 1Password security is based on encryption, not authentication.

    2FA on 1Password only prevents an unauthorized user from logging into your account on a new device.

    Dan

  • jaydiculous
    Community Member

    @dankyung I'm coming from a Lastpass world, so whenever I logged in, I always had to use 2FA regardless of whether it was an old or new device. As long as 2FA works for new devices, I'm not that concerned. I thought it was an on-at-all-times function. Any reason why it isn't? I don't think encryption has anything to do with having another layer to login to prove you are who you are.

  • AGAlumB
    1Password Alumni

    @jaydiculous: I think that's the source of the confusion. What you're describing is unlocking 1Password, which, as Dan mentioned, involves decrypting encrypted data, not authentication. This may help make the distinction clearer:

    Authentication and encryption in the 1Password security model

    When you have unlocked 1Password by entering your Master Password to decrypt your local data, you have not "logged in" to anything. That only happens when you sign into your account to authorize the app/browser initially. After that, you've already proved who you are, and your device already has the data. Requiring you to "log in" after that would either a) be security theater or b) preclude you being able to access your data without an internet connection: the data is still there.

    That's very intentional, as 1Password's security doesn't depend solely on authentication, and, frankly, most people expect to be able to get to their 1Password data when offline. So it's protected using encryption. Otherwise all 1Password users would need to have an active internet connection at all times in order to access their data. No cell service while traveling? You'd be out of luck.

    We don't get a lot of requests to make 1Password "online only" (though we do get a few here and there). And of course in regard to security, though some people want 1Password to "nuke" itself when credentials are changed elsewhere, if someone malicious had the device they could just keep it offline to prevent that from happening anyway.

    Hopefully that makes things a bit clearer, but if you have any other questions be sure to let us know! :)
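The distinction drawn in the two staff replies above, as an added example that is not part of the original thread and is not 1Password's own code or protocol. It is a simplified model: signing a new device in is authentication (a password verifier plus an RFC 6238 TOTP code, checked by a server object), while every later unlock is decryption of the local copy with no server and no second factor involved. The class and function names, the PBKDF2 work factor, the HMAC-based cipher (a standard-library stand-in for a real AEAD such as AES-GCM), the direct password check in `sign_in` (a real design would use a PAKE so the password never reaches the server) and all sample data are constructed for the illustration.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ITERS = 100_000  # illustrative work factor


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Vault key from the Master Password; computed on the device only."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real AEAD (AES-GCM).
    blocks = [hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong Master Password or corrupted vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Server:
    """Authentication side: holds a password verifier, the TOTP seed and the
    encrypted vault. It never holds the vault key."""

    def __init__(self, master_password: str, totp_secret: bytes, vault_salt: bytes, vault_blob: bytes):
        self.auth_salt = os.urandom(16)  # distinct from the vault salt on purpose
        self.verifier = hashlib.pbkdf2_hmac("sha256", master_password.encode(), self.auth_salt, PBKDF2_ITERS)
        self.totp_secret, self.vault_salt, self.vault_blob = totp_secret, vault_salt, vault_blob
        self.enrolled = set()

    def sign_in(self, device_id: str, master_password: str, code: str, now: int):
        # Factor 1: password proof (simplified; a real design would use a PAKE
        # such as SRP so the password itself never reaches the server).
        proof = hashlib.pbkdf2_hmac("sha256", master_password.encode(), self.auth_salt, PBKDF2_ITERS)
        if not hmac.compare_digest(proof, self.verifier):
            raise PermissionError("bad password")
        # Factor 2: the only place in the whole flow where 2FA is checked.
        if not hmac.compare_digest(code.encode(), totp(self.totp_secret, now).encode()):
            raise PermissionError("missing or wrong 2FA code")
        self.enrolled.add(device_id)
        return self.vault_salt, self.vault_blob


class Device:
    """Client side. Signing in happens once; afterwards the data is local."""

    def __init__(self, device_id: str):
        self.device_id, self.vault_salt, self.vault_blob = device_id, None, None

    def enroll(self, server: Server, master_password: str, code: str, now: int):
        self.vault_salt, self.vault_blob = server.sign_in(self.device_id, master_password, code, now)

    def unlock(self, master_password: str) -> bytes:
        # Pure decryption: no server involved. A wrong password is not "denied"
        # by anyone; the MAC simply fails to verify.
        if self.vault_blob is None:
            raise RuntimeError("not enrolled: sign in first")
        return decrypt_vault(derive_key(master_password, self.vault_salt), self.vault_blob)


def demo() -> dict:
    """Enrol once with 2FA, then unlock offline; all data here is constructed."""
    password, seed, now = "correct horse battery staple", b"constructed-totp-seed", 1_700_000_000
    secrets = b'{"example.com": "hunter2"}'
    vault_salt = os.urandom(16)
    blob = encrypt_vault(derive_key(password, vault_salt), secrets)  # encrypted before upload
    server, laptop, results = Server(password, seed, vault_salt, blob), Device("laptop"), {}
    try:
        laptop.enroll(server, password, "", now)          # right password, no 2FA code
        results["enroll_without_2fa"] = "allowed"
    except PermissionError:
        results["enroll_without_2fa"] = "refused"
    laptop.enroll(server, password, totp(seed, now), now)  # 2FA checked here, once
    results["enrolled"] = "laptop" in server.enrolled
    results["unlock_offline"] = laptop.unlock(password)   # no server, no 2FA
    try:
        laptop.unlock("wrong password")
        results["wrong_password"] = "decrypted"
    except ValueError:
        results["wrong_password"] = "failed to decrypt"
    return results
```

Two things in the model map directly onto the replies above. `Device.unlock` never references the `Server` at all, so the "no 2FA on unlock" behaviour is not a missing check but a consequence of there being nothing to authenticate against; and because the server's only lever is `sign_in`, a device that is simply kept offline after enrolment is never asked anything again, which is the reason given for why a server-side "nuke" could not reach an attacker holding the hardware.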

This discussion has been closed.