Why is it a good idea to store 2FA tokens in 1Password?

timwis
timwis
Community Member

I was surprised when I saw haveibeenpwned recommending I store my multi-factor auth tokens in 1Password, and I'm curious for the rationale behind why that would be a good idea. Isn't MFA meant to be "a thing you know" and a "thing you have"? If someone gained access to my 1Password account, they'd be able to get in to all my services because they'd have both the passwords and the "proof" that they "have" my device (via those tokens).

Is the reasoning that in order to get into a 1Password account you need to "know" the password and "have" the security key? If so, why would 1Password offer 2FA to login to it?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Why is it a good idea to store 2FA tokens in 1Password?

Comments

  • peacekeeper
    peacekeeper
    Community Member

    Security wise it is a good idea to use it with in 1PW because it protects you from several attack vectors:

    • If a wifi you're on is compromised and breaking SSL and thus recording passwords you enter you're account is still safe thanks to 2FA since the one-time code is worthless
    • If your password leaks from the service you use itself your password is still safe

    This protection works whether you store the 2FA secrets in 1Password or in another authentication app. It makes no difference. Securing a login with a reused password with 2FA is not a great idea since reusing passwords is a bad idea. Also, reusing passwords is unnecessary anyway when using a password manager so what you need and can protect against with 2FA are mainly the 2 points mentioned above. Storing the 2FA secrets in 1PW gives me the benefit of having them backuped in a good way and synced across my devices. The convenience enables me to mark my devices as "untrusted" with the services since it does not cost me extra-time to enter the 2FA code, making me better protected if my device is, for example, stolen.

    I use the 2FA in addition to secret key and password for 1PW.com because I am
    1. overcautious
    2. Still a have a bit of protection if my Emergency Kit is compromised

  • timwis
    timwis
    Community Member

    Thanks, but what you described is primarily the benefits of 2FA in general -- I'm aware of those and wholeheartedly agree. Personally, I use Authy as my 2FA app and have been considering switching to 1Password (which is what I use for my passwords). But I'm concerned about how wise it is to do that (per my original post).

    Also, regarding using 2FA for your 1Password account -- and this is kind of an aside -- what if your phone and computer are stolen (say, if you're mugged while coming home from work with your laptop)? How would you get in to anything if you need one of them to get in to 1Password?

  • Donaldd
    Donaldd
    Community Member
    edited February 2019

    Hi, @timwis
    IMHO, storing 2FA in 1Pass is a balance between security and convenience. Sure, it is more secure to use another 2FA app such as Authy as it is the "real" second factor, and it is good! However, it also increases the complexity to the average users (setting up another app, keep those backup codes) and people tend to choose the easy way to use their account (password 123456 is still so popular somewhere :( )
    So, if 1Pass is the only app that people should worry about, they may be more willing to enable 2FA and enjoy the benefits that 2FA could offer.

  • peacekeeper
    peacekeeper
    Community Member

    Also, regarding using 2FA for your 1Password account -- and this is kind of an aside -- what if your phone and computer are stolen (say, if you're mugged while coming home from work with your laptop)? How would you get in to anything if you need one of them to get in to 1Password?

    This is very unlikely to happen since I have a separate work Computer and almost never carry my private laptop. I have authy set up on 2 phones (work and private) so if the thief does not know I have 2 phones maybe one will remain with me. If both are gone, I could restore my authy backup to my wife‘s phone. If all devices with my 1PW Secret Key are gone, I go to my bank lockbox where I store my Emergency Kit and an offsite backup of my computer.
    2FA is also one thing that the 1PW support can deactivate in case of emergency.

    My main argument is, the advantages of 2FA do not go away if you generate the codes with 1Password but it‘s much more usable. It‘s even safer of course if you store them separately, but in daily usage this was more inconvenient for me. If the authy setup works for you, there is no need to change it.

  • XIII
    XIII
    Community Member

    Also, regarding using 2FA for your 1Password account -- and this is kind of an aside -- what if your phone and computer are stolen (say, if you're mugged while coming home from work with your laptop)? How would you get in to anything if you need one of them to get in to 1Password?

    To prevent you from getting locked out you could (should?) write the 1Password 2FA set up code on a piece of paper (maybe your 1Password Emergency Kit?) that you store in a safe (place).

  • AGAlumB
    AGAlumB
    1Password Alumni

    Also, regarding using 2FA for your 1Password account -- and this is kind of an aside -- what if your phone and computer are stolen (say, if you're mugged while coming home from work with your laptop)? How would you get in to anything if you need one of them to get in to 1Password?

    @timwis: It's a good question. We definitely don't recommend using 1Password as the sole place to store your TOTP secret to login to your 1Password account. From the 1Password membership two-factor guide:

    Although 1Password can be used to store one-time passwords for other services where you use two-factor authentication, it’s important to use a different authenticator app to store the authentication codes for your 1Password account. Storing them in 1Password would be like putting the key to a safe inside of the safe itself.

    Don't put all of your keys to the safe inside the safe! :fearful: XIII had a good recommendation:

    To prevent you from getting locked out you could (should?) write the 1Password 2FA set up code on a piece of paper (maybe your 1Password Emergency Kit?) that you store in a safe (place).

    That's just one of many options. Really, it's up to you. Just be sure to take the necessary precautions to avoid locking yourself out of your data for good.

    My main argument is, the advantages of 2FA do not go away if you generate the codes with 1Password but it‘s much more usable. It‘s even safer of course if you store them separately, but in daily usage this was more inconvenient for me. If the authy setup works for you, there is no need to change it.

    peacekeeper++ Good advice! Personally, I keep these in 1Password because it's the most secure and available place I have to store these secrets. Much like the keys inside the safe, security doesn't do us much good if we can't get into our stuff when we need to. So I think it's a good balance. But each of us can determine what works best for us. Cheers! :)

  • jimthing
    jimthing
    Community Member
    edited March 2019

    Haven't read the whole thread, but couldn't 1P get around the "keeping all your eggs in one basket" issue, by perhaps having a separate authentication app?

    Say if you had a separate app called "1Password 2FA", or something, with a separate login password (and Face/Touch ID-type "what you are" options).

    I know there are flaws with even this idea, like auto-copy functionality (Face/Touch ID-type things could help with that), but it'd certainly solve the issue of using yet another third-party app to authorise ones' login.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Haven't read the whole thread, but couldn't 1P get around the "keeping all your eggs in one basket" issue, by perhaps having a separate authentication app?

    @jimthing: I guess so, but the logical conclusion to that strategy would be having separate 1Password apps for each individual login...and I'm sure we don't want to do that, even if it would potentially put an end to bad egg/basket analogies*.

    *Not trying to pick on you personally; it comes up a lot. :)

    Say if you had a separate app called "1Password 2FA", or something, with a separate login password (and Face/Touch ID-type "what you are" options).

    I think that there may be an argument for doing that for 1Password accounts...but then again maybe we can come up with something even cooler. :)

    I know there are flaws with even this idea, like auto-copy functionality (Face/Touch ID-type things could help with that), but it'd certainly solve the issue of using yet another third-party app to authorise ones' login.

    I think it's worth considering the actual threat we're trying to protect against before we do anything like that. If it's someone having your device, wouldn't they be unable to access it whether it's in a separate 1Password app or the one we have now? It seems like the best case for having it separate at all is avoiding getting locked out...but if they're both on a same device and it's lost, stolen, or destroyed, you're out of luck anyway. Anyway, different angles to consider.

  • jimthing
    jimthing
    Community Member
    edited March 2019

    @brenty: Yes, I see the arguments you make.

    The last one is similar to the question of the need, or otherwise, for users to store these batches of "backup codes" each login seems to want to give them as a backup for 2FA not being available.

    Maybe an explainer blog post giving insight to ones' thought process, when it comes to the 2FA/backup codes/separate authentication apps issues, may help people further here. As there seems to be a lot of conjecture or lack of understanding in these forums (and elsewhere), from my general reading.

  • Lars
    Lars
    1Password Alumni

    @jimthing - it's kind of a challenge, because people of all sorts of different levels of understanding of security and technology in general come here and read some of our stuff, and we have to make it comprehensible to newer folks without being redundant/remedial for power users. A lot of what's missing is an understanding of the fine differences between authentication and encryption, and in the realm of authentication specifically, between genuine 2FA and 2SV (2-Step Verification). In fact, we get this often enough that I was just asked a couple of days ago right here in the Lounge: https://discussions.agilebits.com/discussion/comment/494920/#Comment_494920

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    At the risk of repeating what my colleagues have already said (because I confess to not reading this thread carefully), the actual security value from something like TOTP is rarely what I call the "second factorness". The security benefits of TOTP are

    1. Long term secret is unique
    2. Long term secret is high entropy
    3. Long term secret is only transmitted once (during set up when you scan the QR code)
    4. Authentication token (the six digit code) is "one time" (that is what the "OTP" part means).
    5. Authentication token does not reveal any (usable) information about the long term secret
    6. Ability to create a correct authentication token is a decent proof of possession of the long term secret
    7. Ability to create a correct authentication token demonstrates control of the factor on which the long term secret is stored.

    Number 7 on that list is the "second factor" part. None of the other security benefits of TOTP require it actually being on a separate factor. If we contrast that list with what traditional password use does, 3–5 represent clear advantages over traditional password authentication, and 1 and 2 are advantages over typical password use.

    You have to be the judge for yourself, but in most situations that most of us encounter, (7) is the least valuable thing about TOTP. It gets overrated because the whole thing is called "second factor authentication", but the security value (in almost all cases) is not coming from the second factorness.

    It's worth noting that when services first started pushing for TOTP they stated1 that their primary concerns were (1). They found that people were reusing passwords, and so accounts were being taken over due to credential stuffing. Of course, if you are using 1Password well, you will have strong and unique passwords for each service, and so you will already have (1) and (2) covered.

    When it comes to logging in to 1Password itself, our authentication system covers all but (7). (And the long term secret isn't transmitted during signup either.) So we achieve many of the real goals of "2FA" (and some additional ones) in our authentication. For a talk I've given on “What does ‘MFA’ mean?”, I produced a table that covers some of the various security properties of different systems.

    Table of authentication scheme security properties

    So anyway, once you get past the name "second factor" and focus on the real security benefits of TOTP, you will be in a better position to judge whether keeping your TOTP secrets in 1Password is right for you. Maybe it is, and maybe it isn't.


    1. Dropbox had a nice blog post about this in 2012, but it appears that the link is dead. ↩︎

  • univbee
    univbee
    Community Member

    I wanted to report on this as i had a breach with 1password on its own, as a computer i was using with it had a keylogger and backdoor installed. Fortunately I came out of it mostly unscathed, although I did have a fun evening of resetting passwords (including regenerating my 1password secret key). It's forced me to change how I use 1password due to the "all your eggs in one basket" issue. I definitely won't be keeping my 2FA emergency stuff in 1password after my experience.

    As an aside, I happened to be screen recording so I got to see exactly what they did. I am extremely lucky that someone with that level of access to my PC had a very poor plan of attack, it easily could have been really bad.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I'm sorry to hear that. It's definitely going to be a huge hassle to go through and change a bunch of credentials if you've had them stolen that way (or for peace of mind if you suspect they could have been), but it sounds like you kept a level head and did what needed to be done!

  • timwis
    timwis
    Community Member

    @jpgoldberg thanks for that breakdown! I hadn't thought of it that way. So it almost sounds like we'd prefer websites did away with traditional passwords entirely and required OTP instead. And I suppose so long as you never digitise your 1Password master key, access to 1Password itself becomes a sort of proof of having something.

    Still not quite sure I'm sold on the idea of turning on 2FA for my 1Password account itself: (1) in terms of security, the redundancy with the master key reminds me of hashing passwords twice, and (2) to safeguard from the "getting mugged" scenario, you'll need to store the long term secret somewhere safe, so it's essentially like having two master keys, no?

  • gordcook
    gordcook
    Community Member

    @timwis

    So it almost sounds like we'd prefer websites did away with traditional passwords entirely and required OTP instead.

    I won't put words into Jeff's mouth, but I doubt that's what he means.

    Personally, I'd be worried about the case where Bob accidentally leaves his token/phone/whatever on a table and his girlfriend picks it up and uses it to log into Bob's bank account. Or, worse, his Tinder account. :) With 2FA, simple possession of the TOTP long-term secret is insufficient; she would also need the password that only he knows. That said, there might be scenarios where possession "something I have" is sufficient authentication, depending on the level of risk involved. Tapping a debit card without prompting for a PIN is very much like that scenario and that's a cash transaction.

    If I'm understanding the point of view being presented, and probably oversimplifying it:
    1. "something I have": possession of a copy of the vault
    2. "something I know": the master password
    3. "something I am": biometrics such as TouchID or FaceID

    In nearly all circumstances of which I am aware, I would need at least (1) and either (2) or (3) to unlock my vault and all of the secrets that it contains. That's 2FA.

    However, in the case of the Web GUI, I believe that I only need factor #2. In my books, that lowers the entire system down to 1FA since there is a scenario in which the Master Password is the single factor that controls access to everything (if my TOTP secrets are in the vault, which was the original question).

    Have I missed the point? Am I being too black-and-white?

  • gordcook
    gordcook
    Community Member

    I gave it some thought and I think I may have answered my own question. It's not black and white. Where you are willing to sacrifice a small bit of security for the sake of convenience and efficiency, the TOTP secret can be stored in the vault with the login credentials. It's encrypted, it's still time-based, and it's very secure. For high-risk situations where security is paramount, then a separate TOTP generator makes sense. As always, it comes back to our level of acceptable risk and it doesn't have to be all-or-nothing.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @gordcook: I think you're right on, at least based on my own interpretation of this conversation. :)

    Regarding timwis 's comments, I think he means that using TOTP as a single factor, instead of a traditional static password, could offer some security benefits. I'm not sure that's worth doing, for a number of reasons, but it's a cool idea. "Other things being equal"*, it has security properties that a traditional password does not. There would be downsides though...

    *©Goldberg 2019

  • AGAlumB
    AGAlumB
    1Password Alumni

    @jpgoldberg thanks for that breakdown! I hadn't thought of it that way.

    @timwis: I found that really helpful too! I guess I am the type of person that really benefits from lists. :lol:

    So it almost sounds like we'd prefer websites did away with traditional passwords entirely and required OTP instead. And I suppose so long as you never digitise your 1Password master key, access to 1Password itself becomes a sort of proof of having something.

    I'm not sure that's such a bad idea, on its face. It's certainly an interesting one. The problem is that the vast majority of users have no idea what TOTP is or how to use it, so having that two-factor authentication be a requirement, or have that as the only factor, is pretty untenable if websites want people to be able to use their accounts.

    Certainly using a secret that is only transmitted during signup and used to generate one-time passwords that expire as the password to login to a site would be feasible for 1Password users, but I'm not holding my breath for this to happen. Nevertheless, fascinating, and not something I'd considered. :)

    Still not quite sure I'm sold on the idea of turning on 2FA for my 1Password account itself: (1) in terms of security, the redundancy with the master key reminds me of hashing passwords twice, and (2) to safeguard from the "getting mugged" scenario, you'll need to store the long term secret somewhere safe, so it's essentially like having two master keys, no?

    So...this is probably a can of worms, but...usability-wise, TOTP is not good. It's open, and really the most accessible two-factor open available to us at this time, so we've gone with that. But still, it can be pretty confusing.

    It could be worse, as we see with other authentication methods, but there's still a learning curve and a technological burden. A person without any kind of computing device can use email on a library computer (I know, I know...) by logging in with their email address and a single static password they need to remember and type (I knowww...) That is a huge advantage of the password paradigm, and the reason it's ubiquitous today: everyone can understand and use it.

    That's a good thing. But actually, that's where we sometimes get into trouble with 1Password! The traditional "password" paradigm has a central authority keeping the password, and then you tell it to them and they verify that it matches what they have. This is not how 1Password works at all, so we cannot, for example, reset anyone's password. So it's understandably a point of confusion. I feel bad about this when someone has locked themselves out of their data, but at the same time I remind myself how important it is that we don't have the keys to it and cannot let anyone in, as that would allow us to give the rightful owner access, but also ourselves or other entities. Not good. I still feel bad that we cause this confusion by changing the password paradigm everyone knows, even though it is for the right reasons.

    So, trying to get back to your point, the Secret Key, while not the same as traditional two-factor, and not really authentication, actually has many of the properties of that. Compared to TOTP, the Secret Key also does the following:

    1. ✅ Long term secret is unique
    2. ✅ Long term secret is high entropy
    3. ✅ Long term secret is only transmitted once (during set up when you scan the QR code)
    4. ❌ Authentication token (the six digit code) is "one time" (that is what the "OTP" part means).
    5. ✅* Authentication token does not reveal any (usable) information about the long term secret
    6. ✅* Ability to create a correct authentication token is a decent proof of possession of the long term secret
    7. ✅* Ability to create a correct authentication token demonstrates control of the factor on which the long term secret is stored.

    *A bit of a cheat because the Secret Key is neither authentication nor one-time, but I would say that our use of SRP results in the Secret Key being used in these ways indirectly. @jpgoldberg may jump in to tell me I have taken the metaphor too far though. :lol: The biggest "no way" though is that the Secret Key does not change, so I wouldn't be comfortable comparing it to a one-time password directly -- though is it really "key" that it is not transmitted, much like the TOTP secret. ;)

    Finally, getting back to your point more directly, regarding whether or not you should use two-factor authentication for your 1Password account, I think we need to look at in a similar way as the single-factor TOTP proposal you made: while you could use TOTP as a single factor, and that could be better (depending on the implementation and use) than a static password, at that point, since you're already asking a lot of the user, I say it's better to use both: static password and one-time password. You get additional security that way, and the static password doesn't really make your life any harder than TOTP alone -- especially if you're using 1Password!

    So, similarly, with your 1Password account, adding TOTP as an additional layer of security helps with certain kinds of threats in addition to those which a long, strong, unique Master Password and super strong and unique Secret Key do -- especially the one-time/time-based aspect of it. So it makes sense for some people. As you alluded though, there is a greater burden placed on the user -- even greater than with TOTP for other accounts, since locking the "keys" to the 1Password vault inside the 1Password vault would be a Bad Thing™. You need a separate app for that, and also should backup the TOTP secret in case of emergency.

    Therefore, I'd say that, for 1Password users, using TOTP for anything other than 1Password is an easy recommendation: 1Password allows you to not only get that additional security, but also keeps track of that for you. Add to that the fact that for many accounts authentication is the only security, there is a lot of upside and really no downside to using it. After all, 99.999999999999% of websites have a way for you to get back in even if you lose your second factor, first factor, and nearly anything else (barring, perhaps, email account). You'd really have to lose access to 1Password itself to lose all of that, and the you have bigger problems.

    But, for a 1Password account, using two-factor authentication has a real tradeoff with regard to the responsibility and effort you need to put in as a user to manage that. And if you lock yourself out, your options are potentially much more onerous and limited (unless you are in a team/family with someone to help you recover). So that's a real downside. And at the same time, there is less upside since, unlike other stuff, 1Password's security is based on encryption not authentication. That's why two-factor authentication is something we added grudgingly, and is is disabled by default and not something we prompt users to enable. :crazy: Whether or not to use that is going to be either a very personal decision, or mandated by a company policy.

  • gordcook
    gordcook
    Community Member

    @brenty

    Regarding timwis 's comments, I think he means that using TOTP as a single factor, instead of a traditional static password, could offer some security benefits. I'm not sure that's worth doing, for a number of reasons, but it's a cool idea.

    I believe I understood. It was why I described Bob's scenario where he loses control of his TOTP authenticator. If that was his sole form of authentication (without another factor) he's compromised. However, TOTP in combination with biometrics would also have some advantages.

    It's just that we've been doing static passwords and PINs for so long that the hoi polloi equate it with authentication and it's hard to break that paradigm. And once you get beyond static passwords, the analogy of putting-the-key-in-the-lock breaks down and it becomes harder to explain to people.

    Imagine you have a keyring with a million keys and you have a lock that changes every 30 seconds. So that key that just worked doesn't work anymore and you have 30 seconds to find the right key.

    How am I supposed to carry a keyring with a million keys on it??
    And who on this green earth is changing my lock every 30 seconds??

    Sigh. Never mind.

    Other Things Being Equal™ :) I bet that's not going away any time soon.

  • Other Things Being Equal™ :)

    :p

    Ben

  • b4Inception
    b4Inception
    Community Member

    Is there a way to have 1Password check existing login records for 2FA again. I believe I turned it off, but would like to turn it on again and have it check my login records for available 2FA so that I can utilize it more fully.

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @b4Inception!

    I have just replied to your question in the discussion you have opened here ;)

This discussion has been closed.