2FA Beyond the First Login Option?

Does 1Password intend to add a 2FA option that requires a code any time you login to the Desktop app? Since 1Password pulled the WLAN sync out of the standalone product (boo) I have been trying to figure out if I should stick with 1Password. I don’t mind paying for the subscription, but the lack of proper 2FA has me looking at LastPass. They seem to do it right. Thanks in advance.

Comments

  • brenty

    Team Member
    edited May 2018

    @Murphdog: I've moved this to the Memberships category since it isn't specific to Windows. Some others have asked for the same thing, and there are a few things I'd like you to consider:

    • 1Password's security isn't based on authentication, but rather, encryption. That's why even a server breach wouldn't expose your data. An attacker who stole the database from us would have only an encrypted blob, and none of the keys to decrypt it; only you have those, and they are never transmitted to us. So, ultimately, two-factor authentication protects account access and authorization, not your actual data. Doing what you ask would give many people a very different impression. Would you be okay with that kind of security theater?
    • 1Password is designed to function offline. If we implement the change you suggest, you would need to be online any time you wanted to access your data. For most users, this is a problem, as they have important stuff stored there — again, encrypted and secure — that they would like to be able to access in situations where they have bad internet or none at all. Would you be okay with giving that up?
    • Even if the above were acceptable/preferable, the fact remains that an attacker would not be thwarted by an always-online, every-time two-factor requirement; they would simply copy the locally cached data and perform an offline attack outside of the app's enforceable powers.

    So while I understand it's counterintuitive at first, there are a lot of downsides and no real upside to the behaviour you're asking about. Most importantly, even without two-factor as an added security measure against someone signing into your account on a new device, they would still need your 128-bit, randomly-generated Secret Key (something you have, which no one else does) and Master Password (something you know, which no one else does) to either sign into your account on any device or decrypt your data. So whether they steal the database from us or one of your devices, they still don't have what they need to decrypt it; and your data is still more secure than if you were using a local vault with WLAN Server. To be completely clear, local vaults are not insecure, but we've taken the security even further with 1Password.com accounts because of what's at stake.

    I know that's a lot to take in, so please let me know if you have any questions at all. It's definitely a fascinating topic. :)

  • Thanks. I can appreciate some of these points. Where I need the 2FA is on work computers and at home. I'm not worried about someone with the sophistication and resources of a nation or state entity brute forcing the database. I'm worried about the garden variety key logger or shoulder surfer. I had been looking at deploying this to my IT staff (besides my own use) and this is the one feature that is missing. It's an extra step that adds a level of protection that a majority of our other apps have already. I guess if there is a want list add my vote for full time 2FA.

  • brenty

    Team Member

    @Murphdog: Fair enough. But malware capturing your account credentials — including the TOTP code — would allow them to just sign in as you anyway; they would not need to brute force anything. Is there a different threat you're trying to protect against? And, again, would you be okay with an "always online" requirement for 1Password, so that it would actually be feasible to require two-factor for each session? That's pretty crucial.

  • I’m worried about anyone getting access to all my eggs that I now have in one basket. I use it for personal and client infrastructure credentials. Maybe something like using a phone for the 2FA where 1PW pushes the 2FA request to the phone and you acknowledge it in the app with TOTP optional. I understand that an always-on internet requirement would be a crutch and may not work out in times of crisis. That can be an issue. I would love to see an offline client that I can use in offline air gapped systems via a flash drive, but that idea got shot down in another thread. I understand my requirements are extreme compared to most users. I love the 1PW GUI and would find it hard to move to another product. I'm just looking for enhanced security.

  • @Murphdog I guess it's the perfect time for you to get a 1Password.com subscription. It has 2FA https://support.1password.com/two-factor-authentication/ :)

  • @Manaburner the subscription does, but it doesn’t ask for it after the first login of the app. That’s my issue/question.

  • @Murphdog I missed that, sorry. Although I'm having trouble understanding how it would be beneficial to you to get asked for a TOTP for every single login every time.
    When you first login to a device and provide the proper TOTP, this device is trusted and you are not asked on that again. That's a fair compromise between comfort and security IMHO.

    I would think LastPass is doing that the same way. At least it was like that the last time I tried it.
    Or are you referring to using some hardware tokens like Yubikey?

  • All good points. LastPass allows a variety of methods. My favorite pushes the 2FA auth to the smart phone app for confirmation. This is for accessing the web and app version. No TOTP needed unless you want it. It does fail my security requirements by having SMS as a back up. Again I’m trying to protect more than the normal user so maybe my requirements are extreme. I hate the LastPass UI and app or I would be using it.

  • Ben AWS Team

    Team Member

    Hi @Murphdog,

    Duo may be more in line with what you're looking for, vs our TOTP solution. Please reach out to our sales team at [email protected] for further information. :)

    Ben

  • Ben-thanks for the information. I started a trial. The only issue I have seen so far is that 1PW only requires the DUO 2FA once a day instead of per login. Any plans to allow per session as an option as opposed to a 24 hour period?

  • brenty

    Team Member

    @Murphdog: We don't currently have plans to do that, as it would require that you be online any time you want to access your 1Password data — and, again, an attacker would not be thwarted by this; they could simply make a copy of the encrypted database and continue offline attacks against it, so this wouldn't protect you the way you seem to think it would. That said, as Ben mentioned earlier, that's exactly the sort of thing the sales team would like to hear about, if you do want an online-only option or other ways to restrict your ability to access your account. Please get in touch with them.

  • Thanks, I will check with them. For anyone reading this thread who has the same needs as me...the teams or business model won't work for you either. The 2FA that 1PW has implemented in the 1PW client allows bypass on the "trusted" machine. It prompts you for the Duo 2FA, but you can ignore it and get full access to the passwords. This makes no sense. I know another user brought this up already and 1 PW defended it. How you can allow 2FA to be bypassed by closing it baffles me.

  • Ok, to be fair to 1 PW, after reading https://discussions.agilebits.com/discussion/89963/teams-duo-desktop-2fa-options-why-only-phone-call-and-push#latest I get why 2FA with the app would not stop an attack. Still not sure why it allows bypass (stopping the unskilled) but I wanted to clarify my earlier complaint.

  • brenty

    Team Member

    I'm glad Rick's explanation helped. To be clear, it isn't really a "bypass" for two-factor authentication, as no authentication is happening locally when you already have the app set up with your account. Otherwise you wouldn't be able to do anything with the app without an internet connection. We'll definitely continue to listen to feedback as it may be that this is something people want enough to make that kind of tradeoff though. Thanks for weighing in! :)

  • dummytree
    edited June 2019

    To be honest I'm a little confused by all of the comments in this thread.

    1. Offline capable: Are you claiming that MFA only functions in online-only scenarios? Fairly confident that offline capable MFA exists (like a security key for example using the FIDO open standard)
    2. Why would you care about per login MFA? Exactly what Murphdog has mentioned, if someone gains access to my laptop (perhaps when I'm not at my desk... finds a way into my desktop with basic user privs, perhaps a linux kernel vuln? Key logger? Video camera? There's so many options here.... Then they can log into 1password. However, implementation of a security key can slow a local attacker down if not prevent them altogether (say I always keep my security key with me despite leaving my laptop behind).

    Murphdog's comments seem fairly valid here, I'm shocked there are no offline capable MFA options used by 1password.

  • brenty

    Team Member

    Offline capable: Are you claiming that MFA only functions in online-only scenarios? Fairly confident that offline capable MFA exists (like a security key for example using the FIDO open standard)

    @dummytree: 1Password's security is encryption-based. Authentication is only involved when communicating with the server. Therefore, in order for you to do second-, multi-, or other-factor authentication, you'd need to have an internet connection. The server cannot respond and even try to authenticate you otherwise. :)

    Why would you care about per login MFA? Exactly what Murphdog has mentioned, if someone gains access to my laptop (perhaps when I'm not at my desk... finds a way into my desktop with basic user privs, perhaps a linux kernel vuln? Key logger? Video camera? There's so many options here.... Then they can log into 1password. However, implementation of a security key can slow a local attacker down if not prevent them altogether (say I always keep my security key with me despite leaving my laptop behind).

    Indeed. If someone has that kind of access to the machine, none of that will help. You're talking about an attacker inside the system, logging keystrokes, etc. Worst case scenario (for them), they can simply capture the data as you access it at that point. Game over. The only winning move is not to play: i.e. don't touch the machine, enter your password, access any sensitive data, etc.

  • "Therefore, in order for you to do second-, multi-, or other-factor authentication, you'd need to have an internet connection. The server cannot respond and even try to authenticate you otherwise."

    What about U2F? The secret is stored on the security key, and previously authenticated app instances would have the public key and can verify that the challenge response was signed by the person with the right private key. I don't see how any of that requires online access. Please let me know if I've made a mistake here but I'm fairly confident that's the whole point behind U2F and its benefit over traditional MFA.

    'Indeed. If someone has that kind of access to the machine, none of that will help. You're talking about an attacker inside the system, logging keystrokes, etc. Worst case scenario (for them), they can simply capture the data as you access it at that point. Game over. The only winning move is not to play: i.e. don't touch the machine, enter your password, access any sensitive data, etc.'

    Not necessarily. Someone could have access to your machine but not have access to your security key. This means even if they couldn't authenticate to 1password. Keylogging is probably a bad example because the attack vector would still be remote access which would be prevented using 1password's current implementation of 2FA. But let's say a sudoers file misconfiguration which allows other users on the same machine to access root privileges still would be unable to access your instance of 1password even if they have recorded your password. There are no server side attacks possible using U2F, and it seems fitting for offline use, so given that 2fa using U2F already exists with 1password it seems unnecessary to prevent users from having the ability to implement this on every login.

    I don't mean any of this in a rude manner... Just really curious here if I have misunderstood something. Pretty sure I haven't.

  • rob Agile Customer Care

    Team Member

    Hey, @dummytree.

    Yes, an offline app could authenticate you with something like U2F, or even TOTP if we really wanted to. The problem is that it would be meaningless. It would be like this:

    Someone from the official security team may want to chime in, but in the meantime, I can say that the piece you're missing is what 1Password can protect when it's offline. When you're offline, the only thing that can be attacked is the data currently saved on your computer, and the only thing protecting that data is encryption. 1Password cannot keep you from accessing the encrypted data. The link Brenty posted is a really good read if you haven't checked it out yet:

    https://support.1password.com/authentication-encryption/

    If 1Password prompted you for your security key when it was offline, it would just be pretending to deny access to data that the attacker can simply copy off your computer. Authentication protects access to the encrypted data, and that's all it does. Once someone has the encrypted data and your Secret Key, they can start guessing at your Master Password and there is no authentication mechanism that can stop them. Note that all of the above is true even if you are online. Multi-factor authentication only protects the access to data being returned from the server. If an attacker gets access to your encrypted data stored on your computer, MFA won't stop them from guessing your Master Password, whether the computer is online or not.

    We prefer to not perform security theater. It does not protect against a real attacker, and so it lulls a user into a false sense of security where they think they are protected from something that they are not.

    Now, it's possible to make a security key part of the encryption process by storing part of your Master Password there. That would be real protection against offline attacks. But that's not authentication and not what we're discussing here.
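    A toy model of the encryption-versus-authentication distinction rob and brenty describe, added here as an illustration (it is not 1Password's code or its actual key-derivation scheme; the two-secret KDF, the HMAC-based stream cipher, the `app_open_vault` gate and every value are constructed for the demo): a local second-factor prompt sits outside the decryption path and cannot change whether a blob on disk decrypts, whereas the Secret Key, and optionally a token-held secret mixed into the key derivation as in rob's last paragraph, actually decide it.

```python
import hashlib
import hmac

KDF_ITERATIONS = 100_000  # constructed demo value, not 1Password's real parameter


def derive_key(master_password: str, secret_key: bytes, salt: bytes,
               hw_secret: bytes = b"") -> bytes:
    """Toy two-secret KDF: a slow hash of the Master Password (something you
    know) XORed with a part derived from the Secret Key (something you have).
    hw_secret models rob's 'part of the key lives on a security key' variant."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, KDF_ITERATIONS, dklen=32)
    sk_part = hmac.new(salt, secret_key + hw_secret, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: HMAC keystream XOR, then a 32-byte HMAC tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Tag is checked first; the only input that decides the outcome is the key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key material: cannot decrypt")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def app_open_vault(blob, master_password, secret_key, salt, second_factor_ok):
    """The app's UI path: a local second-factor prompt in front of decrypt().
    The prompt receives no key material and contributes nothing to the key."""
    if not second_factor_ok:
        raise PermissionError("second factor not presented")
    return decrypt(derive_key(master_password, secret_key, salt), blob)


def _fails(fn) -> bool:
    try:
        fn()
        return False
    except (ValueError, PermissionError):
        return True


def demo() -> dict:
    salt, nonce = b"S" * 16, b"N" * 16  # constructed demo values
    pw, sk, hw = "correct horse battery staple", b"A3-DEMO-SECRET-KEY", b"token-held"
    vault = b"site=example.test user=alice pass=hunter2"
    blob = encrypt(derive_key(pw, sk, salt), nonce, vault)
    blob_hw = encrypt(derive_key(pw, sk, salt, hw), nonce, vault)  # token bound in
    return {
        "via_app": app_open_vault(blob, pw, sk, salt, True) == vault,
        # Gate refused, yet the blob is unchanged and the same key material
        # still decrypts it: a local prompt adds nothing for data on disk.
        "gate_refused": _fails(lambda: app_open_vault(blob, pw, sk, salt, False)),
        "key_alone_suffices": decrypt(derive_key(pw, sk, salt), blob) == vault,
        # Missing either real secret fails without any gate being involved.
        "wrong_password_fails": _fails(lambda: decrypt(derive_key("Tr0ub4dor&3", sk, salt), blob)),
        "missing_secret_key_fails": _fails(lambda: decrypt(derive_key(pw, b"", salt), blob)),
        # With a token-held secret in the KDF, password + Secret Key no longer suffice.
        "hw_bound_needs_token": _fails(lambda: decrypt(derive_key(pw, sk, salt), blob_hw)),
        "hw_bound_with_token": decrypt(derive_key(pw, sk, salt, hw), blob_hw) == vault,
    }
```

    Every entry of `demo()` is True: the prompt can refuse, but nothing about the ciphertext changes, while altering the key inputs is what actually decides the outcome.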

  • @brenty @rob - After reading all the comments I have some additional points to consider and if this is available in enterprise I would pay for it w/ my family and move all my employees to this solution.

    Let's forgo the online vs offline debate above and I'd like to ask why we do not have the ability to select certain vaults that never live on any mobile device or web browser cache or plugin store. This vault would require MFA (to the server) on each access and optionally upon access of each credential within the vault. The vault metadata (user customizable pref) could be sent and cached (i.e. entry name, URI, type, etc), but once the full credential is retrieved MFA would be required. This vault would never be downloaded and every credential would have to be requested one at a time, as needed, from the server and allow for granular control of MFA / logging / etc.

    In a yubikey / separate token combination it also has the desired benefit of limiting the loss of extremely sensitive credentials, in the case of mobile compromise, to those actively requested by that device one at a time and still not stored offline. It would prevent the bulk extraction of credentials to those in vaults that have been cached offline and provide an indicator to the user and security team that something is amiss if they received a massive amount of credential authorization requests to the online-only secure vault.

    Not everyone has offline needs for all of their credentials and the capability to have online-only credentials limited by MFA-per-access would make the most paranoid of us sleep better.

  • Ben AWS Team

    Team Member

    Thanks @wired33. We don't have the ability to offer something like that right now, but perhaps in the future.

    Ben

  • rob Agile Customer Care

    Team Member

    I'm late here, but yes, @wired33, you're correct that online-only vaults would solve these concerns, and we've definitely considered making that an option. As Ben said it's not available right now, but it may be someday.

  • I am evaluating 1Password for my family's needs right now, and I found this thread while trying to figure out why there is no setting to enable periodic 2FA re-authentication. While I understand that as the 1Password team members have stated throughout, the secrets stored in 1Password are secured by encryption and that re-authentication does nothing to improve that, this assumes that the goal of the attacker is exposure of the secrets. I think this is where your thinking is flawed. An attacker may not care what the password is at all - they may just want access to some specific web site that the password is protecting. For this threat, periodic 2FA re-authentication still serves the same purpose as it did in setting up the app in the first place: it is stronger proof that the person asking 1Password to log you into a site right now is the same person who set up the account in the first place.

    While I also agree that some of your customers have use-cases for offline access to data stored in 1Password, I bet that like me, a big part of your customer base primarily wants to use 1Password to store online credentials, and using those obviously requires connectivity anyway. All of these online credentials can be stored in a vault that requires periodic authentication with zero functional loss. For my needs, the lack of this functionality is a huge drawback that will weigh strongly against choosing 1Password as my family's password management solution.

  • brenty

    Team Member

    While I understand that as the 1Password team members have stated throughout, the secrets stored in 1Password are secured by encryption and that re-authentication does nothing to improve that, this assumes that the goal of the attacker is exposure of the secrets. I think this is where your thinking is flawed. An attacker may not care what the password is at all - they may just want access to some specific web site that the password is protecting.

    @jalex000: I don't see where anyone has said that an attacker cares about the password. Of course their goal is to get to whatever the password is protecting, not to know what your password is in the first place; the password is probably (and should be) nonsense anyway. So we have to be realistic.

    Ultimately, it's important to recognize that because the way 1Password works is fundamentally different from nearly any other service you'd need/want to use two-factor authentication for, its function is different as well. Jeff Goldberg, our Chief Defender Against the Dark Arts, gave an excellent overview of this earlier:

    The security value of 2FA

    I can't really say it better than he did, so I'd encourage you to check that out. Cheers! :)

  • The post you have linked provides a good summary of how 2FA enhances typical web service authentication, briefly describes 1Password's use of keys (chosen, generated, and derived), and how that doesn't apply to 1Password's current implementation.

    What is stated in this article is in no way inconsistent with the feature I and others are advocating in this thread. You are all right that enforcing re-authentication does nothing to strengthen the core security strategy. The feature that I want is a defense-in-depth strategy addressing the fact that all sufficiently complex secure systems have flaws that have not yet been discovered, and that some of those flaws may be able to trick 1Password into behaving in a way contrary to its design.

    I (and others) would therefore like the option of choosing to sacrifice convenience in order to gain fault tolerance. Specifically, here's what I would like 1Password to do on my behalf:

    • Allow setting a policy that causes a reset of a 1Password app installation to its pre-authenticated state. This could be done with cloud-only storage of a vault, or by automatically destroying the local replica of a vault. There may certainly be more options that are better aligned with your software architecture.
    • I would like one policy option to be inactivity, i.e. I want devices that haven't been used for a few days to trigger this reset and re-authenticate behavior. Others may want to force periodic wall-clock resets.
    • The fact that your design supports multiple vaults already makes it natural to set a different policy on a per-vault basis, so that allows customers to say which passwords get this auto-destroy handling and which act just like they do now.

  • brenty

    Team Member

    @jalex000: As mentioned both in this discussion and the other I linked to, we try to avoid the security theater of depending on "policy" for 1Password's security (or, rather, the perception of security), or pretending to require authentication when none is needed (i.e. the encrypted data is already on the device).

    To address your specific points:

    Allow setting a policy that causes a reset of a 1Password app installation to its pre-authenticated state. This could be done with cloud-only storage of a vault, or by automatically destroying the local replica of a vault. There may certainly be more options that are better aligned with your software architecture.

    This is fundamentally not how 1Password works, as most people expect to be able to access their important data even without an internet connection. And, since 1Password's security is not dependent on authentication or policy, it is possible for us to offer actual security in 1Password without requiring it to be persistently connected to the server.

    I would like one policy option to be inactivity, i.e. I want devices that haven't been used for a few days to trigger this reset and re-authenticate behavior. Others may want to force periodic wall-clock resets.

    That can be thwarted by an attacker taking the device offline and resetting the date/time. I think you and others would rightly be disappointed if we offered a feature like that, but it could be circumvented in this manner.

    The fact that your design supports multiple vaults already makes it natural to set a different policy on a per-vault basis, so that allows customers to say which passwords get this auto-destroy handling and which act just like they do now.

    Again, there has to be a mechanism to "signal" that this "auto-destroy" must happen. And an attacker will be able to prevent that from happening. If we instead set it up so that 1Password needs to receive a signal not to auto-destroy in order for it to not do so, then we're back to having 1Password require a persistent connection to the server to function, so that the server can enforce this and other policies.

    But we will continue to evaluate feedback from you and everyone else. Perhaps in the future it will make sense to have an "online only" option for 1Password to enable some features like this. Thanks for letting us know your own preferences. :)

This discussion has been closed.