When will 1password prompt for 2fa?

Hey 1password team - we are looking at requiring 2fa for our business account. For browser-based, chrome extension, and Mac-based apps, how often is there a 2fa prompt and what are some of the criteria used for 2fa enforcement?

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Ben, AWS Team

    Team Member
    edited November 2019

    Hi @mh_nerdwallet

    2FA does not have the same level of impact for 1Password as it does for other services. The reason being much of the protection that is in place with 1Password relies on encryption, rather than traditional authentication. We talk about how 1Password does authentication a bit differently in this blog post:

    1Password is LayerUp-ed with modern authentication

    The function of 2FA with 1Password membership accounts is to help protect the device authorization process. Once a device is authorized 2FA is no longer required, unless the device is subsequently deauthorized through the web app, or the browser/app's locally cached copy of the secret is cleared. Essentially 2FA helps prevent a replay attack from authorizing a device. It is not designed to help in the case that someone has access to one of your authorized devices. As such 2FA does not prevent you from accessing locally cached data (e.g. while your device is offline).

    There is some additional context in this thread that may be helpful as well. Please let me know if you have any followup questions. :)

    Ben

  • I hate to bump an older thread (no...really....I do!!), however this speaks to the very thing I'm concerned about.

    You say:
    It is not designed to help in the case that someone has access to one of your authorized devices. As such 2FA does not prevent you from accessing locally cached data (e.g. while your device is offline).

    But isn't that one of the very threats that 2FA was designed for...? If someone steals my laptop while operational, they now have access to my 1P account in full. If they don't have my AuthApp or my Yubikeys and 1P locks after a few minutes, the password alone does them no good.

    I know that in the case of LP it re-requires 2FA each unlock or login. This seems annoying, but also seems far safer?

  • DanielP

    Team Member

    @Rural_Tax_Wonk:

    This seems annoying, but also seems far safer?

    In reality, it isn't. It might seem like it is adding security, but it really isn't. As my colleague Ben correctly wrote, this is because 1Password is an encryption-based product, not an authentication-based product. And 2FA (as the name 2-Factor Authentication implies) is something that works against the authentication layer of a service.

    When you access your 1Password data with your Secret Key and Master Password, you are not authenticating (like you would do when accessing your emails, for example). You are decrypting your data instead. From the point of view of the end user, the two things might look the same (after all, you are using a "password" in both of these cases), but you are actually doing two different things. In other words, when you are decrypting data, you are not proving to someone that you are who you say you are: you are instead proving that you know the secrets required to transform gibberish encrypted data into readable decrypted data.

    If you are interested in reading some more technical details about this distinction, we have written a documentation page about this, which I think is quite interesting. And be sure to ask us any questions you might have about it, we are always happy to discuss these things.

    If someone steals my laptop while operational, they now have access to my 1P account in full. If they don't have my AuthApp or my Yubikeys and 1P locks after a few minutes, the password alone does them no good.

    This is directly connected to what I have written in the first part of my post above, but to address your specific example: the "If someone steals my laptop while operational, they now have access to my 1P account in full." part is true. And it is exactly because of this that 2FA would not protect you in this scenario.

    If someone has complete physical access to your device, they can get a copy of your encrypted 1Password data as well. As I explained above, if you have the Secret Key and the Master Password, you are able to decrypt your data. Remember, your data is not encrypted by your 2FA authentication codes, so in the scenario you described, having 2FA enabled or disabled for your 1Password account would make no difference.

    There are cases where 2FA can help (such as an attacker who somehow got hold of both your Secret Key and Master Password, but not a copy of your data), but in most of the cases, 2FA is security theater when applied to encryption.

    One of the reasons we also try to make sure that the role played by 2FA in 1Password is clear is that we don't want our users to make false assumptions about their security posture, and therefore put themselves in a more dangerous position.

    For example, one thing that we are concerned about is users underestimating the importance of their Master Password if they enable 2FA. It is easy to assume that you can use a shorter and weaker Master Password, if you have 2FA enabled. After all, even if an attacker had somehow managed to get your Master Password, you would still be protected by your 2FA codes, right? But in light of what I wrote above, this is not the case. The security of your 1Password data depends first and foremost on the strength of your Master Password (and Secret Key, of course, but that one is randomly generated, and adds the same amount of entropy to every user, so the real differentiator is the Master Password). Adding an additional authentication layer, and mistakenly trusting that it is adding strength to your encryption, could make you lower the complexity of your Master Password, thus directly impacting the security of your data. So something that you thought would make you more secure has the risk of actually having the opposite effect.

    In summary, we prefer to be extremely open in clarifying what 2FA does (and, most importantly, does not do) for 1Password. 2FA is great for your typical online account where encryption is not involved, but its usefulness in encryption-based systems is either null, or much more limited.

    ===
    Daniel
    1Password Security Team

  • Hi Daniel.
    I'd like to see 2FE (two factor encryption 8-) by incorporating a keyfile in addition to the MP for encrypting local (Primary) vaults.
    Has anyone discussed this recently?
    I've seen old threads on this but nothing recently.
    I understand KeePass has this option.
    With you being on the security team, I'd be interested in your opinion on this.

    Everyone wants a long, strong random password but no one wants to remember it or type it out. (I guess a static password incorporated on a Yubikey would sort of do the trick but wouldn't technically be 2 factor.)

    So an easy to remember and type password combined with a keyfile for encryption would be a really cool option, IMHO- simultaneous great convenience and security.

    Thanks.

  • DanielP

    Team Member

    @1pwuser31547:

    That is certainly an interesting idea. Something quite similar to what you are suggesting (although not exactly the same from an implementation perspective) is already available on 1Password.com through the use of the Secret Key (see the sections on two-secret key derivation in our Security White Paper for some more details).

    The way the Secret Key is similar to what you are suggesting is that it strengthens your encryption by adding entropy to your Master Password. However, the Secret Key protects you against a different kind of threat, i.e. if your 1Password data is stolen from our servers, so in that sense it's not exactly the same thing as what you described, since it is not something that is available for local vaults.

    Using a keyfile is certainly an interesting idea, but it opens up a few questions: how would you store it? Its contents would have to be considered secret (it would become half of your Master Password, after all), so how do you protect that file? You could technically encrypt it, but at that point you are back to square one :P You could store it on a USB drive, although the same concern would apply (do you encrypt the USB drive?). What happens if this keyfile gets lost? You should probably have backups of it, but it becomes an additional burden (and you would have to protect the backups, of course).

    I fear this might add more complexity than usefulness, at least for the majority of our user base. Especially since we have a solution available already: you can already use a strong Master Password (despite the inconvenience of having to type it in full every now and then), and use Touch ID / Face ID to make authentication painless the following times. So I think we might already have a good balance between security and usability.
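    The two points Daniel makes above, that a 2FA code never enters the key derivation and that the Secret Key adds entropy to the Master Password against a different threat (stolen server data rather than a stolen device), are easier to see in code. The following is an added illustration written for this thread; it is not 1Password's code, algorithm or parameters, and its two-secret derivation (PBKDF2 on the password XORed with an HKDF output of the Secret Key) is a simplified stand-in for what the white paper describes. The salt, Secret Key, passwords and "wordlist" are constructed demo values, and the PBKDF2 iteration count is deliberately tiny so the example runs instantly. It also covers the Yubikey static-password idea raised further down, since a second high-entropy secret typed into the derivation behaves exactly like the Secret Key here.

```python
import hashlib
import hmac

# Added illustration for this thread, not 1Password's real algorithm or parameters.
# Idea: the key that decrypts the vault is derived from TWO secrets, the Master
# Password (memorised, often weak) and a Secret Key (random, stored on the
# device). A 2FA code never enters the derivation, so it cannot protect data an
# attacker already holds a copy of.

ITERATIONS = 1_000  # far too low for real use; kept small so the demo runs in well under a second

# Constructed demo values. A real Secret Key is random; a real salt is random per account.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SECRET_KEY = "A3-EXAMPLE-SECRET-KEY-NOT-REAL"
WEAK_PASSWORD = "sunshine"
STRONG_PASSWORD = "correct horse battery staple 7!"  # not in the wordlist below
# A tiny constructed "wordlist" standing in for an attacker's dictionary.
WORDLIST = ["password", "123456", "qwerty", "letmein", "sunshine", "dragon"]


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) over HMAC-SHA256, stdlib only."""
    prk = hmac.new(salt, ikm, "sha256").digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), "sha256").digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Two-secret derivation: slow PBKDF2 on the password, XORed with an HKDF
    output of the Secret Key. Lose either input and the result is useless."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, 32)
    sk_key = hkdf_sha256(secret_key.encode(), salt, b"vault-key", 32)
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def key_verifier(vault_key: bytes) -> bytes:
    """Value stored next to the encrypted data so a client can tell a right key
    from a wrong one. It is also exactly what an offline attacker tests against."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def totp_gate(submitted_code: str, expected_code: str) -> bool:
    """The authentication layer 2FA lives in. Note that nothing below calls it:
    it gates device authorization against the server, not local decryption."""
    return hmac.compare_digest(submitted_code, expected_code)


def offline_guess(wordlist, secret_key: str, salt: bytes, verifier: bytes):
    """Attacker holding a copy of the data (and whatever Secret Key they have)
    tries Master Password candidates. No server, no TOTP, nothing to rate-limit."""
    for candidate in wordlist:
        guess = key_verifier(derive_vault_key(candidate, secret_key, salt))
        if hmac.compare_digest(guess, verifier):
            return candidate
    return None


def demo() -> dict:
    """Three scenarios from the thread; returns which password (if any) was cracked."""
    weak_verifier = key_verifier(derive_vault_key(WEAK_PASSWORD, SECRET_KEY, SALT))
    strong_verifier = key_verifier(derive_vault_key(STRONG_PASSWORD, SECRET_KEY, SALT))
    return {
        # Stolen laptop: attacker has the data AND the Secret Key. Weak password falls; 2FA never asked.
        "laptop_weak_pw": offline_guess(WORDLIST, SECRET_KEY, SALT, weak_verifier),
        # Same laptop, strong Master Password: the wordlist fails; the password is the differentiator.
        "laptop_strong_pw": offline_guess(WORDLIST, SECRET_KEY, SALT, strong_verifier),
        # Server breach: attacker has the data but not the Secret Key. Even the weak password survives.
        "server_breach_weak_pw": offline_guess(WORDLIST, "", SALT, weak_verifier),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {'cracked ' + repr(result) if result else 'not cracked'}")
```

    Running it shows the asymmetry Daniel describes: with the device (and so the Secret Key) in hand, only the strength of the Master Password stands between the attacker and the data, and `totp_gate` is never consulted; without the Secret Key, even a dictionary-word Master Password is not recoverable from the stolen blob, because the attacker would also have to guess the random Secret Key.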

  • OK, I see your point.

    Maybe you could consider having 2 password entry fields. The first would be for the MP. The second one could be for a static password-something long and complex with high entropy akin to the Secret Key for accounts.
    This would strengthen encryption for local data like the Secret Key does for accounts.
    One could put this on a Yubikey and have it auto-typed by the Yubikey.
    Users could opt in to fill that 2nd password field or leave it blank.
    You guys already support Yubikey for U2F. So it wouldn't be much of a stretch for users to employ its static password function.
    This set up could still be advertised as "1 Password" since this 2nd password field could be totally optional (left blank) and of course not needed to be memorized due to its storage on the Yubikey.
    You would be encouraged to save and secure a (printed) copy of the 2nd PW as you do the Secret Key in the Emergency Kit for accounts.

    You could do all this in the current one password entry field but having 2 entry fields would make it technically easier to use (you could easily see where the cursor is located etc). Additionally it would remind interested users of this “advanced” option.

    Thanks for listening.

  • Ben, AWS Team

    Team Member
    edited January 25

    Thanks for the feedback, @1pwuser31547. One of our goals right now is to focus on making 1Password more accessible. While we've made great strides here, secure unique passwords are still out of reach for many people who are less technically inclined. I find I have to do a lot of handholding even with my own family and friends. Of course we're always looking at ways we can increase security, but there is a balancing act at play. The security is currently extremely high. As such, barring any shifts in the landscape, I envision efforts being expended more so on the other side of the scale for the upcoming development cycles.

    1Password is the strongest link in the chain in the vast majority of setups where it is deployed.

    Ben

  • Hi Ben.
    Thanks for your reply.
    I understand what you’re saying.

    In my opinion one of the main things that makes 1PW unique versus other password managers is this Secret key used for 2 secret key derivation for online accounts (which I also use in addition to local vaults).

    If you could extend that concept to local vaults that would be another security advantage over other password managers that support locally synced data.

    I know of no other major password manager that can offer any solution to strengthening encryption on one’s device beyond having a strong master password, which as you note is a concept and practice with which many users struggle.

    Thanks again for listening.

This discussion has been closed.