When will 1password prompt for 2fa?

Hi @mh_nerdwallet

2FA does not have the same level of impact for 1Password as it does for other services. The reason being much of the protection that is in place with 1Password relies on encryption, rather than traditional authentication. We talk about how 1Password does authentication a bit differently in this blog post:

1Password is LayerUp-ed with modern authentication

The function of 2FA with 1Password membership accounts is to help protect the device authorization process. Once a device is authorized 2FA is no longer required, unless the device is subsequently deauthorized through the web app, or the browser/app's locally cached copy of the secret is cleared. Essentially 2FA helps prevent a replay attack from authorizing a device. It is not designed to help in the case that someone has access to one of your authorized devices. As such 2FA does not prevent you from accessing locally cached data (e.g. while your device is offline).

There is some additional context in this thread that may be helpful as well. Please let me know if you have any followup questions. :)

Ben

@Rural_Tax_Wonk:

This seems annoying, but also seems far safer?

In reality, it isn't. It might seem like it is adding security, but it really isn't. As my colleague Ben correctly wrote, this is because 1Password is an encryption-based product, not an authentication-based product. And 2FA (as the name 2-Factor Authentication implies) is something that works against the authentication layer of a service.

When you access your 1Password data with your Secret Key and Master Password, you are not authenticating (like you would do when accessing your emails, for example). You are decrypting your data instead. From the point of view of the end user, the two things might look the same (after all, you are using a "password" in both of these cases), but you are actually doing two different things. In other words, when you are decrypting data, you are not proving someone that you are who you say you are: you are instead proving that you know the secrets require to transform gibberish encrypted data to readable decrypted data.

If you are interested in reading some more technical details about this distinction, we have written a documentation page about this, which I think is quite interesting. And be sure to ask us any questions you might have about it, we are always happy to discuss these things.

If someone steals my laptop while operational, they now have access to my 1P account in full. If they don't have my AuthApp or my Yubikeys and 1P locks after a few minutes, the password alone does them no good.

This is directly connected to what I have written in the first part of my post above, but to address your specific example: the "If someone steals my laptop while operational, they now have access to my 1P account in full." part is true. And it is exactly because of this that 2FA would not protect you in this scenario.

If someone has complete physical access to your device, they can get a copy of your encrypted 1Password data as well. As I explained above, if you have the Secret Key and the Master Password, you are able to decrypt your data. Remember, your data is not encrypted by your 2FA authentication codes, so in the scenario you described, having 2FA enabled or disabled for your 1Password account would make no difference.

There are cases where 2FA can help (such as an attacker who somehow got hold of both your Secret Key and Master Password, but not a copy of your data), but in most of the cases, 2FA is security theater when applied to encryption.

One of the reasons we also try to make sure that the role played by 2FA in 1Password is clear, is because we don't want our users to make false assumptions about their security posture, and therefore putting themselves in a more dangerous position.

For example, one thing that we are concerned about is users underestimating the importance of their Master Password if they enable 2FA. It is easy to assume that you can use a shorter and weaker Master Password, if you have 2FA enabled. After all, even if an attacker had somehow managed to get your Master Password, you would still be protected by your 2FA codes, right? But in light of what I wrote above, this is not the case. The security of your 1Password data depends first and foremost on the strength of your Master Password (and Secret Key, of course, but that one is randomly generated, and adds the same amount of entropy to every user, so the real differentiator is the Master Password). Adding an additional authentication layer, and mistakenly trusting that it is adding strength to your encryption, could make you lower the complexity of your Master Password, thus directly impacting the security of your data. So something that you thought would make you more secure has the risk of actually having the opposite effect.

In summary, we prefer to be extremely open in clarifying that 2FA does (and, most importantly, does not do) for 1Password. 2FA is great for your typical online account where encryption is not involved, but its usefulness in encryption-based systems in either null, or much more limited.

===
Daniel
1Password Security Team

@1pwuser31547:

That is certainly an interesting idea. Something quite similar to what you are suggesting (although not exactly the same from an implementation perspective) is already available on 1Password.com through the use of the Secret Key (see the sections on two-secret key derivation in our Security White Paper for some more details).

The way the Secret Key is similar to what you are suggesting is that it strengthens your encryption by adding entropy to your Master Password. However, the Secret Key protects you against a different kind of threat, i.e. if your 1Password data is stolen from our servers, so in that sense it's not exactly the same thing as what you described, since it is not something that is available for local vaults.

Using a keyfile is certainly an interesting idea, but it opens up a few questions: how would you store it? Its contents would have to be considered secret (it would become half of your Master Password after all), so how do you protect that file? You could technically encrypt it, but at that point you are back to square one :P You could store it on a USB drive, although the same concern would apply (do you encrypt the USB drive)? What happens if this keyfile gets lost? You should probably have backups of it, but it becomes an additional burden (and you would have to protect the backups, of course).

I fear this might add more complexity than usefulness, at least for the majority of our user base. Especially since we have a solution available already: you can already use a strong Master Password (despite the inconvenience of having to type it in full every now and then), and use Touch ID / Face ID to make authentication painless the following times. So I think we might already have a good balance between security and usability.

Thanks for the feedback, @1pwuser31547. One of our goals right now is to focus on making 1Password more accessible. While we've made great strides here secure unique passwords are still out of reach for many people who are less technically inclined. I find I have to do a lot of handholding even with my own family and friends. Of course we're always looking at ways we can increase security, but there is a balancing act at play. The security is currently extremely high. As such barring any shifts in the landscape I envision efforts being expended more so on the other side of the scale for the upcoming development cycles.

1Password is the strongest link in the chain in the vast majority of setups where it is deployed.

Ben