Feature Request: 2FA Backup Codes

2»

Comments

  • shyzer
    shyzer
    Community Member

    I would absolutely love a concealable multiline textarea as well for the 10 backup codes most sites generate. I've been saving them as plaintext notes in 1Password for ages, but have always hated how they're readily exposed on screen that way.

    Using a custom password field never works since it's limited to one line.

  • Thanks @shyzer. :)

    Ben

  • christiaanb
    christiaanb
    Community Member
    edited May 2020

    I don't save them, and I'm struggling to find a good reason to do so, but I'm also not going to go out of my way to tell people not to.

    I came here looking for this feature too but then I read Ben's comment above and realised I couldn't find a good reason to save them either. What's the point of saving backup codes in 1Password when 1Password already provides backup of your single-use password?

    So wouldn't 1Password be better off officially advising people that there's no point saving backup codes in 1Password?

    If you're going to save them at all then save them somewhere else so that if you lose all access to 1Password for some reason then they actually come in handy. But it seems to me more secure not to save them at all and just make sure you have everything in place to recover access to 1Password if disaster happens.

  • XIII
    XIII
    Community Member

    Unlikely, but (theoretically) possible scenario:

    If something goes wrong with the clock on the server side the 2FA codes that are generated every 30 seconds might not work.

    A one-time back-up code might still get you in then...

  • If something goes wrong with the clock on the server side you are likely not going to be able to connect at all due to SSL errors, with SSL also being a time sensitive protocol. ;) I think the use case is incredibly slim here, but I'll ask our security team to chime in if they have further thoughts.

    Ben

  • johnnywoz
    johnnywoz
    Community Member

    It is always Murphy's Law that catches us when we least expect it. For example, to prevent data loss we exercise good practices of having data backups to our NAS so we have a duplicate copy of our computer data locally, and then backing up critical data to a removable drive that we keep elsewhere like a friend/relative/banksafe, and then utilizing online storage so we can access to our data on a different device in case our computer goes up in smoke and as well backups to an on-line backup service to have the data off-site in case the house burns down. At least that is what we should be doing being the good techies we are ;-) There will always be that situation that is going to catch us off-guard and unprepared, so the more options the better I say. Which is why I'd like to see a more elegant solution to storing the 2FA backup codes, something is going to fail (likely the website or it's security vendor), and having those codes handy (cause 1P would never fail due to AgileBits having he best programmers around) would make life easier when Murphy comes knocking.

  • @johnnywoz

    I think that the point is backing up the TOTP secret, which is stored in 1Password, effectively backs up your 2FA credentials. The backups codes don't seem to serve a purpose. I'm having trouble picturing a scenario where having the backup codes would be as good or better than having the TOTP secret.

    Ben

  • gadget78
    gadget78
    Community Member
    edited May 2020

    was just browsing this, and realised i to have a few accounts which have these saved numbers in "notes"
    so i thought i would do a little digging to see what these codes are ACTUALLY used for, and why i/we are even saving them!...

    these 10 SETS of SINGLE use codes can ONLY be used ONCE in an emergency to get back in ...
    soooo whats the need for ALL 10 of these ?

    IF there was an extreme case that we needed ONE, then why are we saving 10 (TEN) of them ??
    TWO could be good at a push, just in case you fluff the 1st go maybe?...
    but if one didnt work, nor will the other nine !!
    And i dont see 1pass, its backup, 2FA system, time failure, email reset, then 1st code, and the 2nd code, all to fail one after the other !

    so instead of saving 10, i am just going to save 2 sets, under emergency Code 1, and emergency code 2 under a password field ...
    done... saved, safe, concealed, hidden, tidier, ready :)

    EDIT/PS
    just to add, and answer the OriginalPost why would you NOT backup you 2FA codes as a 2FA under the "one-time password" field ???!!

  • christiaanb
    christiaanb
    Community Member
    edited May 2020

    The only reason I can think of to keep one-use 2FA backup codes is to protect against losing all access to 1Password and your devices. You lose all your devices and 1Password is inaccessible for some strange reason (war, plague, etc.). But even then you still need to save the backup codes somewhere other than 1Password and you need to be able to remember your main password for whatever service you're trying to access, or also have that backed somewhere other than 1Password or any of your devices. 😆

    If you deem access to some online service so important that you would want access even in the event that you lose all your devices and 1Password is completely offline for some reason then maybe you should save a copy of your backup codes and the password for that service on paper and put them in a safe. Even better in a safety deposit box too, so as to guard against fire.

    What I do is assume I will always be able to access 1Password within a reasonable amount of time and keep a printed copy of my emergency kit in a safe in case I lose access to all my devices (this has the added benefit of giving my family access to everything in the event that I die). In the event of a fire, I would hope my mobile phone is safe with me.

  • Lars
    Lars
    1Password Alumni

    @gadget78 - I wouldn't put my backup codes in 1Password's one-time password field, because that's not what they are. The one-time password field is specifically for the actual secret that generates the code; it's not a basic text field.

    Having said that, if people do not enjoy the idea of their most-important sites' 2FA backup codes being stored in viewable plain text in the Notes field of a Login item, you could create ten additional password fields, and store the codes there -- these are obfuscated by default, so even if 1Password is open to that item, you'd need to specifically reveal each backup code in order to be able to see/use it. As to why you need ten of them? I've never really understood that myself, but I don't make the rules. ;)

  • Lars
    Lars
    1Password Alumni

    @christiaanb - don't forget, if you use 1Password in a native app (for Mac, Windows, iOS or Android), then the app will have a local cache of the data you store in 1Password. Even if the entire eastern seaboard were nuked and the Amazon AWS datacenters destroyed, you would still be able to access your 1Password data in the app on your device because of that local cache. This is how you can use 1Password without an internet connection, by the way. So, although you can print your backup codes out, you wouldn't need to do such a thing as a result of losing access to your 1Password data. If you only use 1Password in a browser, this might be important, but not if you use the native 1Password apps.

  • gadget78
    gadget78
    Community Member
    edited May 2020

    @Lars i think you miss understood what i was saying, as i was agreeing with you,
    and trying to also make a point in the differences of a 2FA OTP, and a 2FA TOTP type 'passwords'

    people are saving all 10 (TEN) OTP (one time passwords) which are used as a backup access to accounts when other ways fail,
    (of which these failures wont happen now, as passes saved and not forgotten using 1pass)
    which i was trying to convey is that you would NEVER need to save all TEN !
    is good to save 1, or maybe 2, and like you say would be best to just save these under the 'password' field so they are hidden...

    and in the EDIT/PS i was refering to the 2FA TOTP (time based one time password, derived from a "secret") these secrets would be best to just be saved under the 'one-time password' field as it not only backs it up, but can be useful as would also generate the code too
    (and if its not supported, like Steam derived secrets etc (see other thread!) its still backup up)

    2 distinct differences, that i should of made clearer.....

  • christiaanb
    christiaanb
    Community Member

    @Lars the scenario I was thinking of is where you ‘lose all your devices and 1Password is inaccessible‘

  • Lars
    Lars
    1Password Alumni

    @gadget78 - no worries. Just confirming one of the better strategies for concealing important accounts' backup codes. :)

  • Lars
    Lars
    1Password Alumni

    @christiaanb - if you're in a situation where 1Password is inaccessible online AND you've lost all of your own devices on which you had a 1Password app, I suspect you may have larger problems. ;) But if you're anticipating such a possibility, then yes, printing out or writing down such information could be helpful.

  • christiaanb
    christiaanb
    Community Member

    @Lars exactly. My strategy involves assuming 1Password will always be accessible in a reasonable amount of time and/or I still have one of my devices 👍🏼

    I don’t save the backup codes.

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you for your insight @christiaanb :+1: :)

  • Stevoisiak
    Stevoisiak
    Community Member

    Seconding my support for an option to store backup codes in 1Password.

  • Thanks, @Stevoisiak. :+1:

    Ben

This discussion has been closed.