Can use 1Password without having to enter two factor Key with YubiKey

mshepard75
Community Member

I have a YubiKey 5 NFC that I have configured by turning on 2 Factor authentication with my 1Password account. On my phone it only asks once for the two factor in order to access. On my Mac desktop it is asking for it; however, it opens anyway with full use. So it appears that, although 2 Factor is enabled plus set up, it simply isn't forcing 2 Factor before giving access to 1Password, which renders 2 Factor useless.


1Password Version: 7.6
Extension Version: Not Provided
OS Version: OS Catalina 10.15.6
Sync Type: iCloud

Comments

  • mshepard75
    Community Member

    To clarify: on iPhone it asked only once, and from then on it never asked again. On Mac it asks for it, but I simply can move the two-factor request screen to the side, and use 1Password as if it didn't require the authentication.

  • Ben

    Hi @mshepard75

    I can appreciate the concern; however, it sounds as though this is working as designed. Please allow me to explain. 2FA serves a different role with 1Password than it does with traditional authentication-based services, because 1Password's security is encryption-based.

    Authentication and encryption in the 1Password security model

    The function of 2FA with 1Password membership accounts is to help protect the device authorization process. Once a device is authorized, 2FA is no longer required, unless the device is subsequently deauthorized through the web app, or the browser/app's locally cached copy of the secret is cleared. Essentially, 2FA helps prevent a replay attack from authorizing a device. It is not designed to help in the case that someone has access to one of your authorized devices. As such, 2FA does not prevent you from accessing locally cached data (e.g. while your device is offline). This is what you're seeing when you say "On Mac it asks for it, but I simply can move the two-factor request screen to the side, and use 1Password as if it didn't require the authentication." — You're accessing the offline cache. Without authenticating with 2FA you're not able to download changes from the server, but you can access what has already been downloaded.

    Changing this so as to require the 2FA authentication to happen on every unlock would require giving up offline access, which is one of the core functions of 1Password and part of our foundational design. And then there is some question as to the actual protection that these sorts of changes would provide compared with the perception of protection, i.e. "security theater."

    The Security Key is your best protection against someone who doesn't have access to one of your devices, and your Master Password is your best protection against someone who does.

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben
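The split described in the reply above, as an added example that is not part of the original thread and is not 1Password's code: a simplified model in which the local cache opens with a password-derived key alone, while the second factor is checked only by a sync server when a device is authorized. The `Server` class, the device name, the passwords and the PBKDF2 plus HMAC-keystream construction are all assumptions standing in for the real design.

```python
import hashlib, hmac, os

def derive_keys(master_password, salt):
    # Stand-in KDF (assumption); the product's real key derivation is not shown on this page.
    k = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]  # (encryption key, MAC key)

def _stream(enc_key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream: a stdlib stand-in for a real AEAD cipher.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(master_password, plaintext):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt, nonce, ct, tag

def unlock(master_password, blob):
    """Offline unlock: only the password-derived key is checked; no server, no 2FA."""
    salt, nonce, ct, tag = blob
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc_key, nonce, len(ct))))

class Server:
    """Hypothetical sync service: the second factor is checked when a device is authorized."""
    def __init__(self, blob):
        self.blob, self.authorized = blob, set()
    def authorize(self, device_id, second_factor_ok):
        if not second_factor_ok:
            raise PermissionError("second factor required to authorize device")
        self.authorized.add(device_id)
    def download(self, device_id):
        if device_id not in self.authorized:
            raise PermissionError("device not authorized")
        return self.blob

def demo():
    cache = seal("constructed-master-pw", b"item v1")   # constructed data already on the Mac
    server = Server(seal("constructed-master-pw", b"item v2"))
    cached = unlock("constructed-master-pw", cache)     # works with the 2FA prompt ignored
    try:
        server.download("mac")                          # syncing is the step 2FA gates
        synced = True
    except PermissionError:
        synced = False
    return cached, synced
```
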

This discussion has been closed.