U2F/TOTP Questions

vzom
vzom
Community Member

I use 1Password on my Android device. I have fingerprint unlock on my Android. I use the fingerprint to unlock my 1P mobile app as well. I consider this next to essential, due to the amount of times I access 1P on my Android on a given day. If I have to enter my Master Password each time I want to use 1P - which I set up to be as entropic(?) as possible while still being memorable - it will be a nightmare, especially on the tiny keyboard.

With this setup however, if my device is stolen and my fingerprint unlock is compromised, so is my 1P. A good Master Password becomes useless, because I am essentially bypassing it.

Therefore, I was looking at getting a U2F hardware key to help with this. I have several questions though.

  1. It appears to me that to use U2F you must first set up 2FA on an authenticator app (TOTP). Is this still the case?

If the answer to #1 is 'Yes', my authenticator app would also be on my Android. If the Android were stolen and compromised to become unlocked, a malicious actor would have access to the authenticator as well.

  1. I see that if you forget your 2FA, you can log into 1P from an 'authorized' device/browser and turn off 2FA. Does my Android become an authorized device as soon as I log in successfully? Would that mean I don't need to use 2FA on subsequent logins? I would want the U2F key to be used each time for my Android.

  2. Can you require U2F for certain devices only and have others only require the master password? Ideally, my desktop wouldn't require it, as I am not concerned with 2FA on my desktop. The likelihood of it be stolen from my home and the OS password compromised is low. In that event, I am fine relying on the Master Password to protect 1P information.

  3. If I must enable TOTP for U2F, what if I were to use 1P to manage the TOTP? I understand that this may be akin to 'locking the keys to the castle inside of the castle'. It would be useless to actually unlock 1P, but I could then rely on an 'authorized device' to turn off 2FA if I were to ever lose/break my U2F key.

My ideal scenario would be:

  • I continue to use password unlock for 1P rather than the master password on my Android.
  • Unlocking 1P on my Android would require the U2F every time, in the event that it gets stolen and is unlockable by an adversary.
  • I would not need TOTP as a backup for U2F as that would be located on my Android.
  • My desktop (which requires Master Password) would be an authorized device and would not require U2F. I could then turn off 2FA should I lose/break my U2F key.
  1. Is my ideal scenario a possibility?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Lars
    Lars
    1Password Alumni

    Welcome to the forum, @vzom! Thanks for your questions and especially for taking the time to think strategically about your digital security. Let me answer your questions sort of out-of-order, since some will answer other questions as well:

    I see that if you forget your 2FA, you can log into 1P from an 'authorized' device/browser and turn off 2FA. Does my Android become an authorized device as soon as I log in successfully?

    Yes. All 1Password apps do, and you can use any (signed-in) app to turn off 2FA for your 1password.com account.

    Would that mean I don't need to use 2FA on subsequent logins? I would want the U2F key to be used each time for my Android.

    We only require 2FA (whether TOTP or hardware key) the first time you sign into your 1password.com account from any device where you haven't previously signed in. Why? Because the initial session (after authentication), the 1Password app on your device will download a copy of your entire encrypted 1Password database from the server, and it is that local cache you'll be working with from that point forward. Sync changes will be made (both ways), but that local cache of data is always present. This is how you can access your 1Password data even without an internet connection, such as when in airplane mode or out of reach of a wi-fi or wireless network.

    My ideal scenario would be [...] Unlocking 1P on my Android would require the U2F every time, in the event that it gets stolen and is unlockable by an adversary.

    I hope you see how the above answer affects this: with a local cache of your data present, no authentication (two-factor or otherwise) is even possible, let alone beneficial. 1Password's security, on your device, rests on encryption, not authentication. In fact, this is just as it has always been with 1Password, from the very beginning. Theft or loss of a device is literally one of the scenarios 1Password is designed to defend against. It's also why there is no substitute for a good Master Password: because that's what protects your data from prying eyes if your device falls into unfriendly hands. Even if an attacker obtains your device, they cannot unlock 1Password without your Master Password.

    It appears to me that to use U2F you must first set up 2FA on an authenticator app (TOTP). Is this still the case?

    Yes. This is because not all 1Password apps currently support hardware key ONLY, and so the authenticator app must be the first step in setup. It may be in the future that we're able to offer hardware key-only 2FA for 1password.com accounts, but I don't have any information to share on how quickly you might see such a thing.

  • vzom
    vzom
    Community Member

    Thank you very much for the detailed reply, @Lars. It looks like a U2F token would not be useful for what I was hoping to achieve.

    In that case, I think I will - albeit regretfully - turn off the fingerprint access to 1P on my Android. This will probably lessen the use of 1P on my Andorid, because what makes a good Master Password also makes it a PITA to enter on my phone's keyboard. :p Better to be safe than sorry, however.

    While I won't opt for purchasing a U2F for this purpose, I will set up 2FA for 1P using the authenticator app on my Android, to be used as a second factor for any new devices.

  • ag_ana
    ag_ana
    1Password Alumni

    @vzom:

    This will probably lessen the use of 1P on my Andorid, because what makes a good Master Password also makes it a PITA to enter on my phone's keyboard. :p Better to be safe than sorry, however.

    Using a word-based password should make entering your Master Password easier, especially on a mobile device, while still being random ;)

    How to choose a good Master Password

    While I won't opt for purchasing a U2F for this purpose, I will set up 2FA for 1P using the authenticator app on my Android, to be used as a second factor for any new devices.

    Understood! :+1:

This discussion has been closed.