MFA after first login

We have 1Password for Business, we enabled MFA for our teams and this worked on the first login but after this I cannot get the prompt to be enabled. Is there any way to get MFA to prompt maybe once a day at least? Surely having MFA only prompting at the setup phase and never after isn't great?

We don't want to use Duo as we've moved away from them.

Comments

  • john_m
    1Password Alumni

    Hi @OllieV27! 1Password is an encryption-based product, not an authentication-based product; when you "sign in" to 1Password using your Master Password (and Secret Key on your device), you're not authenticating to 1Password in the way you would to a traditional service like Google or Amazon. Instead, the credentials you provide are used to form an encryption keyset, that is either able to locally decrypt data on your device, or it is not. As such, there isn't generally an authentication step in 1Password's security model.

    When you enable our native two-factor authentication system, this adds an additional authentication step to the sign-in process between the 1Password client and our live service; the challenge is only presented after a valid encryption keyset has already been created. Upon first sign-in to a membership from an unauthorised device, an authentication challenge is shown. If that authentication challenge is successfully passed, then the device is added as an "authorized device" for that user, and the Secret Key for that user is stored in the client. Subsequent sign-ins from that authorised device for that user do not present the authentication challenge; the user must still provide a valid Master Password (a secret that is known only to them and never transmitted).

    I hope that helps to clear things up; let me know if you have any other questions
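
Added example, not part of john_m's reply and not 1Password's code: a simplified Python model of the flow described above, in which a locally derived keyset either unlocks the data or does not, and the second-factor challenge appears only on first sign-in from a device that is not yet authorized. The derivation (PBKDF2 plus HMAC), the `Vault` and `Service` classes, the `keyset_ok` flag standing in for the server's check of the keyset, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def derive_keyset(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    # Both secrets are combined on the device; neither one is transmitted.
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()

class Vault:
    # Stand-in for encrypted data: an HMAC tag plays the role of an AEAD tag.
    def __init__(self, key: bytes, blob: bytes):
        self.blob = blob
        self.tag = hmac.new(key, blob, hashlib.sha256).digest()

    def unlocks_with(self, key: bytes) -> bool:
        expected = hmac.new(key, self.blob, hashlib.sha256).digest()
        return hmac.compare_digest(self.tag, expected)

class Service:
    # Hypothetical server side: remembers (user, device) pairs that passed 2FA.
    def __init__(self):
        self.authorized = set()

    def sign_in(self, user, device, keyset_ok, second_factor_ok=None):
        if not keyset_ok:
            return "rejected"            # no valid keyset, so no challenge is reached
        if (user, device) in self.authorized:
            return "signed-in"           # authorized device: challenge is skipped
        if second_factor_ok is None:
            return "challenge"           # first sign-in from this device
        if second_factor_ok:
            self.authorized.add((user, device))
            return "signed-in"
        return "rejected"

def demo():
    salt, secret_key = b"constructed-salt", b"CONSTRUCTED-SECRET-KEY"  # sample values
    good = derive_keyset("correct horse", secret_key, salt)
    bad = derive_keyset("wrong guess", secret_key, salt)
    vault, svc = Vault(good, b"vault items"), Service()
    return [
        vault.unlocks_with(bad),                                         # False
        svc.sign_in("ollie", "laptop", vault.unlocks_with(good)),        # challenge
        svc.sign_in("ollie", "laptop", vault.unlocks_with(good), True),  # signed-in
        svc.sign_in("ollie", "laptop", vault.unlocks_with(good)),        # signed-in
        svc.sign_in("ollie", "phone", vault.unlocks_with(good)),         # challenge
    ]

if __name__ == "__main__":
    print(demo())
```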

  • OllieV27
    Community Member

    Hi John,

    Thanks for coming back to me so quickly, and that all makes sense. We were using Duo before, which used to prompt each day/session, but as we cannot use that anymore we have switched to standard MFA. Do you know why Duo would offer the option of prompting for MFA every day/session if the choice and opinion from 1Password was that you don't need to do that?

    Are they just offering a nice to have feature for the end user or something as opposed to it actually increasing security?

    Thanks,

  • john_m
    1Password Alumni

    You're very welcome, @OllieV27! Duo is a third-party organisation, and I wouldn't presume to speak for them or their design goals and objectives... but just speaking personally, I would say that Duo is a generalised third-party two-factor authentication service, which can be used with a wide variety of services and platforms. Many of those services and platforms may be authentication based, and thus could indeed greatly benefit from a two-factor authentication service like Duo prompting for authentication on a frequent basis. 1Password isn't like most services out there - 1Password is encryption based, and so the use cases for traditional two-factor authentication when it comes to 1Password are very different than they would be for an authentication-based service.

    I hope that makes sense - like I say, that's just how I see things! Let me know if you have any other questions, or if there's anything else I can do for you

This discussion has been closed.