1Password for Linux 2FA FAQ

Keychain issues

In order for us to store your two-factor authentication token, we need to access the system keychain. On GNOME, this is GNOME Keyring and on KDE, this is KWallet. Since different Linux distributions vary in their desktop environments, there may be cases where 1Password can’t access this system keychain. For example, if you have your account set to log in with biometrics, GNOME Keyring will not automatically unlock your system keychain.

If 1Password tries to interact with the system keychain and finds that it is locked, a system prompt will appear, asking you to unlock the keychain. If you dismiss the prompt, 1Password will only be able to hold onto the 2FA token until the app locks.

If your keychain service isn’t running or has problems, 1Password will fall back to a prompt for 2FA. If you find this happening to you, double-check that you have a keychain service installed and that it is running.

If you have multiple accounts with the same password, 1Password will try to unlock both of them. If both of these accounts have 2FA enabled, and if the keychain isn’t currently available or unlocked, then TOTP prompts for both accounts will appear side by side. Our designs do not yet show which account each prompt is for, so the application can get stuck with a 2FA prompt that cannot be closed. To avoid this, please make sure the system keychain is already unlocked, or unlock it when first prompted to do so after unlocking your account(s).

If you run into any issues around 2FA, please leave a comment on this post so we can help out, or contact support.
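One way to run the checks described above from a terminal, as an added example that is not 1Password's own tooling: it looks for a keychain backend on the session D-Bus, reads the lock state of the default Secret Service collection, and counts `NoDesktopKeyring` lines in the log directory named in a staff reply further down this page. The function names, the `--live` switch and the `org.kde.kwalletd*` name pattern are assumptions; `busctl` ships with systemd.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not 1Password tooling.

# Read D-Bus names (one per line) and report which keychain backends exist.
classify_bus_names() {
    ss=0; kw=0
    while IFS= read -r name; do
        case "$name" in
            org.freedesktop.secrets) ss=1 ;;   # Secret Service (e.g. GNOME Keyring)
            org.kde.kwalletd*)       kw=1 ;;   # KWallet daemon (assumed name pattern)
        esac
    done
    out=""
    if [ "$ss" -eq 1 ]; then out="secret-service"; fi
    if [ "$kw" -eq 1 ]; then out="${out:+$out }kwallet"; fi
    printf '%s\n' "${out:-none}"
}

# Map busctl's rendering of the boolean Locked property to a word.
interpret_locked() {
    case "$1" in
        "b true")  echo locked ;;
        "b false") echo unlocked ;;
        *)         echo unknown ;;
    esac
}

# Count log lines containing the NoDesktopKeyring marker under a directory.
count_keyring_errors() {
    grep -rh -- NoDesktopKeyring "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Live report for the current desktop session (needs systemd's busctl).
keychain_report() {
    names=$(busctl --user list --no-legend 2>/dev/null | awk '{print $1}')
    echo "backends: $(printf '%s\n' "$names" | classify_bus_names)"
    locked=$(busctl --user get-property org.freedesktop.secrets \
        /org/freedesktop/secrets/aliases/default \
        org.freedesktop.Secret.Collection Locked 2>/dev/null)
    echo "default collection: $(interpret_locked "$locked")"
    echo "NoDesktopKeyring lines: $(count_keyring_errors "$HOME/.config/1Password/logs")"
}

if [ "${1:-}" = "--live" ]; then keychain_report; fi
```

A result of `backends: none` or `default collection: locked` corresponds to the situations above in which 1Password falls back to prompting for a 2FA code.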

Snap Issues / Extra setup:

In order for 1Password to store an account’s 2FA token when installed via Snap, an extra permission must be enabled first. This permission allows 1Password for Linux to access the desktop environment’s keychain (GNOME Keyring and KWallet, for example). A reboot may be required after enabling the permission. To do this, please follow the steps below:

Step 1. Open the Snap store and search for 1Password

Step 2. Click on the Permissions button

Step 3. Enable the “Read, add, change, or remove saved passwords” permission. 1Password only interacts with the 2FA tokens that we store in the keychain.
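The same permission can be checked from a terminal, which helps on systems without the Snap store GUI. This is an added example, not part of the original FAQ: it parses `snap connections` output for the `password-manager-service` interface mentioned in the comments below and prints the `snap connect` command only when the plug is disconnected. The snap name `1password`, the plug name, the function names and the `--live` switch are assumptions.

```shell
#!/bin/sh
# Added sketch; the snap name "1password" and plug name are assumptions.

# Read `snap connections <snap>` output on stdin and report the state of the
# password-manager-service interface: connected, disconnected, or absent.
pm_service_state() {
    awk '$1 == "password-manager-service" {
             print ($3 == "-" ? "disconnected" : "connected"); found = 1; exit
         }
         END { if (!found) print "absent" }'
}

# Print the command that grants the permission, only when it is needed.
suggest_fix() {
    case "$1" in
        disconnected) echo "sudo snap connect 1password:password-manager-service" ;;
        connected)    echo "nothing to do" ;;
        *)            echo "interface not declared by this snap" ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    state=$(snap connections 1password 2>/dev/null | pm_service_state)
    echo "password-manager-service: $state"
    suggest_fix "$state"
fi
```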

Comments

  • starfox
    Community Member

    Hi there,
    I am trying out 1Password beta on openSUSE Tumbleweed with KDE (5.20.5), and I cannot get 2FA to work properly - it seems that 1Password is not registering with KWallet, as it does not appear in the list of authorized/connected applications.

    Using the Snap version, even with the password-manager-service permission enabled, 1Password keeps asking for 2FA codes after each restart.

    Using the AppImage version, 1Password rejects all 2FA codes and login is not possible.

    I'm happy to provide additional information if needed. Thanks in advance :-)

  • Hey there @starfox, welcome to the 1Password Community! :smile:

    Thanks so much for writing in with this error - we're able to reproduce it on our end and are digging into it now. We'll make sure to update the thread with our findings. :+1:

  • starfox
    Community Member

    Thanks for the reply @Dayton_ag !
    I have been encountering the same issue with another snap (standard-notes) and it seems to be a common one for KDE/KWallet users. I have started a thread on the snapcraft forum, feel free to comment and relay your findings over there as well :-)

  • @starfox Not a problem! Thanks so much for the additional information, it's very helpful. :smile:

  • Hi, @starfox,

    Thank you again for letting us know that KWallet wasn't working as intended. The ability to use KWallet in pure KDE environments should now be available and fixed in the latest release, 0.9.10. Please let us know if you run into any new issues or if something still isn't working as intended :smile:

  • matija_suklje
    Community Member

    I’m on 8.0.30 and can’t figure out how to connect 1Password with KWallet. Is there a tutorial how to do that?

  • Hey there @matija_suklje, welcome to the 1Password Support Community! 🎉

    No problem, I can definitely help out there! When you've entered your two-factor authentication code, 1Password should automatically call Kwallet to create a new wallet to store that 2FA token. Once Kwallet opens, create a new wallet (you'll be asked to choose between blowfish and GPG encryption), and 1Password will automatically store the token within the new wallet.

    Give that a shot, and if you hit any snags I'll be happy to help you through them. :smile:

  • matija_suklje
    Community Member

    Ah, got it, thanks @Dayton_ag . I haven’t enabled 2FA (yet), but may do so in the coming days.

    What benefits does it bring to use KWallet (or GNOME equivalent, for that matter) as 2FA, if it’s running on the same machine? Does the desktop keyring/wallet keep 1Password session alive, or what?

  • @matija_suklje:

    KWallet works along with your two-factor authentication method (such as your authenticator app or security key) to store the 2FA token securely on the system. When you provide the 1Password app with your authentication token (the 6-digit code generated by your authenticator app), it uses that token to prove to the server that you are authorized to access your data, and sync can take place. By storing that token in KWallet, 1Password can continually reference it to prove to the server that it's been authorized, without requiring you to input a 6-digit code each time sync needs to occur.

  • matija_suklje
    Community Member

    @Dayton_ag, so if I understand correctly – and I apologise for a newbie question – if I use 2FA in practical terms, I have two options:

    1) let’s say the second authentication method of 2FA is FreeOTP+ on my mobile phone. So then whenever I need to enter the master password, I am also asked for the 6-digit code generated by FreeOTP+? Or just when it syncs new data?

    2) if I use KWallet (or similar), it stores the 6-digit code for the whole time the KWallet wallet is open, and does not ask me to re-generate the code e.g. by using FreeOTP+ on my phone (as often).

  • @matija_suklje No problem, I'm always happy to help! :smile:

    1) let’s say the second authentication method of 2FA is FreeOTP+ on my mobile phone. So then whenever I need to enter the master password, I am also asked for the 6-digit code generated by FreeOTP+? Or just when it syncs new data?

    By using this method, you'll be required to enter the 6-digit code from FreeOTP+ each time you unlock 1Password. 1Password can continue to sync data to the server for as long as that session is authenticated, but will require the code again the next time 1Password is fully quit and re-launched (thus ending the authenticated session).

    2) if I use KWallet (or similar), it stores the 6-digit code for the whole time the KWallet wallet is open, and does not ask me to re-generate the code e.g. by using FreeOTP+ on my phone (as often).

    Yep! With the key difference that KWallet doesn't store the 6-digit code itself, but stores the authentication token that proves to the server you authenticated successfully. As long as that token is stored in KWallet, 1Password will not require you to enter the code from FreeOTP+ for the desktop app on that device. This is true even after the authenticated session ends - as long as 1Password can pull that token from the keyring, you won't be required to re-authenticate.

  • matija_suklje
    Community Member
    edited March 2021

    OK, I think I got it now, thanks, @Dayton_ag

    But by using KWallet to store the token, I would still need to enter the master password whenever I want to have a password filled into e.g. a website’s login page?

    Are there any extra steps needed for the KWallet 2FA working with 1Password in Firefox?

  • @matija_suklje

    Yes, your Master Password will still be required in order to unlock 1Password - you can then continue to fill credentials from 1Password as long as 1Password is unlocked.

    Are there any extra steps needed for the KWallet 2FA working with 1Password in Firefox?

    Nope! KWallet is not required to store the token for 1Password in your browser.

  • matija_suklje
    Community Member

    OK, I think I am well equipped with knowledge now. Thank you so much for bearing with me, @Dayton_ag :)

  • @matija_suklje Any time, it's my pleasure! :smile: :+1:

  • ag_Christian
    edited June 2021

    Hey there, @ryan_i_hate_1pwd_co,

    I tried this out for myself with Fedora 33 Workstation and wasn't able to encounter the same issue. My Login keyring was automatically created. This should be getting created by a combination of gnome-keyring and pam on your system. Would you mind trying out one of the steps the GNOME project recommends for checking if this feature is present and supported? You can find them over here. This is the command of interest from the page: grep -rq pam_gnome_keyring.so /etc/pam.* && echo "Have PAM Support".

    However, I did find that you can manually "regenerate" this login keyring and make GNOME think that it's the original one created. Here are the steps I followed, after manually deleting the login keyring that was created automatically for me:

    1. Open up Seahorse and create a new keyring with the exact name of login
    2. Give it the same password that your Linux user account has.
    3. Right click on the keyring in Seahorse and click Set as Default.

    While I have a working gnome-keyring and pam setup on my machine, this regenerated login keyring worked just like the original one and the prompt messaging around it was the same. It even unlocks automatically when you sign into your computer, identical to the keyring that should be automatically generated.

    Please let me know how this goes for you and if I can help more,
    Regards

    EDIT: Your last comment didn't load for me, so I apologize for the seeming re-hash of the "Set as Default" steps. I hope the rest is somewhat useful as well :)

  • stablecat
    Community Member

    Hi, I'm using the 1Password desktop app on Arch Linux (https://aur.archlinux.org/packages/1password/). I am using one account, and it has 2FA set up. When unlocking the app, I am prompted for an OTP, and when I enter the code from my authenticator app, I get a failure message that leads to this thread.
    I use pass as my local keyring/password manager (https://www.passwordstore.org/). Is there a way to integrate 1Password with pass? I'm not sure why my OTP entry is failing, I'm pretty sure it's worked before but I'm not certain.
    Thanks for any help with this.

  • Hi there @stablecat,

    I'm not terribly familiar with pass myself, but what kind of local keyring integrations does it provide? 1Password for Linux attempts to use the KDE Wallet service or the FreeDesktop Secret Service specification over D-Bus to store and retrieve 2FA tokens. If pass doesn't provide either, then it makes sense that nothing would end up stored. If it's worked before in the past, a good place to start would be checking the application logs for the string NoDesktopKeyring to see if 1Password is seeing a possible service integration. You can find the logs in ~/.config/1Password/logs.

    Please let me know how it goes.

  • stablecat
    Community Member
    edited October 2021

    Thanks for the quick response @ag_Christian. pass is just a simple password manager that uses GPG to store secrets.
    If you'd like to see an example of how Docker uses it for credential stores, see: https://github.com/docker/docker-credential-helpers/tree/master/pass
    For the time being I may just disable 2FA for my account (as much as it pains me to do so), I'd rather not install KDE Wallet or GNOME Keyring just for this use case.

  • Hey again, thanks for the clarification,

    I took a look at the Docker credential store code you linked and that seems somewhat reasonable to me. I've opened up an internal issue to discuss if this would be something that we would be interested in implementing as a backend for storage of 2FA tokens.

    I'm sorry to hear that the prompt is being annoying to that level though. We've definitely discussed the tradeoffs of requiring a desktop keyring for caching 2FA tokens, but so far we haven't heard many issues with such. So, thank you for mentioning the issue you were having :chuffed:

  • stablecat
    Community Member

    Thanks for opening an issue for this, regardless of whether it ends up being implemented. :)

  • smgt
    Community Member

    I just added 2fa to 1password using linux and don't have a keyring. How is the issue with pass going?

This discussion has been closed.