2FA, should I use it? Authy is my 2FA of choice, any advice?

kram5819
kram5819
Community Member
edited April 2021 in Android

Hello Everyone,
I've been using Google two-step authentication for years; for the past two years I've switched over to Authy from Google Authenticator because I like the auto-backup feature that Authy has, and not having to re-scan any codes if I get a new device.

I've never had an issue. So far I've never locked myself out of any account. If I have an issue, I wonder how the heck I would get into my 1Password account.

I am debating whether or not to continue to use two-step authentication for my 1Password account, or turn it off due to the fear of possibly getting locked out. I have a very strong Master Password. I am new to using 1Password and I'm still trying to figure out the 2FA code-generating option that is offered. It is the feature below. I am a bit confused by it and don't think I will use it.

**When setting up two-factor authentication, you’ll be provided with a TOTP secret that you can store in an authenticator app of your choosing.**

Looking at it makes me not want to use it, because if somebody ever got into my 1Password account I don't want them to have the codes generated automatically. I would want them to have to log into Authy, which they wouldn't be able to because they wouldn't know the Authy password, to be able to get into my accounts.

Bitwarden has two features I really would like to see 1Password offer: I can have an email sent to me with a 6-digit code to get into my account as a 2FA method, or I can use a two-step authentication code from the authenticator I have set up.

I find that handy because if Authy ever failed, I would be able to log in with my e-mail address sending me a login code. I wonder if 1Password might consider doing something similar.

And the other neat feature is the ability to log into your vault with your password if you choose, or a PIN that you can set up.

I wonder if 1Password might consider that as well.

I wonder what your thoughts are on using two-step authentication with 1Password.

Do you use it? If so, why? And if not, why not?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:2fa problem


Comments

  • [Deleted User]
    [Deleted User]
    Community Member

    @kram5819 1Password's 2FA protects you against the extreme case that an attacker knows your Secret Key and Master Password, but doesn't yet have a copy of your password database. It is a worthwhile extra security measure, but not essential to securing your 1Password account.

    I use Authy because it is convenient and secure. To avoid being locked out, enable backups and install Authy on at least two devices. When you have added all your devices turn-off "Multi-device" to prevent someone else adding devices.

    Be sure to choose a strong "backups password". It is the most important part of your Authy account security as it is used to encrypt your 2FA tokens. You will need it whenever you need to add a new device or recover your Authy account. So I store it with my 1Password Emergency Kit.

  • kram5819
    kram5819
    Community Member

    Use Authy because it is convenient and secure. To avoid being locked out, enable backups and install Authy on at least two devices. When you have added all your devices turn-off "Multi-device" to prevent someone else adding devices. <<< **Yup, I did that too 8-)**

    Since I have Authy already set up, is it possible to set up 1Password's 2FA as well? I don't want to have to re-scan codes again.

    Will I be able to use either 1Password's or Authy's 2FA to get in, and just pick which one I want, and have an extra layer in case one 2FA malfunctions? Or will I not be able to use both Authy and 1Password?

    Will I be able to use either of their 2FA methods to get in, as well as offering both, and just pick which one I want and have an extra layer in case one goes bad? Or will I not be able to use Authy if I use 1Password?

  • kram5819
    kram5819
    Community Member

    Since I have Authy already set up, is it possible to set up 1Password's 2FA as well? I don't want to have to re-scan codes again. <<<< What I meant by that is: if I decide to use the 2FA that 1Password uses, will I have to remove Authy and re-scan it to make it work again? If so, I don't want to do that. Authy is working flawlessly right now; I've never had a problem. I just don't want to have a problem. There has to be a better way to get into my account if I ever did.

  • [Deleted User]
    [Deleted User]
    Community Member

    @kram5819 I understand where you're coming from. That's part of the reason my 2FA tokens are still in Authy rather than 1Password.

    Unfortunately you cannot export 2FA secrets from Authy. So if the website/service concerned will not allow you to reveal the existing 2FA secret (most don't) then the only way to have 2FA secrets in Authy and 1Password is to reset them all.

    A half-way house is to leave the 2FA secrets in Authy and store the recovery codes, backup codes, etc in 1Password. Not as convenient, but it gives you additional options.

  • kram5819
    kram5819
    Community Member

    I am on 1Password version 1.24.0

  • @kram5819 In reading your original post, it looks like you may be discussing two different ways 1Password supports 2FA. Let me explain.

    First, you can use 1Password as an authenticator so that it generates one-time passwords for other sites. So you can use 1Password in place of or alongside Authy in the same way you currently use Authy.

    Second, you can turn 2FA on for your 1Password account itself. This means that you need to enter your Master Password, Secret Key, and the 2FA code when signing into the account from a new device. Just like the Secret Key, the second factor is only necessary when signing in from a new device or when signing in again after deauthorizing a device.

    If you lose access to your authenticator app, you'll need to turn off 2FA from an authorized device.

  • kram5819
    kram5819
    Community Member

    If I can use both, can you send me a link so that I can figure out how to set up the 1Password authenticator?

    It's something I'll consider. I just don't ever want to get locked out of my account, and I've never had a problem with Authy in the two years I've used it.

  • kram5819
    kram5819
    Community Member

    peri,

    The information you gave me I don't think will work with a Chromebook.

  • @kram5819 Those steps will indeed work on a Chromebook. However, there are two ways you could be using 1Password on a Chromebook. You can install both 1Password for Android and our browser extension on your Chromebook. If you're using the Android app, you'll follow the steps for Android in that guide. If you're using 1Password in your browser, follow the steps under the "To save your QR code using 1Password in your browser" section.

  • kram5819
    kram5819
    Community Member

    Thank you. I do have 1Password for Android and the browser extension on my Chromebook, so we'll see how it works.

    I just hope I never have issues with Authy 2FA << so far 2 years and not 1 issue, so we'll see. I am still a bit confused on how I can use 1Password as an authenticator. I may skip it because I am familiar with Authy and love it...
    Thanks!

  • I hear you, @kram5819. Authy is a great authenticator. One benefit of using 1Password as your authenticator is that it can fill your one-time passwords as well as your usernames and passwords, so it's a streamlined process. But if you're already using Authy and happy with it, that's certainly fine, too!

  • kram5819
    kram5819
    Community Member

    I appreciate your comment.
    What would happen if Authy ever failed and I couldn't get into my 1Password account?

    It's never happened to me in the two years I've used Authy, but there's always that first time.

    But I definitely want to keep 2FA going because there are just too many crooks out there.

    I wish that 1Password would offer a secure second step to get in and bypass 2FA if that situation ever happens.

  • [Deleted User]
    [Deleted User]
    Community Member

    @kram5819 Remember that with 1Password you only need 2FA when authorising a new device. If you lose access to Authy, but still have access to one of your existing 1Password devices then you can disable 2FA from there. If you still have access to the email account you use for 1Password then the 1Password team can disable 2FA for you after making you jump through some security hoops.

    To reduce the risk of losing access to Authy, you should install it on more than one device and keep a record of your "backups password". They have versions of the app for desktops as well as mobiles.

    If you are concerned about Authy as a service being unavailable then you can disable 2FA on 1password.com, delete the 1Password 2FA token from Authy and set it up again while also doing one or more of the following:

    1. Scan the QR code with an authenticator app which stores them offline, like Yubico Authenticator;
    2. Scan the QR code with an authenticator app on a second device, e.g. an old phone or a friend's device;
    3. Print or save the QR code for scanning later when you need to recover;
    4. Print or save the manual entry long term secret for entering later when you need to recover.
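    Options 3 and 4 above (and the original poster's worry that anyone holding the 1Password account could "have the automatic codes generated") come down to one fact: the base32 string behind the QR code *is* the second factor. Every copy of it, whether in Authy, in a second app, or on paper, produces the same six digits for the same 30-second slot, so a saved copy is a complete recovery path and has to be protected as carefully as the Authy "backups password". The following is an added example, not code from this thread or from 1Password or Authy; it implements plain RFC 4226/6238 HOTP/TOTP with the common defaults (HMAC-SHA1, 6 digits, 30-second step) and assumes the QR code encodes a standard `otpauth://` URI. The secret and URI it uses are the RFC 6238 reference test vector, constructed for the example, not a real key.

```python
"""
Minimal HOTP (RFC 4226) / TOTP (RFC 6238) implementation, added here to show
what the "TOTP secret" discussed in this thread actually is and why a saved
copy of it (printed QR code or manual-entry string) is a full backup.

Assumptions (not taken from the thread): the setup QR code encodes an
otpauth:// URI, the algorithm is HMAC-SHA1, codes have 6 digits and a
30-second step. These are the usual defaults, not anything 1Password-specific.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the RFC 6238 reference secret (ASCII "12345678901234567890")
# in base32, as an authenticator would receive it. A test vector, not a real key.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:user%40example.com"
    "?secret=" + SAMPLE_SECRET_B32 + "&issuer=Example&digits=6&period=30"
)


def decode_secret(secret_b32):
    """Decode a base32 secret, tolerating spaces, lowercase and missing padding
    (all common when a secret is typed in from a printed manual-entry string)."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret_b32, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = decode_secret(secret_b32)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """TOTP: HOTP with counter = floor(unix_time / step)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time // step), digits)


def verify_totp(secret_b32, code, at_time=None, step=30, digits=6, window=1):
    """Server-side check: accept the current slot plus/minus `window` slots of
    clock drift, comparing in constant time so code checks do not leak timing."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // step)
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def secret_from_otpauth_uri(uri):
    """Extract the base32 secret from an otpauth:// URI (what the QR code holds)."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("otpauth URI carries no secret")
    return query["secret"][0]


if __name__ == "__main__":
    secret = secret_from_otpauth_uri(SAMPLE_OTPAUTH_URI)
    # Two independent copies of the same secret (an app and a printed backup)
    # are indistinguishable: identical codes for the same time slot.
    print("code at t=59:", totp(secret, at_time=59))
    print("code now    :", totp(secret))
```

The practical consequence for this thread: a printed QR code or manual-entry string restores 2FA without Authy, but anyone who reads it holds the factor outright, so keep such a copy offline and separate from the Master Password and Secret Key rather than in the same place as the Emergency Kit.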

  • @kram5819 Missingbits is correct. Your 2FA code is only needed when signing in from a new device, so if you ever lose the code, you will need to sign in from a browser that's already authorized and turn it off. You can find more on that here:
    https://support.1password.com/two-factor-authentication/#get-help

  • kram5819
    kram5819
    Community Member

    It doesn't look like it's possible to turn off 2FA on my mobile device. When using 1Password on my Android phone I can't turn off two-step authentication there; I can only do it on my Chromebook, unless I'm missing something and don't see where I can disable it on my mobile phone.

  • kram5819
    kram5819
    Community Member

    If I had the ability to turn it off with my mobile device that would help, because I never get asked for the codes on my mobile phone, unless of course I change to another device.

  • [Deleted User]
    [Deleted User]
    Community Member

    @kram5819 You can turn off 1Password 2FA from the Android app.

    Click on "Settings" -> "1Password accounts" -> [Your account] -> "Turn off two-factor authentication"

  • kram5819
    kram5819
    Community Member

    Thank you very much. You're absolutely right, I see that I can turn it off on my mobile device. Thank you. I've only been using 1Password for about a week, so I'm still getting used to it.

  • kram5819
    kram5819
    Community Member
    edited April 2021

    If I turn off two-factor authentication from my mobile device, will it also turn it off on my Chromebook, and any other device that I have set up with my 1Password account?

    Or does it just turn it off on my mobile device?

  • [Deleted User]
    [Deleted User]
    Community Member

    @kram5819 It turns off 2FA at the account level. So you can add new devices without entering a 2FA code.

    With 1Password, you never need to enter a 2FA code on an already authorised device, whether 2FA is on or off.

  • It looks like you're on fire in this thread, @missingbits. Thanks for all the help!

  • [Deleted User]
    [Deleted User]
    Community Member

    @peri Glad to help :chuffed:

  • ag_ana
    ag_ana
    1Password Alumni

    :+1: :)

  • wallet
    wallet
    Community Member

    Is there a way to always require 2FA when logging in to 1Password? Having it only required the first time on a new device is pretty much the same as turning 2FA off once you are logged in. Maybe deauthorizing devices after a certain time? Or better still would be requiring 2FA for every login to 1Password.
    I mean, if someone sits at my computer and goes to log in and my computer is authorized, then 2FA doesn't even factor into their attempts to log in.

  • ag_ana
    ag_ana
    1Password Alumni

    @wallet:

    Is there a way to always require 2FA when logging in to 1Password? Having it only required the first time on a new device is pretty much the same as turning 2FA off once you are logged in. Maybe deauthorizing devices after a certain time?

    Not at the moment, but you can always deauthorize devices manually if you want.

    Or better still would be requiring 2FA for every login to 1Password.

    I mean, if someone sits at my computer and goes to log in and my computer is authorized, then 2FA doesn't even factor into their attempts to log in.

    Also note that 2FA would not protect you in this case anyway: if you have access to the computer, your 1Password data would already be on your computer, so you would only need the Secret Key and Master Password to decrypt it. 2FA does not have anything to do with encryption:

    Authentication and encryption in the 1Password security model

  • [Deleted User]
    [Deleted User]
    Community Member
    edited April 2021

    @wallet Turning on 2FA for already authorised devices would increase inconvenience for the legitimate user without increasing security. When you authorise a device, a copy of your 1Password database is downloaded to that device. If an attacker knows your master password then they can use their own decryption software to unlock your 1Password database. They would not be using the 1Password app and so wouldn't be inconvenienced by any additional 2FA steps.

  • wallet
    wallet
    Community Member

    Yeah, I can see that now. I would prefer that there was an age limit on authorized devices, so at least that had to be renewed periodically.

    I do have to say I find the marketing around 2FA for 1Password is a little bit disingenuous: it's not 2FA to protect credentials, it's 2FA to protect your 1Password login.

  • ag_ana
    ag_ana
    1Password Alumni

    @wallet:

    it's not 2FA to protect credentials, it's 2FA to protect your 1Password login.

    I am not sure I understand this, can you please elaborate?

  • [Deleted User]
    [Deleted User]
    Community Member

    @wallet 1Password 2FA protects against the case where an attacker knows your master password and secret key, but doesn't yet have a copy of your database. If they have access to an authorised device then they have a copy of your database and 2FA has no benefit.

    Password manager apps which need the 2FA to be renewed are just performing security theatre. It would be more convincing if they deleted the local copy of the database pending a successful 2FA check. However, even this doesn't really help, because the attacker would not run the app and probably wouldn't even run the operating system before taking a copy of your database.

This discussion has been closed.