2fa on 1Password start

wright_is
wright_is
Community Member

I did a search, but couldn't find anything related to this.

I switched from LastPass a few months back. I discovered the 1Password podcast a while back - I follow Jack Moore over at eSet and he was a guest - and it sounded like a great company. I've become more and more disillusioned with LP over the last couple of years and I finally decided to make the move...

Anyway, the one thing I miss from LP is the 2FA authentication. Yes, I have an Authenticator app and my Yubikeys registered as 2FA, and, logging onto a new device, I have to provide 2FA to enable the account. What I've not found in the settings is the option to force 2FA when the app or the browser add-in is restarted - E.g. boot PC in the morning and unlock 1Password with 2fa, then, for the rest of the day, just the password to re-unlock. The same for the browser.

For my home PC and my private smartphone, just a password is fine. But I'd prefer the option to force 2FA every start on my work laptop, which is often left in the office over night. There is an option to allow Windows hello, for example to unlock, but no option under security to require 2FA.

Note: This could be a request for 2FA on new start or a 2FA request every 12/24 hours, for example.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @wright_is! Welcome to the forum!

    1Password will require 2FA only the first time you add a new device to your account. Afterwards, you are not prompted for 2FA because it would not help very much you since 1Password data is encrypted by your Master Password and Secret Key, not by your 2FA codes.

    You can read some more details about this here, if you are curious:

    Authentication and encryption in the 1Password security model

  • [Deleted User]
    [Deleted User]
    Community Member
    edited April 2021

    @wright_is I moved over from LastPass laste year and I'm glad I made the move.

    1Password 2FA protects against the case where an attacker knows your master password and secret key, but doesn't yet have a copy of your database. If they have access to an authorised device then they have a copy of your database and 2FA has no benefit.

    When you authorise a device, a copy of your 1Password database is downloaded to that device. If an attacker has access to your device and knows your master password then they can use their own decryption software to unlock your 1Password database.

    They would not be using the 1Password app and wouldn't be affected by any additional 2FA steps added to the app. So turning-on 2FA for already authorised devices would increase inconvenience for the legitimate user without increasing security.

    For more background, you might be interested in the following piece:

    https://support.1password.com/authentication-encryption/

  • wright_is
    wright_is
    Community Member
    edited April 2021

    Okay, thanks for clearing that up. Makes sense. I guess I was just used to how LP worked.

    And thanks for the quick answers!

  • ag_ana
    ag_ana
    1Password Alumni

    You are welcome @wright_is! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • dnbrice
    dnbrice
    Community Member
    edited July 2021

    I understand the reasoning behind how this product only uses 2FA for 1st authorized use, but there are security vulnerabilities in not using 2FA for session authentication.

    For example in an office environment, a person my leave their computer unattended to get coffee or go the printer. A lot of people do not lock their computer for what they feel is a short jaunt. Another example is that a lot of IT departments have remote access to computers, including unattended remote control access to the users active session, or if a computer is compromised by bad-actors, During that time, the computer is vulnerable and so is 1Password if it is already authenticated.

    In the environment I work, we use PIV, which is having a physical device (Token or PIV Card, and a pin....Something you have, something you know = 2FA, and supported but the YubiKeys). Every time you have to access something sensitive, you have to authenticate. When that session is closed or idle, you have to re-authenticate.

    From reading previous posts, a lot of people would feel a lot more secure with this product if 2FA was implemented in way to not only authorize the device, but to also authorize the session. I would suggest using the PIV method rather than the master password, as it just as secure, and easier to authenticate.

    Please consider this as a future update.

    Thanks

  • ag_ana
    ag_ana
    1Password Alumni

    @dnbrice:

    Thank you for the feedback! Your database is encrypted with the Master Password and Secret Key however, so once it is downloaded on that device, those are the only pieces of information that you need. It's in this sense that having an additional 2FA code would not protect, since the decryption process does not need it.

This discussion has been closed.