Tw-Factor Authentication

Hi @WAnderson, welcome to the 1Password Support Community. 👋

Great question. After two-factor authentication is enabled for your 1Password account, each user will need to authenticate once on any devices where they're already using 1Password, as well as when setting up the 1Password apps on new devices and new browser sign-ins. They won't be asked to enter their generated 2FA codes again beyond that initial authentication unless they reset the 1Password apps or deauthorize their devices/browser sign-ins.

@WAnderson,

I'm not entirely familiar with Office365's 2FA solution, though I do know many other services rely on authentication-based security models rather than encryption-based ones (like 1Password). Because of this, authentication doesn't play as important of a role in the security of your 1Password data. More on that here.

** We plan on rolling out Duo this week.**

Ah, 1Password does support two-factor authentication with Duo, if you would like to force your users to re-authenticate more frequently (between 1-30 days).

Just to note that enabling Duo for your 1Password account will disable the traditional two-factor authentication for your users; they will no longer be able to use third-party authenticator apps to generate 2FA codes. They'll instead be required to enroll in Duo (if they haven't already), and they'll authenticate as required by the Duo authentication interval as chosen by an administrator.

Use Duo for your team

Hi @MaurizioNatta! :smile:

We'd be happy to assist with this! If you could just reach out to us at support@1password.com using your work-provided email address, we'll be able to take a closer look at any accounts you may have and offer suggestions from there. Feel free to also include a link to your post here for reference.

We'll be on the lookout for your message!

We're more than happy to help, @MaurizioNatta! Once we see your message come in, we'll jump on it as soon as we can. :+1:

Hi @wp_cmentor,

When 2FA is enforced (whether DUO or other) existing users be prompted to set up 2FA at the next login (via app or browser extension)?

That's correct. In the case of native two-factor authentication with a third-party authenticator app, anyone who has not already enabled it will be prompted to set it up the next time they sign in to their account. With Duo they'll also be prompted.

If a user does not have access to any 2FA methods / authorized devices, an Admin will need to start account recovery

The short answer is yes. The longer answer: When native 2FA is enforced for a business account, and if an existing user has lost access to their third-party authenticator app where they saved their 1Password 2FA secret, they will need to sign in to their account on 1Password.com within an authorized browser and replace their 2FA app via the My Profile page, thus revoking the old secret.

If they don't have access to an authorized browser, then you're correct that an administrator will need to start the recovery process for them. This will reset their account details and they'll need to recreate their account password (they can choose the same one previously in use). They'll also receive a new Secret Key. It's worth noting that when 2FA is enforced (including Duo), it won't be possible to disable 2FA at an individual level within the 1Password apps; only an account owner, administrator, or someone with the Manage Settings permission will have that power.

On behalf of Max, you are very welcome :)