To protect your privacy: email us with billing or account questions instead of posting here.

Please help me understand 2FA for my 1Password account

emilesilvis
emilesilvis
Community Member

Hi, I'd like to understand 2FA for my 1Password account (i.e. for the vault itself, not for the secrets managed inside of the vault).

Let's say I use Authy on my phone, but then I lose my phone. This is where my understanding of the process gets unclear and is based on assumptions.

Assumption #1: This is how I assume it works: I can recover my Authy accounts with the Authy backup phrase, but this phrase cannot be held inside my 1Password vault since I don't have access to my vault. So I need to store my Authy backup password outside my vault. Is this correct, or is Authy recovery not based on the backup password?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Tertius3
    Tertius3
    Community Member

    1Password requests a 2fa token only, if you log in from a new machine with no cached vault. So if you lose your phone, you only lose the ability to log in from a new machine. If you logged on before on a different machine, your vaults are cached on that machine, and you can start 1Password on that machine and extract whatever you need to recover your phone. You only need your master password but no 2fa code if there is a cached vault on that machine.

  • ag_ana
    ag_ana
    1Password Alumni

    @emilesilvis:

    So I need to store my Authy backup password outside my vault. Is this correct, or is Authy recovery not based on the backup password?

    Whether Authy recovery is based on a backup password or not is a question better addressed to the Authy developers, so I will avoid taking guesses. However, as Tertius wrote, if you have access to a device that already has 1Password data on it, you would be able to unlock it and get the backup password from there:

    You only need your master password but no 2fa code if there is a cached vault on that machine.

    Should you not have any other devices, you can reach out to our security team and they can temporarily disable 2FA for you after answering some security questions :+1:

  • emilesilvis
    emilesilvis
    Community Member

    Thanks @Tertius3 and @ag_ana 👌

  • [Deleted User]
    [Deleted User]
    Community Member

    @emilesilvis In answer to your Authy question, you will always need your backups password when logging in to Authy on a new device.

    You can manage the risk of being locked out of Authy by installing it on more than one device and by keeping a paper record of your Authy backups password. Perhaps you could store it alongside your 1Password secret key?

  • emilesilvis
    emilesilvis
    Community Member

    @rootzero that makes sense, thanks for the suggestion.

  • ag_ana
    ag_ana
    1Password Alumni

    :+1: :)

This discussion has been closed.