Does 1Password customer support have the power to disable Yubikey 2FA?

mackorone
mackorone
Community Member

With the start of the new year, I'm auditing my security practices for potential vulnerabilities. I recently discovered that 1Password customer support has the power to disable 2FA on my 1Password account, which means that an attacker with access to my email account could hypothetically convince customer support to do so. Does the same hold true if I add a Yubikey as an additional 2FA device? If so, what's the point of the additional 2FA device? Is it simply to double the number of compromised 2FA devices required to authorize a new device without tricking customer support? Isn't it overkill at that point?

In short, does adding a Yubikey as an additional 2FA eliminate scenario #1 entirely? Or does it simply add another requirement to scenario #2, namely, that the attacker must also steal the Yubikey?

Scenario #1:

  • Attacker steals my emergency kit containing my secret key
  • Attacker hacks into my email account
  • Attacker convinces 1Password customer support to disable 2FA

Scenario #2:

  • Attacker steals my emergency kit containing my secret key
  • Attacker steals and hacks into my 2FA device (unlikely)

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Referrer: forum-search:yubikey

Comments

  • Thanks for the question here. As it happens, I'm one of the customer support members that you would need to trick in order to bypass two-factor authentication on a given 1Password account. First things first, I think it's important to remember what exactly it is that two-factor authentication does when enabled with a 1Password account:

    1. Your 1Password account password (and the design of our Key Derivation Function) is your defense against an attacker who gets a copy of your local 1Password data from your devices.

    2. Your Secret Key (and to an extent your 1Password account password) is your defense against someone who gets an encrypted copy of your data from our servers.

    3. Our authentication protocol (Secure Remote Password) is your defense against someone who can break TLS and listen to the communication between you and our server when you authenticate.

    4. Two-factor authentication is your defense against an attacker who has somehow acquired both your 1Password account password and Secret Key but has not acquired a copy of your encrypted data. This applies to security keys, as well.

    Essentially, you're adding an authentication-based feature to an encryption-based system, and so the overall benefit is slim, covering only one specific scenario in which both of your encryption secrets have already been discovered by an attacker. With that being the case, you're already in somewhat hot water. But if two-factor authentication has been enabled and you suddenly find yourself in that scenario, you're still protected.

    We then come to the issue of someone having access to your email account on top of that. Someone with that kind of access alone could theoretically bypass your passwords altogether, since many websites and services come with a "forgot my password" function, allowing them to reset your credentials without ever needing to access your 1Password data at all. With that said, I wonder how it might be that someone has access to your 1Password account password, your Secret Key, and your email account without also having access to your 1Password data already, as the credentials for your email account would likely be stored in 1Password, but maybe you've kept those separate and somehow leaked them as well as both of your encryption secrets.

    Once that's all taken care of, we get to someone like myself being tricked. In order to get past me, you'd need to go through a round of verification questions, as you might expect from other services. But when it comes to 1Password, the personal information that we know about you is extremely limited. We're unable to ask identifying questions like your dog's name or the street you grew up on, and so an attacker with access to that information would still be out of luck. Rather, the questions that we ask pertain to the 1Password account itself. So think less "what is your mother's maiden name" and more "how many vaults do you have in your 1Password account."

    These questions are designed so that only you, who created your 1Password account, should know the answers. Some of those answers may be accessible through your email history depending on what's in there, but certainly not all of them. And so I'm unaware of how a potential attacker might be able to acquire all of those things and then trick 1Password support into resetting two-factor authentication for them without having your cooperation in doing so.

    Finally, getting to your question, security keys such as Yubikeys are treated exactly like any other form of two-factor authentication when it comes to 1Password. Again, two-factor authentication is an authentication-based system, and so the scope of what it can protect you from is very limited when added to an encryption-based system like 1Password. If you can think of a scenario in which you think any of this somehow leaves you vulnerable, feel free to let us know and we can dig further into the topic. And actually on that note, it looks like you've already emailed in with some questions, so if you're going to continue asking about security features, I'd suggest keeping things to one communication channel.

  • MerryBit
    MerryBit
    Community Member

    1password customer support also has the power to delete an account. Do the same verification procedures apply to someone requesting account deletion when someone says they've forgotten their account password?

  • Hi @MerryBit

    In Customer Support we actually do not have the ability to directly delete a non-empty account. If the account has items in it, we can trigger an email to be sent to a customer which will allow them to delete their account. We only have the ability to have that email sent to the email address on file, and it would still be the customer's responsibility to follow through with the deletion.

    Ben

  • MerryBit
    MerryBit
    Community Member

    Hi @Ben

    That's actually reassuring to learn you can't delete accounts directly which I did think you were able to do. Thanks for correcting my misunderstanding!

  • @MerryBit

    No worries. We can only delete them directly if they're empty. This is enforced by the server — not just policy. :)

    Ben

This discussion has been closed.