1P 2FA Recovery Codes?

akiss20
Community Member
edited March 2022 in Lounge

Hi All,

Quick question. I want to enable 2FA on my 1P account but am a bit leery of the possibility that I, or my family should anything happen to me, might one day get locked out of my 1P. I have 1P set up on several devices so I know it is unlikely for myself (as I believe you can disable 2FA from any device with the application installed?) but it's still a possibility. I know Google allows you to create one-time use recovery codes as a form of 2FA that can be stored in a secure location, much as the SOS printout for 1P. Does 1P offer the creation of recovery codes so I can put that with my SOS doc in a safe location?

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Lars
    1Password Alumni

    Welcome to the 1Password Support Community, @akiss20! It's a question we get asked occasionally - do we have "backup codes" for 1Password's 2FA? (answer: no). Will we have that - is it a feature we'd consider adding? That's a more interesting question. Our Chief Defender Against the Dark Arts, Jeffrey Goldberg, answered it very well back in 2019:

    The single biggest reason is that we are desperately trying to get people to make backups of their Secret Keys. We don't want to dilute that message in any way whatsoever, and giving people something else they should save would be diluting it.

    The Secret Key is confusing enough on its own, and we don't want to make it easier for people to think that they have it backed up when all they really have are TOTP backup codes.

    TOTP backup codes don't really add a lot of value. So we aren't really losing much by not offering them. Sure, it isn't a lot of fun when people write in to tell us that they've lost their TOTP secret, but we can get those sorted out manually after verifying the user. (And as unfun as that process is, it is a picnic compared to when people write in saying they have lost their Secret Keys).

    There are (easy?) alternatives to TOTP backup codes. If you want a backup mechanism for TOTP just save the TOTP long term secret or QR code some place. You have ways other than backup codes to back up your TOTP access (which is the one thing we can reset anyway). (Some apps make it hard to do this; others make it easy.)

    It's the combination of our ability to manually deactivate 2FA after verifying a customer (something we absolutely, mathematically cannot do for either Account Passwords or Secret Keys) and the fact that there are already ways for users who worry they might lose/damage their devices on which the 2FA app resides to save the long-term secret behind the 2FA code, which makes us think we may not be adding this feature. Hope that's helpful. :)

  • akiss20
    Community Member

    Hi Lars,

    Thanks very much. I wasn't aware that 1P can de-activate 2FA with a verification process which mostly addresses my concern. I assume that process can extend to family members in the event of something happening? Somewhat morbid I know but go to any technology forum and unfortunately you will see a lot of posts of "my dad died and we can't get into his iPhone with all the photos!". Really wouldn't want that to happen to my family with 1P which has all my credentials for things they will want to access.

    In an ideal world I would suggest that the option/ability to create a TOTP backup code might be a more hidden feature for advanced users. I totally understand the worry about user confusion and whatnot. As someone who managed to get my mother onto 1P after much cajoling, one more thing for her (stroke me) to manage would be a hassle.

    Thanks!

  • [Deleted User]
    Community Member

    @akiss20 If you save/print the QR code or manual entry secret when setting up your authenticator app then you can always set up another authenticator app in the future.

  • akiss20
    Community Member

    @rootzero thanks! I saw that in Lars' post as well, so I will likely do that when I can and put the QR code with my SOS document. I actually did not realize that the TOTP QR code was persistent prior to this conversation. My level of knowledge in the cryptographic/security world is at the level of "enough to be dangerous" :)

  • Lars
    1Password Alumni

    @akiss20 - the larger issue with the problem of unexpected death or incapacity is not the 2FA, it's the Account Password and/or Secret Key. If that's the way your mind leans (and that is not a criticism; good for you for thinking of your loved ones in what would be a horrible time for them), then make sure you have a copy of your Emergency Kit printed out and your Account Password written on it, somewhere they can find it. Keep it updated if you change either credential (or your email address).

    Better yet, if you have a 1Password Families account that you share with family members, make sure at least one other person is a Family Organizer, so they can recover your account if you forget your Account Password or lose your Secret Key or - in conjunction with access to your email account - get into your account in the event of your incapacity.

  • akiss20
    Community Member

    Hi Lars,

    Yes that was my point. I already have the very handy emergency kit printed and in a safety deposit box which my family would obviously have access to; that was the first thing I did when I got my 1P account. My concern with 2FA was that it depended on something that I thought could not be stored with the emergency kit. I have since learned the QR code for the TOTP is persistent and can be stored with the emergency kit.

    Up until recently I was the only one in my family with a 1P account so I had a personal account, not a family one. I have since migrated to a family one and will be sure to also make one of them a family organizer.

    Thanks for the help!

  • Lars
    1Password Alumni

    @akiss20 - you're quite welcome. 😃 Just remember to update that precious Emergency Kit every time you change any of your credentials, or you'll be in exactly the situation you've worked so hard to plan in advance to avoid! Stay safe out there, and thanks for the conversation.

  • akiss20
    Community Member

    Thanks for all the help and definitely will do. Stay safe!

  • On behalf of Lars, you're very welcome @akiss20! 😀

This discussion has been closed.