2FA scare, a potential disaster waiting to happen?

pbhogan (Community Member)

So, I just had a really big scare while trying to set up 2FA on my 1Password account, and I wanted to post this here as a cautionary tale and also maybe something the team should consider.

It started during my upgrade to 1Password 8, and I logged into the 1Password for families site to change my password. (The why to that is a separate issue, but the inability to set a local on-device password that is simpler than the account master-password is a real bugbear for me. Yes, yes I know, but it's a trade-off I am comfortable making.)

Anyway, while there, I noticed the 2FA option for the account. So I thought, that's great, I'll set up 2FA to make my simpler password less of an issue.

Of course, I need an authenticator app—and I have one: it's called 1Password. You can probably see where this is going. I put the 2FA code into 1Password and it worked. Great. In the back of my head was a little voice that said, hey, they never gave you any emergency 2FA codes like most services do. Oh well.

Then I changed my account password.

Suddenly, the Mac app and iOS app wanted me to sign in again. I didn't even sign out. It seemed to be automatic. Okay, I'll just sign in with my new password. Then it asked for a 2FA code to complete the sign-in. Only... I couldn't get a 2FA code because I was automatically signed out of all my apps and I couldn't sign in without a 2FA code. And, I didn't have any emergency codes. Uh-oh.

What saved me was the web extension, which thankfully had not yet locked and I was able to coax a 2FA code out of it, signed in and instantly disabled 2FA on my account.

Folks, be super careful with this, and dev team, please consider this scenario. I'd love to use 2FA, but the on-device apps need to be smart enough to not all instantly sign you out on a password change leaving you without your authenticator app in a catch-22. Or, if they do they should not also require a 2FA code. Or maybe have an option to email you a 2FA code. Some way to get out of this potential deadlock.

Also, maybe provide emergency codes?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Hey @pbhogan:

    I'm sorry to hear you ran into some trouble here. We actually recommend against storing your two-factor authentication for your 1Password account inside your 1Password account for exactly the reason you've mentioned (see: "Turn on two-factor authentication for your 1Password account").

    As for requiring re-authorization: the moment you change your account password, or enable two-factor authentication, all currently active sessions from your 1Password apps are deauthorized, and you have to sign in again. If you've just changed your account password, unlocking the app with your new account password will reconnect the app; however, if you've enabled two-factor authentication, this would require entering a two-factor authentication code.

    Our Principal Security Architect, Jeffrey Goldberg, touched on why we don't offer two-factor authentication backup codes back in 2019:

    The single biggest reason is that we are desperately trying to get people to make backups of their Secret Keys. We don't want to dilute that message in any way whatsoever, and giving people something else they should save would be diluting it.

    The Secret Key is confusing enough on its own, and we don't want to make it easier for people to think that they have it backed up when all they really have are TOTP backup codes.

    TOTP backup codes don't really add a lot of value. So we aren't really losing much by not offering them. Sure, it isn't a lot of fun when people write in to tell us that they've lost their TOTP secret, but we can get those sorted out manually after verifying the user. (And as unfun as that process is, it is a picnic compared to when people write in saying they have lost their Secret Keys.)

    There are (easy?) alternatives to TOTP backup codes. If you want a backup mechanism for TOTP, just save the TOTP long-term secret or QR code some place. You have ways other than backup codes to back up your TOTP access (which is the one thing we can reset anyway). (Some apps make it hard to do this; others make it easy.)

    Additionally, I've filed a feature request on changing the way the QR code scanner behaves when on my.1Password.com, to make it harder to end up in a situation like the one you've run into.

    Jack

    ref: IDEA-I-893

  • pbhogan (Community Member)

    Hey Jack—thanks for the response!

    It might be worth putting a very clear warning on the 2FA setup telling users to NOT put it into 1Password for this reason. Many cloud services allow using their mobile apps as 2FA authenticators, so it's a natural thing to want and expect to be able to do it.

    Ultimately, I only want to use one authenticator app, 1Password. It's kind of the point. Carrying around a second authenticator app to authenticate your primary authenticator app feels silly. [Insert yo dawg, I heard you like 2FA meme here... :)]

    Again, I understand why all this is the way it is, but there is, I think, a desire for some users to only add 2FA to the web login. As we view it, our devices are reasonably secure, both being a physical thing on our person and requiring a password or biometrics to get into, and that's before unlocking 1Password. It's the account access on the public web I'm concerned with securing with 2FA, not so much my personal devices.

    ¯\_(ツ)_/¯

  • Hey @pbhogan:

    You're very welcome. As an additional note, 2FA is only required to add your 1Password account to a new device, and isn't required to unlock the 1Password app once you've added your account (which may be more or less what you're looking for when you mention wanting two-factor authentication only for my.1Password.com).

    Jack

  • dozy (Community Member)

    Hey @pbhogan, if you're in the Apple ecosystem, you can use the iCloud Keychain to store the 2FA.
    You can easily find the instructions online on how to configure the 2FA code for logins stored in iCloud Keychain.

  • @dozy

    I'll admit that sounds like an interesting idea. That one had never dawned on me. Thanks for sharing.

  • pbhogan (Community Member)

    That's an interesting idea—thanks! I have extremely low faith in iCloud to actually sync things. But it's an option, especially if I set up another backup 2FA authenticator somewhere else.

  • @pbhogan

    Let us know if you run into any issues or have any other questions. 😊