Feature Request: True 2FA / MFA

1Password's TOTP implementation works, and it's better than nothing. However, the security geek in me can't help but feel like it's "fake" 2FA. If my 1Password master password and secret key are compromised somehow (e.g. malware), the attacker still gets access to the TOTP secret in my vault.

I think AgileBits knows this, which is why they are careful not to call the TOTP password 2FA or MFA. By syncing the TOTP secret across devices inside the vault, that secret doesn't really qualify as the "something you have" anymore. It's just a second "something you know".

What I'd like instead is an option to keep the TOTP secret stored on the 2FA device itself, inside the 1Password mobile app's storage, not in the vault.

The workflow would be something like this:

  1. The user enrolls for a normal TOTP 2FA setup on a website using the 1Password mobile app with a new "TOTP Push" option, which saves the secret on the device, not in the vault.
  2. Whenever the user selects the TOTP password from a device that does not have the secret installed on it, instead of filling in the password, a push notification from the 1Password mobile app appears on the device that contains the TOTP secret in its local storage.
  3. If the push notification is accepted in the 1Password mobile app, only then is the TOTP code filled into the current website's 2FA prompt on the original device.
  4. If the user selects the TOTP password from the 1Password mobile app on a device that has the TOTP secret installed, then the push notification is skipped and the TOTP code is pasted into the 2FA prompt immediately, just like it works now.

Thank you for considering this feature! Please let me know if you have any questions.


1Password Version: 7.9.828
Extension Version: 2.3.4
OS Version: Windows 10
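The following is an added example (editor's illustration, not code from the original post or from 1Password) that models the four-step "TOTP Push" workflow above next to the concern raised at the top of the post: when the TOTP seed syncs inside the vault, whoever holds the vault can compute codes; when the seed stays in device-local storage and only an approved six-digit code leaves the device, the vault alone yields nothing. The `Vault`/`Device` classes, their method names and the device names are assumptions for illustration. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) and the seed is the RFC's published test vector.

```python
# Added example, not 1Password's code: a toy model of the "TOTP Push" workflow
# proposed above, next to today's sync-the-seed behaviour. Class, method and
# device names are assumptions for illustration; TOTP follows RFC 6238
# (HMAC-SHA1, 30-second step, 6 digits) and the seed is the RFC's test vector.
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter with dynamic truncation."""
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Base32 of the RFC 6238 test seed "12345678901234567890" (a published test vector).
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


@dataclass
class Vault:
    """The synced vault: anything here is reachable with master password + Secret Key."""
    items: Dict[str, dict] = field(default_factory=dict)

    def enroll_totp_in_vault(self, item: str, seed_b32: str) -> None:
        # Today's behaviour: the TOTP seed syncs along with the item.
        self.items[item] = {"totp_seed_b32": seed_b32}


@dataclass
class Device:
    name: str
    vault: Vault
    # Device-local storage that never syncs; only the enrolling device holds the seed.
    local_seeds: Dict[str, bytes] = field(default_factory=dict)
    pending: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # req_id -> (item, requester)

    def enroll_totp_push(self, item: str, seed_b32: str) -> None:
        # Step 1: the seed is saved on this device; the vault only gets a marker.
        self.local_seeds[item] = base64.b32decode(seed_b32, casefold=True)
        self.vault.items[item] = {"totp": "push", "totp_device": self.name}

    def request_code(self, item: str, holder: "Device", now: int) -> Optional[str]:
        # Step 4: a device that holds the seed fills the code immediately.
        if item in self.local_seeds:
            return totp(self.local_seeds[item], now)
        # Step 2: otherwise queue a push on the holder and fill nothing yet.
        req_id = f"{self.name}->{holder.name}:{item}:{now}"
        holder.pending[req_id] = (item, self.name)
        return None

    def approve(self, req_id: str, now: int) -> str:
        # Step 3: only an explicit approval releases a code, and only the
        # six-digit code leaves this device, never the seed.
        item, _requester = self.pending.pop(req_id)
        return totp(self.local_seeds[item], now)

    def deny(self, req_id: str) -> None:
        self.pending.pop(req_id, None)


def attacker_with_vault(vault: Vault, item: str, now: int) -> Optional[str]:
    """What someone holding only the synced vault contents can compute for an item."""
    seed_b32 = vault.items.get(item, {}).get("totp_seed_b32")
    return totp(base64.b32decode(seed_b32, casefold=True), now) if seed_b32 else None


def run_workflow(now: int = 59) -> dict:
    """Runs both enrolment styles at a fixed time and reports what each party sees."""
    vault = Vault()
    phone, laptop = Device("phone", vault), Device("laptop", vault)
    out = {}

    # Current behaviour: seed in the vault, so a vault compromise yields the code.
    vault.enroll_totp_in_vault("legacy.example", RFC6238_SEED_B32)
    out["attacker_legacy"] = attacker_with_vault(vault, "legacy.example", now)

    # Proposed "TOTP Push": seed only on the phone.
    phone.enroll_totp_push("push.example", RFC6238_SEED_B32)
    out["phone_immediate"] = phone.request_code("push.example", phone, now)
    out["laptop_first_attempt"] = laptop.request_code("push.example", phone, now)
    out["phone_pending"] = len(phone.pending)
    req_id = next(iter(phone.pending))
    out["laptop_after_approval"] = phone.approve(req_id, now)
    out["attacker_push"] = attacker_with_vault(vault, "push.example", now)
    return out


if __name__ == "__main__":
    for key, value in run_workflow().items():
        print(f"{key}: {value}")
```

Running it at the RFC's fixed time `59` shows the contrast the post is making: the vault-only attacker computes `287082` for the legacy item, while for the push-enrolled item the laptop's first attempt fills nothing, the phone shows one pending approval, and only after `approve()` does the same `287082` reach the laptop; the vault-only attacker gets `None`. The model does not cover how the approval channel itself is authenticated or how the code travels back, which a real design would have to specify.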

Comments

  • Hey @jkcarter:

    Thanks for your thoughts on this! We actually have a blog post that touches on this a bit: TOTP for 1Password users

    Additionally, while it's true that someone with access to your account password and Secret Key wouldn't immediately have access to your two-factor authentication codes in that situation, in many cases, it's possible to reset two-factor authentication for services using information that may be stored in your 1Password account that they already have access to. Given this, it would make sense to ensure that your account password and Secret Key remain uncompromised.

    Jack

This discussion has been closed.