How is it recommended to generate the OTP code needed for 2FA logons to the 1Password account?

fatso83
Community Member

1Password accounts can have an additional layer of security by enforcing a policy to enter an OTP on every new device. This is fine. The only issue I have with this is that I have gotten rid of Google Authenticator (and Microsoft's version) by moving all OTP generation to 1Password. It feels a bit off to re-introduce them just to generate codes. And backup/lost device was always a thing with these. Could always resort to using Authy (which I learned about today from associated discussions), but I feel there must be a better way.

Could not 1Password supply SMS codes or something?

My current approach is actually to have all the account details, including OTP generation, stored in a vault in 1Password. So when logging onto a new computer, I need my phone with 1Password. And I have a copy of that in my work account's private vault and vice versa. This feels a bit hackish/fragile, so would be interesting to know how people do this.



Comments

  • Tertius3
    Community Member
    edited June 2022

    I still have every OTP generation duplicated in Microsoft Authenticator, in addition to the same within 1Password. I don't like to put every egg into the same basket. If 1Password fails or is unavailable due to no logged-in devices, I still have the codes in the external authenticator app. Lost passwords on websites can be reset by password recovery operations, but not having an OTP code means calling support. I need the Microsoft authenticator anyway for my Microsoft accounts.

    Thinking about it, it boils down to the fact that I trust Microsoft and Google authenticator more than 1Password, because these are very simple, much less complex apps, while 1Password is a big complex app that will probably fail with a higher probability than the authenticator apps.

    If every single device fails and I lose access to everything, I have the printed QR code for 1Password. I get a new smartphone and create a pristine new Google account for it, so I have a working device. The new account is required to break the chicken-egg problem, because I don't have the Google account credentials yet to log in to my existing account. I install Google Authenticator and scan the printed QR code, then enter the printed secret key and master password to log in to 1Password. Now I have all my passwords and OTP codes and can set up additional devices. After that, I factory reset the new smartphone and log in to my real Google account, using OTP+password from 1Password from one of the additional devices.

  • Hey @fatso83:

    Generally speaking we recommend not storing the two-factor authentication secret for a 1Password account inside any 1Password account. While this isn't an official recommendation, I use Microsoft Authenticator for the two-factor authentication for my account.

    There are actually a few reasons why we don't offer SMS codes or backup codes for two-factor authentication for 1Password accounts the way other services do. Our Principal Security Architect, Jeffrey Goldberg, has laid out the reasons here: https://1password.community/discussion/comment/524761/#Comment_524761

    Great question! Let me know if that makes sense, or if you have any other questions.

    Jack

This discussion has been closed.