TOTP for 1Password users

1Password 5.2 for iOS and 1Password for Windows are out, and they provide support for using Time-based One Time Passwords (TOTP) in your Logins (note: in iOS, it’s part of our Pro Features). Note that this is not for unlocking 1Password itself, but to aid with logging into sites for which you may be using TOTP, such as Dropbox and Tumblr.

To learn how to have 1Password help you manage your TOTP Logins, go straight to our user guide. If you would like to better understand when and why TOTP is useful for 1Password users, and what to do if you truly want two-factor security, continue reading here.

I’ve previously written (at excessive length, in some cases) about TOTP in general, but in each instance pointed out that it is of limited utility to 1Password users. This is because such schemes are of most use to those people who have weak or reused passwords. If you are using a strong and unique password for a site, then many of the gains of two-step (or multi-step) verification are not relevant for you.

But “most” is not the same as “all”. There still are some cases where multi-step verification is useful to people using 1Password.

Sometimes you must use TOTP

Sometimes a site or service will simply require that TOTP always be used along with your regular password. Patty (one of my dogs) is working with a research group analyzing the structure of heartworm DNA. When she connects to the lab’s server, she is required to use TOTP.

TOTP example in 1Password for Windows

She has set up an app on her laptop that just constantly displays the current TOTP code. It’s sitting there ticking away all the time her laptop is running. Ideally, it should only be visible when she actually needs it, but she is understandably just trying to save time. Clearly, she could use TOTP more securely if it were available for the Login item within 1Password.

One-timeness? Yes

One-time passwords (the “OTP” in “TOTP”) are useful over insecure networks. Normally, when you submit a password to a site or service, you send the same password each time. Ideally, that connection is well encrypted so that the password cannot be captured when it is in transit. This is why it is very important to:

  • use HTTPS instead of HTTP when doing anything sensitive
  • pay attention to the lock icon in your browser’s address field (indicating HTTPS)
  • heed browser warnings about such connections

But networks are easy to compromise. Recently Molly (my other dog) was at the Barkville Airport. When she connected to Wifi, she saw several open wifi IDs. One was BVT-access, and the other one was “Airport Free Wifi”. As it turned out, BVT-access was the legitimate one, but she connected to Airport Free Wifi. Airport Free Wifi was actually a laptop operated by Mr Talk, our neighbor’s cat.

Mr Talk is using SSL-strip on his rogue wifi hotspot. If Molly isn’t paying close attention to the HTTPS status of her browser’s connection, she can send things unencrypted over Mr Talk’s network while thinking it is a secure connection. I should probably point out that Molly lacks the discipline to pay close attention to anything other than a squirrel or rabbit. This way, Mr Talk can capture Molly’s passwords in transit to the servers and save them for later use.

That is one of several ways that passwords can be captured in transit. The point of one-time passwords is that they are not reusable even if they are captured in transit. In this way, TOTP provides a meaningful defense against plausible attacks even though there is nothing “second factor” about how it is being used.

Second factor? No

We need to make the distinction between one time passwords and second factor security. One time passwords are often part of second factor security systems, but using one time passwords doesn’t automatically give you second factor security. Indeed, when you store your TOTP secret in the same place that you keep your password for a site, you do not have second factor security.

However, you still have the benefits of the one-timeness of TOTP codes.

Systems like TOTP are sometimes used as part of second (or multi) factor authentication systems. But this is far from their only usage. To be truly second factor, the TOTP secret (from which the one time password is generated) must not be stored on the same device that you use the regular password on.

Let’s consider an example. Molly has a Tumblr where she posts pictures of the squirrels she is after. So far, she has been using the Authy app on her phone to manage TOTP. If she never logs in to Tumblr on the same phone, then she is using her phone as a second factor. But if she is also using Tumblr from her phone and has had to use her one time password from there, then there is no second factor.

In general, there is a reason why many services that offer TOTP refer to it as “two-step verification” instead of as “second factor authentication”. The security that such sites seek to gain from this is not in the second-factorness; it is in the one-timeness. In particular, many of the sites and services that offer or require two-step verification with one time passwords are doing so because many of their users have weak or reused passwords. Although that should not apply to 1Password users, there are other benefits to one time passwords as I discussed above.

If you really want true two factor

If you would like to turn a site’s offering of TOTP into true two-factor security, you should not store your TOTP secret in 1Password (or in anything that will synchronize across systems). Furthermore, you should not use the regular password for the site on the same device that holds your TOTP secret.

Put simply: the device that holds your TOTP secret should never hold your password if your aim is genuine two factor security.

Personally, I don’t think that following that practice would be worthwhile for anything but a very small number of special circumstances, in which case, you should probably be using a specialized second factor device instead of something like a phone. But not everyone shares my opinion on this, and if you have a need for true second-factor security for some particular site or service, you should take that into account before adding a TOTP secret to 1Password.

For everyone else, if you find the one-timeness of TOTP worthwhile on its own (or are required to use it), 1Password’s new support in v5.2 for iOS and v4.1.0.538 for Windows makes it easier to use than ever.

28 replies
  1. Alex Satrapa says:

    Doesn’t TOTP at least provide better protection against brute force attacks, replay attacks, and compromise of the password database? Well, assuming the TOTP keys are stored separately to the password database on the host.

    What dangers exist for TOTP stored on 1Password other than theft of the phone, or the computer it’s synced to?

    • David Chartier says:

      Alex, I think that’s the main drawback to consider when planning one’s strategy, and why Goldberg pointed out the difference between full two-factor security.

      But you’re right in that many popular attacks don’t hit on this front, so it’s still a very secure *and* convenient way to deal with this layer of security. I hope this helps!

    • jpgoldberg says:

      Yes, Alex. The one-timeness of OTPs defends against a variety of attacks like what you list, even if one doesn’t use these for genuine two factor auth. But as you also note, with the OTP secret and the password stored in the same place, we aren’t getting two factors in the usual sense.

  2. Dumbledore says:

    I think it would be better to divide the OTP into two groups of three, just in case someone needs to input the number manually sometimes. It’s easier that way…

  3. Kirk Biglione says:

    This is great. Having gone through the pain of “re-keying” all of my OTP logins after upgrading my phone I’m not anxious to do that again any time soon. Was considering Authy, but I’d much rather use 1Password.

    Are TOTP keys synced with the desktop version of 1Password?

    • Alex Satrapa says:

      It looks to me like they are: I’m on the OS X version so all I see is the “One-Time Password” custom password field which contains a URL with all the necessary details. I don’t have the Windows version to test against.

      As this article states, TOTP support is coming to the OS X version Real Soon Now™, so I expect to see the actual OTP and countdown timer there too (eventually).

  4. Chris says:

    Hypothetical situation:

    If I restore my iPhone 6+ back to the original factory default iOS software, re-install the 1Password app and sync via iCloud, will the TOTP information that was saved load back into the app and work? Will I have to regenerate another QR code from those sites for it to work?

  5. maxaudet says:

    Can 1Password automatically fill the one time password fields when using the Chrome extension or do I have to open 1Password (for Windows) and manually type the OTP?

  6. Linar says:

    When will we have the ability to use OTP as a second factor for access to the 1Password database itself? Or at least some other second factor like a keyfile.

  7. Mike Youell says:

    If you have an app locker on your text messaging app, or your authenticator app on your phone, then does that make it 2FA (if the 1Password app is on that same phone)? As it adds an extra layer of security.

    • Jeffrey Goldberg says:

      Hi Mike,

      You have hit upon some unresolved questions about what counts as a “factor”. Physical possession of a device (such as a phone) is generally considered a factor. But if you also need a passcode to unlock that device in a way that you can use it as a factor then is knowledge of that passcode also something that should be considered a factor?

      If possession of factor F is needed to authenticate to service S, then should factors that protect F also be considered factors with respect to S? I believe that they must be taken into account when considering the security of the system, but really shouldn’t count as factors themselves. But this is really more an argument over meaning than of substance.

      Consider for example possession of a phone needed to authenticate to S. The phone is protected by a passcode, the phone is placed inside a safe with a combination lock, that safe is in a room locked with a physical key, and the location of that room is kept secret. I am inclined to call that a single factor instead of five factors. This is because, as far as S is concerned, it is possession of the phone that matters. From the point of view of the service S the data on the phone is a single authenticator.

      Again, the designers of S may well take into account how that single factor will be handled and protected, but even if it is protected by a dozen layers it remains a single factor by itself.

      I should also say that there isn’t a strong consensus on how to deal with this. I have just described my thinking. Thanks for raising such a tricky question.
