TOTP for 1Password users

1P Pro features1Password 5.2 for iOS and 1Password 4.1.0.538 for Windows are out, and they provide support for using Time-based One Time Passwords (TOTP) in your Logins (note: in iOS, it’s part of our Pro Features). Note that this is not for unlocking 1Password itself, but to aid with logging into sites for which you may be using TOTP, such a Dropbox and Tumblr.

To learn how to have 1Password help you manage your TOTP Logins, go straight to our user guide. If you would like to better understand when and why TOTP is useful for 1Password users, and what to do if you truly want two-factor security, continue reading here.

TOTP countdownI’ve previously written (at excessive length, in some cases) about TOTP in general, but in each instance pointed out that it is of limited utility to 1Password users. This is because such schemes are of most use to those people who have weak or reused passwords. If you are using a strong and unique password for a site, then many of the gains of two-step (or multi-step) verification are not relevant for you.

But “most” is not the same as “all”. There still are some cases where multi-step verification is useful to people using 1Password.

Sometimes you must use TOTP

Sometimes a site or service will simply require that TOTP always be used along with your regular password. Patty (one of my dogs) is working with a research group analyzing the structure of heart worm DNA. When she connects to the lab’s server, she is required to use TOTP.

TOTP example in 1Password for Windows

TOTP example in 1Password for Windows

She has set up an app on her laptop that just constantly displays the current TOTP code. It’s sitting there ticking away all the time her laptop is running. Ideally, it should only be visible when she actually needs it, but she is understandably just trying to save time. Clearly, she could use TOTP more securely if it were available for the Login item within 1Password.

One-timeness? Yes

One-time passwords (the “OTP” in “TOTP”) are useful over insecure networks. Normally, when you submit a password to a site or service, you send the same password each time. Ideally, that connection is well encrypted so that the password cannot be captured when it is in transit. This is why it is very important to:

  • use HTTPS instead of HTTP when doing anything sensitive
  • pay attention to the lock icon in your browser’s address field (indicating HTTPS)
  • heed browser warnings about such connections

But networks are easy to compromise. Recently Molly (my other dog) was at the Barkville Airport. When she connected to Wifi, she saw several open wifi IDs. One was BVT-access, and the other one was “Airport Free Wifi”. As it turned out, BVT-access was the legitimate one, but she connected to Airport Free Wifi. Airport Free Wifi was actually a laptop operated by Mr Talk, our neighbor’s cat.

Mr Talk is using SSL-strip on his rogue wifi hotspot. If Molly isn’t paying close attention to the HTTPS status of her browser’s connection, she can send things unencrypted over Mr Talk’s network while thinking it is a secure connection. I should probably point out that Molly lacks the discipline to pay close attention to anything other than a squirrel or rabbit. This way, Mr Talk can capture Molly’s passwords in transit to the servers and save them for later use.

That is one of several ways that passwords can be captured in transit. The point of one-time passwords is that they are not reusable even if they are captured in transit. In this way, TOTP provides a meaningful defense against plausible attacks even though there is nothing “second factor” about how it is being used.

Second factor? No

We need to make the distinction between one time passwords and second factor security. One time passwords are often part of second factor security systems, but using one time passwords doesn’t automatically give you second factor security. Indeed, when you store your TOTP secret in the same place that you keep your password for a site, you do not have second factor security.

However, you still have the benefits of the one-timeness of TOTP codes.

Systems like TOTP are sometimes used as part of second (or multi) factor authentication systems. But this is far from their only usage. To be truly second factor, the TOTP secret (from which the one time password is generated) must not be stored on the same device that you use the regular password on.

Let’s consider an example. Molly has a Tumblr where she posts pictures of the squirrels she is after. So far, she has been using the Authy app on her phone to manage TOTP. If she never logs into to Tumblr on the same phone, then she is using her phone as a second factor. But if she is also using Tumblr from her phone and has had to use her one time password from there, then there is no second factor.

In general, there is a reason why many services that offer TOTP refer to it as “two-step verification” instead of as “second factor authentication”. The security that such sites seek to gain from this is not in the second-factorness; it is in the one-timeness. In particular, many of the sites and services that offer or require two-step verification with one time passwords are doing so because many of their users have weak or reused passwords. Although that should not apply to 1Password users, there are other benefits to one time passwords as I discussed above.

If you really want true two factor

If you would like to turn a site’s offering of TOTP into true two-factor security, you should not store your TOTP secret in 1Password (or in anything that will synchronize across systems). Furthermore, you should not use the regular password for the site on the same device that holds your TOTP secret.

Put simply: the device that holds your TOTP secret should never hold your password if your aim is genuine two factor security.

Personally, I don’t think that following that practice would be worthwhile for anything but a very small number of special circumstances, in which case, you should probably be using a specialized second factor device instead of something like a phone. But not everyone shares my opinion on this, and if you have a need for true second-factor security for some particular site or service, you should take that into account before adding a TOTP secret to 1Password.

For everyone else, if you find the one-timeness of TOTP worthwhile on its own (or are required to use it), 1Password’s new support in v5.2 for iOS and v4.1.0.538 makes it easier to use than ever.

28 replies
« Older Comments
  1. Chris L
    Chris L says:

    I think I gain an additional layer of security by keeping my TOTP secret out of 1password in scenario- albeit a worst case scenario. That doomsday scenario is this: what if my 1Password keychain -kept on 1Password sync service in the cloud- is somehow compromised via the cloud? In that case I will be happy that my most sensitive accounts require TOTP and my TOTP secrets are on my iPhone and not in my 1password keychain. Does this make sense?

    Reply
    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Yes, that makes sense, Chris. For those who share your threat model.

      What you are doing is akin to, say, putting part of each password into 1Password, while keeping some other part of each of those stored elsewhere. Of course that would be extremely annoying to manage and would make using 1Password painful. But your scheme doesn’t have those drawbacks and so it is a reasonable approach for someone with your evaluation of the threats.

      One thing to keep in mind, however, is that a lot of services offering 2FA have work-arounds for people who lose their second factors. And so you should find out what each service using TOTP actually means by “MFA” to see if you are getting the desired security value. Many services also aren’t really going after the “two-factor-ness” and so the security properties of their 2FA may not be the security properties that you are thinking of when you design your use of it.

      I’m not saying that you shouldn’t use TOTP in the way you propose, but I do want you to be aware that you may not always be getting the security properties that you think you are getting.

      Anyway, thanks for the very interesting question.

  2. G
    G says:

    I see this feature was implemented on the Windows version of 1Password 3 years ago.. and has not been added to Mac yet.. Whats up with that?

    Reply
    • Dave Teare
      Dave Teare says:

      Good morning, G! ☀️

      I’m not sure if I’m following you 100% as we’ve had support for Time-based One-Time Passwords for a very long time now on Mac. You can see Use 1Password as an authenticator for sites with two-factor authentication for details.

      Perhaps you are running an older version of 1Password on your Mac? You can check in the 1Password > About 1Password window. You should be on version 6.8 at the moment.

      I hope that helps. Please let me know.

      ++dave;

« Older Comments

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.