Multi-Factor Authentication in 1Password

The more the merrier, my mother likes to say. And why shouldn’t that apply to authentication factors? You have your Master Password and Secret Key, and when you sign in they’re combined into one exceptionally strong factor by way of Secure Remote Password (SRP). We’ve added two more to the guest list, and you get to invite whichever you’d like.

Two-Factor Authentication

Two-factor authentication in 1Password is implemented with Time-based One-Time Passwords, the algorithm standardized in RFC 6238. That name is a mouthful, so forgive me for abbreviating it to TOTP from here on out. TOTP is widely adopted and it’s a great way of adding a familiar additional factor to your authentication process: your authenticator app and our server share a secret, and each derives a short code from that secret and the current time, so a code is only accepted within its time window.

When setting up two-factor authentication, you’ll be shown a TOTP secret (as a QR code and as text) that you can store in an authenticator app of your choosing. 1Password has been a TOTP authenticator for years now and storing the secret there is very convenient, but you’ll need the code precisely when you’re signing in on a device that can’t yet open 1Password, so we recommend also storing it in a separate authenticator app like Authy. Ideally you’d store it in both so you have access to it when needed. When it comes to backups, the more the merrier, just like Mom said! 🙂

Any time you sign in to your account from a new device you’ll be prompted for a one-time password. Open the authenticator app, read off the current one-time password, punch it in and you’re off to the races. Devices you’ve already authorized keep unlocking with your Master Password alone.

Turning on two-factor authentication is a breeze. Go to My Profile, choose ‘More Actions’ on the action bar on the left, then ‘Turn On Two-Factor Authentication’, and the instructions will have you set up in no time. Just make sure that you keep your TOTP secret safe, because it’s going to be required any time you sign in from a new device.
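To make concrete what the authenticator app is doing with that secret, here is an added example (not 1Password’s code) that implements HOTP and TOTP per RFC 4226 and RFC 6238 with only the Python standard library, parses the otpauth:// URI that a setup QR code carries, and verifies a code the way a server should: with a small clock-skew window and a per-user high-water mark so a code captured in transit cannot be replayed. The label, issuer and e-mail address in the sample URI are constructed for the example; the secret is the shared test secret from the RFCs.

```python
# TOTP (RFC 6238) over HOTP (RFC 4226) with only the standard library, plus the
# otpauth:// URI an authenticator reads from a setup QR code. Added example;
# the URI below is constructed around the RFC test secret, not a real account.
import base64
import hashlib
import hmac
import struct
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

RFC_SECRET = b"12345678901234567890"  # shared test secret in RFC 4226 / RFC 6238
SAMPLE_URI = ("otpauth://totp/1Password:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=1Password"
              "&algorithm=SHA1&digits=6&period=30")


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6, algorithm: str = "sha1") -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    Tolerates clock skew by also trying `window` steps either side, and refuses
    any counter at or below `last_counter` so a code captured in transit cannot
    be replayed while it is still inside the window. Persist the returned
    counter per user and pass it back on the next attempt.
    """
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return None
    now = at // step
    for delta in range(-window, window + 1):
        counter = now + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, algorithm), code):
            return counter
    return None


def parse_otpauth(uri: str) -> dict:
    """Turn an otpauth://totp/LABEL?secret=...&... URI into TOTP parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    q = {key: vals[0] for key, vals in parse_qs(u.query).items()}
    secret = q["secret"].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)          # many issuers omit base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "secret": base64.b32decode(secret),
        "digits": int(q.get("digits", "6")),
        "step": int(q.get("period", "30")),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


if __name__ == "__main__":
    import time
    p = parse_otpauth(SAMPLE_URI)
    print(p["label"], totp(p["secret"], int(time.time()), p["step"], p["digits"], p["algorithm"]))
```

The window is the practical trade-off: one step either side covers a phone clock that drifts by up to 30 seconds, while the `last_counter` check keeps that tolerance from turning into a 90-second replay opportunity. The same secret stored in two authenticator apps produces identical codes, which is why keeping a copy in both 1Password and a second app works as a backup.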

Duo Security

Duo Security takes a slightly different approach to protecting accounts and has been available as a beta feature in 1Password for a number of months. The feedback we’ve gotten from it has been unanimously positive, and Duo is now available for anyone using 1Password Teams or 1Password Business. The best part of Duo is that once an administrator configures it, it automatically applies to all members of the team.

When you sign in to 1Password, you’ll be prompted to send a push notification to your mobile device, where you approve or deny the sign-in request.

(Screenshot: Duo + 1Password for Mac)

Duo is a great option if you’re looking to enforce the use of an additional factor across a whole team.

Another Layer of Protection

The awesome part about these additional factors is that they stand on the shoulders of Secure Remote Password (SRP). The SRP handshake has to complete first, and the one-time password or Duo response is then sent over the channel that handshake establishes. Without SRP, any attack that could disclose your password to an attacker eavesdropping on the connection could disclose your additional factor as well; SRP protects both. It also means that enabling two-factor authentication or Duo is not a license for a weaker Master Password. They protect against very different things: the second factor guards sign-in to our service, while your Master Password (together with your Secret Key) is what encrypts your data, and it is ultimately all that stands between an attacker who has obtained your encrypted data and its contents.
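As an added illustration of why the second factor inherits SRP’s protection (example code, not 1Password’s implementation; the group, hash, message encoding and the HMAC-based “seal” are assumptions chosen for the demo, not 1Password’s actual parameters), the following Python runs an SRP-6a exchange between a client and a server that holds only a salt and verifier, has the server check the client’s proof before accepting anything else, and then carries a one-time code under the derived session key. A passive observer sees A, B, M1 and the sealed blob, none of which contain the password or the code, and a client with the wrong password never arrives at the shared key.

```python
# SRP-6a exchange (RFC 5054 group and padding, SHA-256) followed by a second
# factor sent under the session key. Demo values; not 1Password's parameters.
import hashlib
import hmac
import os

# 1024-bit group from RFC 5054 Appendix A, transcribed here; check it against
# the RFC before relying on it, and prefer a larger group in production.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8          # 128 bytes; PAD() per RFC 5054


def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))                     # SRP-6a multiplier


def private_x(salt: bytes, identity: str, password: str) -> int:
    return H(salt, hashlib.sha256(f"{identity}:{password}".encode()).digest())


def enroll(identity: str, password: str):
    """Server keeps (salt, v = g^x mod N); the password never leaves the client."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(salt, identity, password), N)


class Client:
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password
        self.a = int.from_bytes(os.urandom(32), "big")
        self.A = pow(g, self.a, N)                      # sent to the server

    def key(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("B == 0 mod N")             # reject a degenerate B
        u = H(pad(self.A), pad(B))
        x = private_x(salt, self.identity, self.password)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        return hashlib.sha256(pad(S)).digest()


class Server:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v
        self.b = int.from_bytes(os.urandom(32), "big")
        self.B = (k * v + pow(g, self.b, N)) % N        # sent to the client

    def key(self, A: int) -> bytes:
        if A % N == 0:
            raise ValueError("A == 0 mod N")             # reject a degenerate A
        u = H(pad(A), pad(self.B))
        S = pow(A * pow(self.v, u, N) % N, self.b, N)
        return hashlib.sha256(pad(S)).digest()


def proof(K: bytes, A: int, B: int) -> bytes:
    """Client's M1; the server recomputes it with its own K and compares."""
    return hmac.new(K, pad(A) + pad(B), hashlib.sha256).digest()


def seal(K: bytes, code: str) -> bytes:
    """Encrypt-then-MAC a short code under K with HMAC as keystream and tag.
    Illustrative only; a real transport would use an AEAD."""
    nonce = os.urandom(16)
    stream = hmac.new(K, b"enc" + nonce, hashlib.sha256).digest()
    data = code.encode()
    if len(data) > len(stream):
        raise ValueError("code longer than one keystream block")
    ct = bytes(c ^ s for c, s in zip(data, stream))
    return nonce + ct + hmac.new(K, b"mac" + nonce + ct, hashlib.sha256).digest()


def unseal(K: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(K, b"mac" + nonce + ct, hashlib.sha256).digest(), tag):
        return None                                      # wrong key or tampered
    stream = hmac.new(K, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream)).decode()


def sign_in(identity: str, password_tried: str, salt: bytes, v: int, code: str) -> dict:
    """One full exchange; returns the server's verdict and the eavesdropper's view."""
    client, server = Client(identity, password_tried), Server(salt, v)
    K_c, K_s = client.key(salt, server.B), server.key(client.A)   # A, salt, B on the wire
    M1 = proof(K_c, client.A, server.B)                           # M1 on the wire
    password_ok = hmac.compare_digest(M1, proof(K_s, client.A, server.B))
    blob = seal(K_c, code)                                        # sealed code on the wire
    return {
        "password_ok": password_ok,
        "second_factor": unseal(K_s, blob) if password_ok else None,
        "on_the_wire": {"A": client.A, "B": server.B, "M1": M1, "blob": blob},
    }
```

Two details carry the security argument. The server never receives the password, only a proof tied to the session key, so nothing on the wire can be offline-guessed without also breaking the verifier. And because the one-time code is sealed under that same key, a wrong-password client (or an observer) holds a key that fails the tag check and learns nothing about the code, which is exactly why the second factor does not relax the requirements on the Master Password that protects the data itself.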

Supported Across All 1Password Apps

We’ve rolled out support for both Duo and TOTP in all of our apps: Windows, Mac, iOS, Android, Web, and Chrome. We’ve even added both to the 1Password CLI tool, and it’s pretty amazing to have a terminal emulator trigger a push notification to my iPhone. Just make sure that you’re using the latest versions of our apps and you’ll be set.


52 replies
    • Kate Sebald says:

      Hey, Luis! It’s not possible to save them simultaneously, but you can certainly take the time to set up both apps. You’ll see a QR code to scan when you’re first setting things up. Scan this QR code into Authy, then swap to 1Password and add an OTP to your 1Password account Login item so you can scan it there as well. Save that Login item and then I’d recommend double-checking that the code displayed in 1Password matches what you see in Authy. The next step after you’ve scanned that code will be to enter your OTP in your browser to confirm it’ll be accepted and everything is set up properly before 2FA is activated. You can’t go through this process twice, so knowing both apps are on the same page will ensure this confirmation step is valid for both. 🙂

    • Kate Sebald says:

      No plans at present. TOTP is something many of our customers will be familiar with, so we decided it was the best path to offering 2FA everywhere. It also provides some flexibility by allowing folks to choose their authenticator app, so folks already using Authy or another app to store OTPs aren’t required to install something new. That said, Duo is great for businesses since administrators can require it be enabled organization-wide and we knew that would be an option many wanted. Given it was already being beta tested for 1Password Teams as well, it seemed a wise decision to keep it around even after we built our own solution. I’d encourage you to give TOTP a try, if you haven’t already, but I’ll certainly let the team know you’d like to see Duo as an option for families as well. 🙂

    • Tucker Perry says:

      I too would very much like to see Duo supported for families. My father is far more likely to be successful signing into 1P with a Duo push than he will be at digging out a rarely used TOTP app and finding the code. Anything I can do to continue to drive him toward using it goes a long way.

    • Kate Sebald says:

      Hey, Tucker! I definitely understand that struggle. My dad is also not terribly tech-savvy and about the only way I’ve managed to get him to use 2FA anywhere is because I’ve already put in the legwork of getting him to use 1Password. I can set up 2FA on his accounts for him with his TOTP secret in 1Password and the only additional thing I have to teach him to do is press Ctrl + V when prompted for his TOTP code. Setting up TOTP for our 1Password account would certainly involve some extra time explaining, but one thing that’s a bit different about 2FA for 1Password and 2FA for other accounts is you will only be prompted for 2FA for your 1Password account when adding a new device. This means you (and your dad) shouldn’t need to dig up that TOTP code too terribly often, so hopefully it’s not too much of a struggle for him, but I’ll certainly pass your feedback along to the team. 🙂

  1. Jeff Laing says:

    Sorry, perhaps I’m not understanding – does the TOTP kick in when I try to open 1Password on my phone, or just when I try to connect to an AgileBits website? The former is insane, the latter .. fine.

    Since I use 1Password as my authenticator for about thirty other websites, having to have a separate app (Authy) just so I can open 1Password seems crazy. And if I’ve moved devices from one phone to another, you are hoping that I managed to port Authy across first, making me rely on some other products syncing/backup solution.

    Since AgileBits are proud of how secure their vault storage is, this really sounds to me like something that can blow up in your face big time. Are you sure you have considered all the failure paths here?

    • Rick Fillion says:

      Hi Jeff,

      I’m sorry that I wasn’t more clear: TOTP would kick in whenever you try to sign in to a 1Password.com account on a new device. In other words, no it wouldn’t bug you for TOTP every time you open 1Password on your phone.

      These additional authentication factors do not change our vault storage at all. Your data is encrypted using a key derived from your Master Password and nothing about that has changed. It may seem like I’m splitting hairs, but what happens when you unlock your vault in 1Password isn’t authentication, and so adding a second factor wouldn’t apply there. When doing a sign-in with our servers there’s a process that actually does qualify as authentication, and so it’s more appropriate to this kind of add-on.

      You could store the TOTP secret in both 1Password and Authy so that as long as you set up your new phone before getting rid of the old phone you can use the old phone to generate the one-time password needed for the new phone.

      I hope this helps.

      Rick

    • Jeff Laing says:

      So, here’s the scenario I am concerned about.

      My laptop, iPad and iPhone, all of which have 1Password, are all in my briefcase which is lost/stolen. None are recovered. I am confident that my passwords are all safe in my 1Password.com account but as far as I can tell, I can never access them because I no longer have access to an authenticator.

      There is no mechanism for me personally to authenticate a new client.

      (As it happens, I am the administrator of my 1Password Family, as is my wife, so she can probably unlock my account sufficiently (can she?), but if I had not set things up like that, I would be hosed)

      Unless Authy, a 3rd party product, has a recovery strategy for me. Hopefully you can see why I don’t see this as being the Agile Bits go-to answer.

    • Rick Fillion says:

      It’s great that you’re thinking about that kind of scenario. It’s actually a scenario that a fair number of users are in today regardless of TOTP. If the 1Password apps are the only location that’s storing your Secret Key and you lose all of your devices you end up in a state where your data is unreachable. That’s why I love 1Password Families so much: another admin (family organizer) can help recover your account. This was true of the Secret Key scenario and is also true for losing your two-factor authentication secret. So in your scenario you’d have to lose your laptop, iPad, iPhone as well as all devices your wife has in order to be locked out. If your wife initiates recovery for your account, two-factor authentication will automatically be disabled for you.

      Rick

    • Jeff Laing says:

      Originally I wrote:

      “I think your equivalence with master secrets is flawed. I followed what 1Password describes as sensible practice, I printed out my recovery sheet and my lawyer has a copy along with my will (yes, I seriously use 1Password for pretty much every important account detail) and the other half (the master password) is with my executors – in a problem scenario, I can get them both back. Printouts can be sliced up and distributed a finite number of times to reduce the loss-risk. You can’t print out the OTP secrets …”

      but I’ve just discovered what you probably thought everyone knew, that 1Password does in fact make visible the URLs of all the OTP entries (if you edit them), so they can be retrieved and printed for safe keeping. Till now I did not realize that the OTP secrets were in fact copy/pasteable. That changes things considerably, though I would now recommend that 1Password get stronger export support for those things. In fact, I’ve asked before for ‘in-the-box’ categorisation of entries that have one-time-password fields associated with them, rather than requiring people to manually tag things…
      In theory, the only OTP entry that I need to be rebuildable is the one for 1Password, since the rest will still be safely stored in my vault. Perhaps 1Password might want to have a special-case entry for itself…

    • Kate Sebald says:

      Hey, Jeff! I would certainly have made that assumption, so I’m sorry we didn’t make it clearer you can get your OTP secrets out of 1Password. Indeed, one thing we put a lot of focus on is ensuring you can always access any data you enter into 1Password in its raw form and get it out, if needed, so anything you save in 1Password should be easily accessible. Exports are designed specifically for moving 1Password data elsewhere, so that’s where the focus is there. If you’re wanting to save something like your OTP secret as a backup for your own use, jotting it down on your Emergency Kit (or saving it in a second authenticator app) are the better bets there.

      As for auto-tagging things, we tend to shy away from that. Y’all each have your own way of organizing your data. One might say your tags reflect your particular mindset around organization. In my case, I have very few tags, which pretty clearly indicates I’m not the most organized person. 😉 If we start auto-tagging certain things, some folks will be quite pleased while others will be grumpy we are adding an unneeded tag to their well-oiled organizational machine. Search may serve you well here, though. Labels are part of our organizational habits and all of my OTP fields are called just that – OTP. So, if I search for OTP in 1Password for Windows, for example, all of my items with OTP fields show in the results. Since those three letters can show up in my titles as well, it’s not quite perfect, but it gets close in my case. Hopefully your habits allow you to do something similar. 👍

    • Jeff Laing says:

      Yes, I already have mine tagged as Two Factor so I can get to them – but the tags list is growing (mainly because of serial#s being tagged with the bundle they came with), and OTP passwords strike me as being such a special case that I think 1Password should be able to filter them out without a tag. After all, it can filter out “old” passwords.

      In your comment to Thomas, you suggest that the OTP Secret is immediately visible, but I don’t get that – I had to edit the entry and dig it out of the URL on both iPhone and iPad – haven’t checked the other yet, but it was very unwieldy. I would suggest making it a separate button somehow.

    • Kate Sebald says:

      Hey Jeff! In my reply to Thomas, I was talking about the codes displayed in his authenticator app, not the secrets saved when you add an OTP to 1Password itself. These are distinct things and I should be more careful – sorry! Indeed, you would need to edit to see the secret itself in 1Password, but like other authenticator apps, the code is displayed by default. Command-E can make that process a bit easier, but I can see the appeal in a reveal button or similar and will certainly pass your feedback along to the team.

      As for sorting them out, it’s a difficult UI problem, because where is this option going to go? If it goes in the sidebar, it’s essentially a tag with all the pitfalls of automatically tagging things in the first place. That said, we do have a number of default search options in 1Password for Mac specifically that cover a few of these sorts of use-cases. OTPs are unique in that they have their own field type. Regardless of what label you may give your OTP fields, their type will remain the same. We don’t yet have field type searches as an option, but it’s something I feel could be interesting.

      When I (or any of us for that matter) provide less-perfect suggestions to arrive at your desired ends, it’s not at all meant to say we’ll never introduce something better. Far from it – we have a lot of ideas in our heads about ways to improve this sort of stuff and we’d love to see some of them make their way into the apps – but I do know something like this isn’t on the immediate road map. So, my hope is that search may serve you a bit better than tags for now, but we will certainly keep this trouble in mind as 1Password 7 continues to grow. 🙂

    • Jeff Laing says:

      As to UI, the desktop app already has “SECURITY” in the sidebar with a bunch of special cases. “Entries with OTP” isn’t that big a stretch for that topic – though I note that list is not visible on the mobile devices either – that feels like another omission.

      If it were possible to edit a tag name (say, to put a leading “!” in it so it sorted to the top), I would be fine. But I currently have a bunch tagged with “Two Factor” which falls well down the list of tags now.

      Actually it looks like you have fixed the Windows client, so I can “select everything with the old tag, right-click and apply a new tag with a more prominent name, then delete the old tag” so I guess I can achieve a rename via brute force.

    • Kate Sebald says:

      Hey Jeff! That “Security” section is actually slated for a bit of an overhaul. No spoilers, but expect some changes down the road. 😉 As for tags, you can do that in 1Password 7 beta for Windows, and you can do something similar in 1Password 7 beta for Mac. On Mac, you can click the tag in the sidebar to edit it, rather than replacing it, if you’d like. 👍

  2. Swanny says:

    Hey guys, love the article! Curious, is Android going to get the feature to copy the OTP to your clipboard automatically anytime soon, like with Windows and iOS? Really missing that feature from Windows and iOS, and it’s a bit awkward still when autofilling that you need to go back into the app just to copy the OTP to your clipboard.

    • Kate Sebald says:

      Hey Swanny! I don’t know when it might arrive or what form it will take, but improving OTP filling on Android is definitely something we’d like to work on. Ideally this would be done via autofill or the accessibility service, but we’re still exploring options. I just got a new Android phone myself and, while I still marvel at how easy signing into everything is with 1Password instead of me trying to remember passwords I haven’t used since I last got a new phone, having to copy OTPs does disrupt my flow quite a bit, so I’m right there with you and will certainly pass your feedback along to the team. 🙂

    • Kate Sebald says:

      Hey Carlos! Your entire family can certainly use 2FA, but one family organizer turning it on won’t enable 2FA for everyone else. Each of your family members will need to decide for themselves whether to use 2FA (or be convinced by you that they should 😉) and enable it if they want it. 🙂

    • Kate Sebald says:

      Hey, Thomas! 2FA is an extra step when adding new devices and does require some setup, but we hope it’s fairly easy to enable. You can find a guide to setting up here, if you’re interested. And, of course, if 2FA is a bit much for you, it’s wholly optional. If you don’t do anything, your account and apps will continue to unlock with your Master Password (and Secret Key on new devices) same as they always have. It’s up to you! 🙂

    • Kate Sebald says:

      Hey, Anthony! I’m glad you’re excited! We know this has been a common request, so we’re stoked to finally be able to share it with all of you. 🙂

    • Rick Fillion says:

      This is something we’re still considering and haven’t made any changes to yet. There are good arguments on both sides. There’s nothing stopping you from writing down the TOTP secret on your Emergency Kit if you’d like to do so.

      Rick

  3. Leonardo says:

    Great feature! One question: what happens if you lose access to the Authenticator app? For example, if you get your phone with Google Authenticator stolen or you can’t access your Authy for any reason?

    • Kate Sebald says:

      Hey, Leonardo! As Rick touched on in some previous replies, 2FA is only required when setting up a new device. You can unlock your authorized devices (including the web app in authorized browsers) without 2FA, allowing you to disable 2FA in the case that you lose access to your authenticator app. In addition, some authenticator apps either allow a secure backup of your 2FA secrets so that you can restore them on a new device (Authy does this) or sync your data between devices (like 1Password). While we don’t recommend exclusively storing your 2FA secret for your 1Password account in 1Password itself, having your secret in your 1Password account in addition to Authy (or whatever app you might choose) can serve as a nice backup since it syncs that secret to other devices. Finally, initiating account recovery, if you have a family account, will also disable 2FA.

      So, in short, there are a few options for recovery, but it’s definitely important to consider the possibility and plan appropriately. From storing your 2FA secret multiple places to writing it down on your Emergency Kit, backup plans are great. Just like Rick’s mom said, the more the merrier. 🙂

    • Kate Sebald says:

      It’s not trouble at all, Leonardo! It’s always great to plan ahead, so I’m glad that’s something you were thinking about and happy to have helped. 🙂

    • Sebastian says:

      Would it be an option to add support for one time recovery codes like most other services for 2FA have? Thanks.

    • Kate Sebald says:

      Hey, Sebastian! It’s possible we may decide to go that route, but it’s not on the road map at the moment. Instead, we’d recommend making use of account recovery should you lose access to your authenticator and storing your OTP secret in multiple places as Rick noted in this post to ensure you don’t lose access. Keep in mind, too, that unlike many services used with 2FA, your OTP won’t be required every single time you access 1Password. It’s only requested when signing in from a new device. So, unlike with other services where losing your authenticator alone spells disaster, your disaster scenario with 1Password would only arise if you lost every last one of your devices as well as your authenticator all at once. 👍
