mrdlcastle
New Member
18 hours ago

Feature Request: Better security for MFA codes in records...

I posted this in 1Password at home, but I actually think this would be well suited for at-home users or at work. So I am posting it here as well.

Currently, storing both a password and its corresponding Multi-Factor Authentication (MFA/TOTP) seed within the same 1Password item creates a "single point of failure." If a device or 1Password session is left unlocked, an unauthorized user gains immediate access to both factors.

I am requesting a feature that allows administrators (or individual users) to require a secondary validation (such as re-entering the Master Password, using Biometrics, or confirming a 1Password-level MFA prompt) before 1Password will reveal or autofill specific TOTP codes.

The Problem

While storing MFA codes in 1Password is incredibly convenient, it inherently violates the core principle of MFA (combining something you know with something you have). If an attacker gains access to the 1Password vault, the security benefit of MFA is effectively neutralized for that account.

Proposed Solution

Introduce a Step-Up Authentication / Conditional Access policy specifically for MFA fields.

  • MFA Vault Lock: When a user attempts to copy, view, or autofill a TOTP code, 1Password should challenge the user for authentication.
  • Customizable TTL (Time-to-Live): Users or admins should be able to configure how often this challenge occurs. Options could include:
    • Every time the MFA code is accessed.
    • Once per session / Once a day.
    • After X minutes of inactivity.
  • Administrative Control (1Password Business): Enforce this via Policies in the Admin Console, allowing organizations to mandate that all stored MFA codes require a secondary check, mitigating the risk of compromised employee endpoints.

Use Case Example

  1. An employee opens a shared vault to log into a critical infrastructure tool.
  2. 1Password autofills the username and password normally.
  3. When the employee clicks the MFA field to copy the token, a biometrics prompt (Touch ID/Face ID) or a 1Password MFA prompt appears.
  4. Once validated, the token is revealed/filled, and the validation remains active for the next 8 hours (or whatever limit the admin set).

Benefits

  • Enhanced Security: Preserves the integrity of two-factor authentication even when stored in a single password manager.
  • Enterprise Compliance: Helps businesses meet strict compliance frameworks (like SOC2 or ISO 27001) that frown upon storing passwords and MFA tokens together without isolating controls.
  • User Flexibility: Maintains the convenience of 1Password's autofill while adding a vital speedbump for sensitive data.
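The gate the post asks for, as an added example that is not 1Password's code or the poster's: a standard RFC 6238 TOTP generator behind a step-up check whose re-prompt interval follows the three TTL options listed above. The policy names, the StepUpGate class and the simulate() helper are assumptions made for this illustration; the seed is the published RFC 6238 SHA-1 test key, not a real account secret, and the challenge callable stands in for the biometric or master-password prompt.

```python
"""Step-up gate in front of TOTP reveal (added example, not 1Password code).

Assumptions: the policy names, StepUpGate and simulate() are invented here.
The seed is the RFC 6238 SHA-1 test key, not a real account secret.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed: base32 of the RFC 6238 test key b"12345678901234567890".
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(seed_b32.upper())
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# The three TTL options from the request, as policy names (assumed).
EVERY_TIME = "every_time"            # challenge on every reveal
ONCE_PER_WINDOW = "once_per_window"  # challenge once, valid for ttl seconds (e.g. 8h)
INACTIVITY = "inactivity"            # re-challenge after ttl idle seconds


class StepUpGate:
    """Requires a secondary check before a TOTP code is revealed or filled."""

    def __init__(self, policy: str, ttl_seconds: int = 0):
        self.policy = policy
        self.ttl = ttl_seconds
        self._validated_at = None   # time of the last successful challenge
        self._last_access = None    # time of the last successful reveal

    def needs_challenge(self, now: int) -> bool:
        if self.policy == EVERY_TIME or self._validated_at is None:
            return True
        if self.policy == ONCE_PER_WINDOW:
            return now - self._validated_at >= self.ttl
        if self.policy == INACTIVITY:
            return now - self._last_access >= self.ttl
        raise ValueError(f"unknown policy {self.policy!r}")

    def lock(self) -> None:
        """Vault locked / session ended: forget the step-up state."""
        self._validated_at = None
        self._last_access = None

    def reveal_totp(self, seed_b32: str, now: int, challenge) -> str:
        """`challenge` is a zero-arg callable standing in for the biometric or
        master-password prompt. A failed prompt never extends the window."""
        if self.needs_challenge(now):
            if not challenge():
                raise PermissionError("step-up authentication failed; TOTP withheld")
            self._validated_at = now
        self._last_access = now
        # In a real manager the seed would stay encrypted until this point.
        return totp(seed_b32, now)


def simulate(policy: str, ttl_seconds: int, accesses):
    """Replay (unix_time, prompt_succeeds) pairs against one gate.
    Returns a list of (was_challenged, code_or_None) per access."""
    gate = StepUpGate(policy, ttl_seconds)
    results = []
    for at, prompt_ok in accesses:
        challenged = gate.needs_challenge(at)
        try:
            code = gate.reveal_totp(DEMO_SEED_B32, at, lambda ok=prompt_ok: ok)
        except PermissionError:
            code = None
        results.append((challenged, code))
    return results


if __name__ == "__main__":
    t0 = int(time.time())
    # The use case from the post: one prompt, then 8 hours without a re-prompt.
    for challenged, code in simulate(ONCE_PER_WINDOW, 8 * 3600,
                                     [(t0, True), (t0 + 3600, True), (t0 + 8 * 3600, False)]):
        print("prompted" if challenged else "no prompt", code or "withheld")
```

The password field is untouched by the gate, which is the point of the request: a stolen unlocked session still yields the first factor, but the second factor costs a fresh prompt. Note that a failed prompt leaves the window unchanged, so an attacker cannot keep a session alive by repeatedly triggering and failing the challenge.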