1Password not asking for 2nd factor code or device
pauljanssen (New Contributor), 8 months ago
Hello, I set up 2nd factor authentication in 1Password (both an authenticator app and a Yubikey). Setup was successful, I even received an email confirming this, but when I log on to 1Password.com or the 1Password app on my PC, 1Password never asks for the second factor; all I need is my password to get in. What am I missing? Thanks for your help.
4 Replies
- pauljanssen (New Contributor):
  Hi Dave, Thanks for that additional information. You said that the intruder could just "grab the local encrypted vault itself from my device" without using 2FA. Please confirm that you meant "decrypted vault" (otherwise it would make no sense to me). And why not improve application security by decrypting the vault in memory only, while the vault is open, after the user provides 2FA, leaving it encrypted on the local device storage at all times? Even with thousands of passwords in the vault, the volume of data is low so would not take a large amount of memory or time to decrypt, when the vault is opened only. Please let me know your thoughts; thank you.

- 1P_Dave (Moderator):
  Hello pauljanssen! Thank you for reaching out! Two-factor authentication is an additional layer of protection when you sign in to 1Password on a new device or browser. When turned on, 1Password will require a second factor (such as an authenticator app or security key) after you enter your account password and Secret Key. You can read more here: Protecting your 1Password account with multi factor authentication. You can test to see if two-factor authentication is enabled by adding 1Password to a new device or browser (or you can open an Incognito/Private window in your existing browser and sign in to 1Password.com there). You won't be prompted for 2FA on existing devices and browsers where you're already authenticated. If you're not being prompted for your security key on new devices/browsers then let me know.
  -Dave

- pauljanssen (New Contributor):
  Hi Dave, Thanks for that suggestion. I was expecting 2FA to work every time I unlock the 1Password vault(s). Many other software applications work that way, and it is designed to prevent an intruder who gains access to your device (a PC in this example) from opening the app without proper authorization (and in the case of 1Password, being able to see all of someone's secrets). I have a highly secure password for 1Password but that does not mean it cannot be hacked. My banking apps require 2FA every time I log on, my pharmacy app works that way, my health provider portal works that way, basically any app (and corresponding website) that provides access to protected personal information. The 2FA-protected passwords for those critical apps are also stored in my 1Password vault. Therefore, by not requiring 2FA every time a user unlocks their 1Password vault, 1Password bypasses the security of ALL of those banking and health apps. I would argue there is significant liability here for 1Password. Please pass this message on to 1Password management.
  Moreover, I wish to urgently put in an enhancement request for the 1Password application to provide a configurable option to unlock vaults only when providing 2FA. Since this mechanism is already integrated into the software, it should be fairly easy to implement. Please advise; thank you. Sincerely, Paul Janssen

- 1P_Dave (Moderator):
  1Password's security works differently from other apps or services that you may use, since other apps only rely on authentication to protect your data. The reason why you're only prompted for your second factor when you add your 1Password account to a new device or browser is because of the role that encryption plays in your use of 1Password. When you first set up your 1Password account on a new device, and authenticate using your account credentials and second factor, 1Password will download a copy of your data locally to the device that doesn't require an ongoing connection to 1Password.com for you to use. It's why you're able to access your passwords and other items even without internet access. This local data is protected using encryption, not authentication, and 1Password requires a specific secret to decrypt that local data: your account password. At this point, requiring your second factor again would just be security theatre, since an attacker with access to your device could just grab the local encrypted vault file itself from your device without needing to provide a second factor to the app for authentication, even if we added an option to have the app require it. This means that your account password is your protection against local attacks on your device and you need to make sure that you choose a strong and unique account password:
  You can read more about authentication vs encryption here: Authentication and encryption in the 1Password security model
  -Dave
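To make the encryption-versus-authentication point concrete, here is an added toy model written for this thread; it is not 1Password's code or its real key-derivation scheme, and the PBKDF2 inputs, the HMAC-based stream cipher, the TOTP seed and all sample values are constructed assumptions. It shows that the local vault key is a function of the account password and Secret Key only, so a second-factor prompt at unlock time is a gate placed in front of `decrypt_vault`, not an input to it; the strength of the key inputs is what protects the file.

```python
"""Toy model of the encryption-vs-authentication point made in the thread.
Assumptions (not 1Password's real design): vault key = PBKDF2(password,
Secret Key || salt); a toy HMAC-SHA256 keystream cipher with an HMAC tag
stands in for a real AEAD so that this runs with the standard library only.
"""
import hashlib
import hmac
import secrets
import struct

SALT = b"constructed-salt"             # constructed sample value
SECRET_KEY = "A3-EXAMPLE-SECRET-KEY"   # constructed, not a real Secret Key
TOTP_SEED = b"constructed-totp-seed"   # constructed authenticator seed

def derive_vault_key(account_password: str) -> bytes:
    # The only inputs are the account password and the Secret Key (assumed).
    return hashlib.pbkdf2_hmac("sha256", account_password.encode(),
                               SECRET_KEY.encode() + SALT, 100_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    # Fails only on a wrong key (wrong account password) or a tampered file.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong account password (key) or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def totp(seed: bytes, at: int) -> str:
    # RFC 6238 TOTP, 30-second step, 6 digits; used only as the app's gate.
    mac = hmac.new(seed, struct.pack(">Q", at // 30), "sha1").digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"

def app_unlock(blob: bytes, account_password: str, code: str, at: int) -> bytes:
    # The "always ask for 2FA on unlock" option the thread requests, as a UI gate.
    # Note that the code is checked and then discarded: it never reaches the key.
    if not hmac.compare_digest(code, totp(TOTP_SEED, at)):
        raise PermissionError("second factor rejected")
    return decrypt_vault(derive_vault_key(account_password), blob)
```

Because the second factor contributes no key material, the same ciphertext opens with `decrypt_vault(derive_vault_key(password), blob)` whether or not the gate ran, which is the "security theatre" argument above.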