pauljanssen (New Contributor), 8 months ago
1Password not asking for 2nd factor code or device
 Hello, I set up 2nd factor authentication in 1Password (both an authenticator app and a Yubikey). Setup was successful, I even received an email confirming this, but when I log on to 1Password.com or...
pauljanssen (New Contributor), 8 months ago
Hi Dave,
Thanks for that suggestion. I was expecting 2FA to work every time I unlock the 1Password vault(s). Many other software applications work that way, and it is designed to prevent an intruder who gains access to your device (a PC in this example) from opening the app without proper authorization (and in case of 1Password, be able to see all of someone's secrets). I have a highly secure password for 1Password but that does not mean it cannot be hacked. My banking apps require 2FA every time I log on, my pharmacy app works that way, my health provider portal works that way, basically any app (and corresponding website) that provides access to protected personal information. The 2FA-protected passwords for those critical apps are also stored in my 1Password vault. Therefore, by not requiring 2FA every time a user unlocks their 1Password vault, 1Password bypasses the security of ALL of those banking and health apps. I would argue there is significant liability here for 1Password.
Please pass this message on to 1Password management. Moreover, I wish to urgently put in an enhancement request for the 1Password application to provide a configurable option to unlock vaults only when providing 2FA. Since this mechanism is already integrated into the software, it should be fairly easy to implement. Please advise; thank you.
Sincerely,
Paul Janssen
1P_Dave (Moderator), 8 months ago
1Password's security works differently from other apps or services that you may use since other apps only rely on authentication to protect your data. The reason why you're only prompted for your second factor when you add your 1Password account to a new device or browser is because of the role that encryption plays in your use of 1Password.
When you first set up your 1Password account on a new device and authenticate using your account credentials and second factor, 1Password will download a copy of your data locally to the device that doesn't require an ongoing connection to 1Password.com for you to use. It's why you're able to access your passwords and other items even without internet access.
This local data is protected using encryption, not authentication, and 1Password requires a specific secret to decrypt that local data: your account password. At this point, requiring your second-factor again would just be security theatre since an attacker with access to your device could just grab the local encrypted vault file itself from your device without needing to provide a second factor to the app for authentication even if we added an option to have the app require it. This means that your account password is your protection against local attacks on your device and you need to make sure that you choose a strong and unique account password:
You can read more about authentication vs encryption here: Authentication and encryption in the 1Password security model
-Dave
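As an added illustration of the authentication-versus-encryption distinction described above (example code written for this page, not 1Password's own implementation or vault format): the server-side sign-in checks both factors before handing out the encrypted copy, while unlocking that local copy depends only on the key derived from the account password, so password strength and KDF cost are what protect data at rest. The HMAC-SHA256 keystream is a standard-library stand-in for the AEAD a real vault would use, and the sample password, vault contents and one-time code are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample credentials and vault contents (not real data).
ACCOUNT_PASSWORD = "correct horse battery staple example"
VAULT_ITEMS = b'{"bank": "pw-bank-example", "pharmacy": "pw-rx-example"}'

def derive_key(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Account password -> 32-byte key. This is the only cost an offline
    guesser pays, so password entropy and the work factor are the defence."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag

def decrypt_vault(key: bytes, blob: bytes):
    """Returns the plaintext, or None on a wrong key or a tampered file."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def sign_in_to_server(password: str, totp_code: str, expected_code: str = "123456") -> bool:
    """Authentication path: the second factor is checked here, before the
    server releases the encrypted vault to a new device or browser."""
    return password == ACCOUNT_PASSWORD and totp_code == expected_code

def make_local_vault():
    """What lands on the device after a successful sign-in: salt + ciphertext."""
    salt = os.urandom(16)
    return salt, encrypt_vault(derive_key(ACCOUNT_PASSWORD, salt), VAULT_ITEMS)

def unlock_local_vault(salt: bytes, blob: bytes, password: str):
    """Decryption path: no second factor participates; the password-derived
    key is the whole protection for the file at rest."""
    return decrypt_vault(derive_key(password, salt), blob)
```

Raising the iteration count or choosing a longer password changes the cost of `unlock_local_vault` for a wrong guess; adding a second-factor prompt in front of it would not.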
