Forum Discussion
kmtharakan
5 years ago
New Contributor
2FA
I've been told that I should use a third-party app like Authy for 2FA authentication instead of leaving that in 1Password as well.
i.e., don't leave all of your eggs in 1 basket.
Can someone tel...
Jack_P_1P
1Password Team
5 years ago
Hey kmtharakan:
Great question! What my colleague Blake wrote here is a fantastic answer as to why, and it also has some additional discussion about this very topic:
Short answer: I would recommend keeping your 2FA codes within 1Password. Then focus on keeping your 1Password account secure (i.e. don't share your Master Password with anyone or anything). To that end, if you're feeling fancy, you can enable two-factor authentication on your 1Password account, keeping the convenience of having your 2FA codes autofilled by 1Password and restoring the true two-factorness.
Slightly longer answer: The most important part of securing your online accounts is using strong, unique passwords for each site (for which 1Password is perfect). The next most important part is code-based 2FA, which brings two main advantages:
"One-timeness" - a password is the same every time you use it, meaning if it's compromised in transit (like if you're on a non-HTTPS site and an unsecured WiFi network), it's useful to a potential attacker until you change it. The one-time passwords of 2FA change every 30 seconds following a pattern only you and your authenticator app know, so a potential attacker intercepting your network traffic now has an extremely limited window of usefulness on the captured information.
"Second factor" - If you keep a password for an account on one of your devices, and only sign in to that account on that device, while your 2FA codes are stored on a separate device, you have a true second factor. A potential attacker would need both devices to access your account, hence the two of two-factor authentication.
TL;DR? Keeping your 2FA codes with your passwords in 1Password removes the true second factor aspect of 2FA. But it retains the one-timeness, which makes the theoretical "weak link" your 1Password vault. Which is a pretty sweet weak link, if you ask me. 😉
If you're up for a more in-depth read on this particular topic, our very own Head of Security, @jpgoldberg, covers this pretty well over on this blog post.
If you've got any further questions, let me know and I'd be happy to help you out!
Jack