Forum Discussion

bthom
New Contributor
22 days ago

2FV Questions

Hello,

Just switched from LastPass to 1Password and liking the experience so far. I'd like to be able to have a similar 2FV setup though, and I can't figure out if this is possible in 1Password from the online documentation. In particular, at LastPass, I could link 2 different authenticators to my LastPass account, and either one would verify me. Moreover, they had an emergency phone call option, which I chose to go to my land line, which has been useful on occasion. Is this possible when I set up 1Password 2FV on my account? 

From my limited knowledge, this seems to me like a best practice, so also appreciate comments on that, especially since the platforms' underlying security models and recovery code schemes are quite different.

Thanks.

3 Replies

  • Hello bthom! 👋

    Welcome to 1Password! You can use multiple two-factor authenticator apps with 1Password by scanning the QR code that appears when you set up two-factor authentication for your 1Password account using both authenticator apps. If you've already set up two-factor authentication then you can replace the current authenticator app and set up 2FA again: 

    "Moreover, they had an emergency phone call option, which I chose to go to my land line, which has been useful on occasion. Is this possible when I set up 1Password 2FV on my account?"

    Can you tell me a little more about the "emergency phone call option"? I know that certain other password managers allow you to add SMS text as a second factor (which 1Password doesn't due to the insecure nature of SMS text) but I'm not personally aware of a phone call option and I would love to learn more. 

    -Dave

    • bthom
      New Contributor

      Dave,

      I live where cellular doesn't work and sadly cellular-over-wifi is unreliable. Should my authenticator for some reason fail, I thus liked having another way of getting an OTP code to verify myself when I logged into LastPass in an emergency. I had to do this on occasion when internet was down. They offered 2 ways to receive such a code, either SMS or phone call. I chose the land line. 

      If you could provide a link to a discussion about why SMS as a 2nd factor is unreliable, I'd appreciate it. I ask b/c various other firms that deal w/financials offer this and I want to better understand the weakness. I'd like to think land line is more secure, as long as you trust the folks living in your house who might pick up the phone, but am unsure. 

      Since you have the recovery option w/in trusted family members (that disables 2FV), and a recovery code (presumably also disabling 2FV), my worries about backups are a bit less than they were before I discovered these options.

      My experience so far is: I'm impressed; you make a nice product and it is way more pleasant to use than LastPass was.

      • 1P_Dave
        Moderator

        bthom​ 

        Thank you for the reply and for those details. SMS-based MFA (and voice-based MFA is vulnerable to the same issues) is discouraged by cybersecurity bodies such as the National Institute of Standards and Technology (NIST). You can read more in a blog that we published earlier this year: The urgent need to replace SMS-based MFA

        Adding another family organizer who can help you recover access to your account, if necessary, is a great backup. When a family organizer recovers your account, your two-factor authentication will be reset. Saving a recovery code is also a good idea in case you lose your account password or Secret Key, but a recovery code won't reset two-factor authentication. 

        Remember that you're only prompted for two-factor authentication when you first sign into your 1Password account on a new device or in a new browser. And, as long as you have access to 1Password on one of your devices, you can turn off two-factor authentication from there if you lose your authenticator app. Authenticator apps using the TOTP standard (used by 1Password) don't require internet access to generate the one-time password. 

        Let me know if you have any other questions. 

        -Dave
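
The two points made in the replies above (two authenticator apps enrolled from the same QR code both work, and TOTP codes are generated without internet access) follow from how RFC 6238 derives a code from a shared secret and the clock. This is an added example, not part of the thread and not 1Password's code; the secret is the RFC 6238 test key, and the `verify` function with its one-step drift window is an assumption about a typical server-side check.

```python
import base64, hashlib, hmac, struct

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
# In a real enrollment this value is what the QR code carries.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): inputs are the shared secret and a clock only."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)       # 8-byte time-step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, server_time, window=1, step=30):
    """Hypothetical server check: accept codes within +/- `window` time steps."""
    for drift in range(-window, window + 1):
        t = server_time + drift * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t, step), submitted):
            return True
    return False

def demo(server_time=59):
    # Two apps that scanned the same QR code hold the same secret.
    phone, tablet = SECRET, SECRET
    return {
        "phone_code": totp(phone, server_time),
        "tablet_code": totp(tablet, server_time),
        # A device whose clock runs 25 s fast lands in the next step: accepted.
        "drift_25s_ok": verify(SECRET, totp(phone, server_time + 25), server_time),
        # A device clock 5 minutes off falls outside the window: rejected.
        "drift_5min_ok": verify(SECRET, totp(phone, server_time + 300), server_time),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because every enrolled app holds the same secret, losing one device does not invalidate the other, and anyone who obtains a copy of the QR code can generate valid codes, so the enrollment QR code needs the same care as a password.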