Former Member
3 years ago
Disable OTP codes for certain devices?
I read a recent horror story about how someone had all their information stolen from their computer (using Dashlane). Basically, the user had installed a trojan, which keylogged their master password, and ...
1P_Dave
Moderator
3 years ago
Hello @schveiguy! 👋
Thank you for the feedback! Before I respond to the TOTP suggestion, I wanted to touch upon 1Password's security. 1Password has various protections to keep your data safe, but, as you noted, it can't protect you from malware once it has already infiltrated your system and gained full access to your Mac. The following principles will help to keep your data safe:
- Only download official versions of software from a developer's website or from a reputable app/web store.
- Keep operating system protections against malware turned on. For example, on macOS make sure that Gatekeeper is set to only allow applications from the "App store and identified developers".
- Keep your system updated and don't run old unsupported versions of software. This is especially important for browsers, operating systems, and 1Password itself.
It's also important to remember that 1Password's architecture differs from other password managers in that the account password is only part of the picture. Your data is also protected using your Secret Key and you can further protect your account by using two-factor authentication: Turn on two-factor authentication for your 1Password account
Regarding brute force attacks: our team is continually evaluating how we can better protect your data locally on your device. We recently increased PBKDF2 hashing to 650,000 which helps protect you from a brute force attack that tries to guess your account password. And we use the native security features of each platform, such as Secure Input on macOS, to further protect your data as much as possible from malware and keyloggers.
> I'm wondering, for 2FA OTP codes, since those are basically just stored in the vault it kinda defeats the purpose of having 2FA. Would it be possible to store only the OTP codes on certain devices?
It seems to me that it would be very confusing for folks to remember two different passwords and keep track of two different Secret Keys, which is what would be required to store TOTP codes completely separately. However, I'll pass the idea along to our Product team for consideration. Have you considered using a security key, such as a YubiKey, as a second factor for your accounts instead of TOTP? A security key would provide a true second factor for your accounts.
Regarding the safety of storing TOTP codes in 1Password, we have a great blog article here: 1Password & 2FA: Is it Safe to Store Passwords and 2FA Codes Together?
-Dave
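The two technical points in this exchange (why a Secret Key plus PBKDF2 stretching blunts offline guessing of the account password, and why a TOTP seed kept in the same vault is not an independent second factor) can be made concrete with a small model. The following is an added example written for this thread, not 1Password's own code or its actual key-derivation scheme: the two-secret derivation is a simplified stand-in, the 128-bit Secret Key entropy and the 40-bit password strength are assumptions, and all sample values are constructed. The HOTP/TOTP part follows RFC 4226 and RFC 6238 and is checked against their published test vectors.

```python
"""Illustrative model (not 1Password's code) of two points from the thread:
1. A high-entropy Secret Key plus PBKDF2 stretching makes offline guessing of
   the account password impractical even if the encrypted vault is obtained.
2. A TOTP seed stored in the vault is not an independent second factor:
   anyone holding the seed can compute the current code (RFC 4226 / 6238).
"""
import hashlib
import hmac
import time

PBKDF2_ITERATIONS = 650_000   # iteration count quoted in the reply above
SECRET_KEY_BITS = 128         # assumed entropy of a randomly generated Secret Key


def derive_vault_key(account_password: str, secret_key: bytes, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Simplified two-secret derivation (an assumption, not a real product's
    algorithm): stretch the password with PBKDF2-HMAC-SHA256, then bind the
    result to the Secret Key with HMAC. Both secrets are needed to reproduce
    the key, so a stolen vault alone is not enough to test password guesses."""
    stretched = hashlib.pbkdf2_hmac("sha256", account_password.encode("utf-8"),
                                    salt, iterations, dklen=32)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def guesses_per_second(iterations: int = PBKDF2_ITERATIONS) -> float:
    """Measure how many password guesses one CPU core can test per second at
    the given iteration count (the slow part of derive_vault_key)."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", b"constructed-salt", iterations, dklen=32)
    return 1.0 / (time.perf_counter() - start)


def years_to_exhaust(entropy_bits: float, rate: float) -> float:
    """Years needed to exhaust a keyspace of 2**entropy_bits at `rate` guesses/s."""
    return (2.0 ** entropy_bits) / rate / (365.25 * 24 * 3600)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time.
    Nothing beyond the seed and the clock is needed, which is why a seed
    stored next to the password gives no independent factor."""
    return hotp(seed, unix_time // step, digits)


if __name__ == "__main__":
    # Constructed sample values; nothing here is a real credential.
    salt = b"constructed-salt"
    secret_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    key_a = derive_vault_key("correct horse battery staple", secret_key, salt, 10_000)
    key_b = derive_vault_key("correct horse battery staple", bytes(16), salt, 10_000)
    print("Same password, different Secret Key, same vault key?", key_a == key_b)

    rate = guesses_per_second()
    print(f"~{rate:.1f} guesses/s per core at {PBKDF2_ITERATIONS:,} iterations")
    print(f"40-bit password, Secret Key also obtained: "
          f"{years_to_exhaust(40, rate):.1f} years to exhaust")
    print(f"40-bit password, Secret Key unknown to the attacker: "
          f"{years_to_exhaust(40 + SECRET_KEY_BITS, rate):.2e} years to exhaust")

    # RFC 6238 test seed: the code depends only on the seed and the time.
    seed = b"12345678901234567890"
    print("TOTP computed from a stored seed at t=59:", totp(seed, 59))
```

The first part shows that the iteration count only slows each guess by a constant factor; what moves the brute-force estimate from hours to astronomical figures is the extra 128 bits the attacker does not hold. The second part is the mechanical reason behind the "true second factor" remark: a TOTP seed is just another secret, so a vault compromise yields the codes along with the password, whereas a hardware security key never discloses its private key.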