Forum Discussion
jazzman
Super Contributor
3 months ago
I am still confused about 2FA and need help.
I use a Mac computer, iPad and iPhone. I've been a 1Password user for eleven years. Question #1: Do you really need more security other than the passwords generated by 1Password? Question #2: If t...
1P_Dave
Moderator
3 months ago
Hello jazzman! 👋
Thanks for the ping! The purpose of two-factor authentication is to prevent someone from signing in if they've somehow stolen, discovered, or guessed your password. There are many different forms of two-factor authentication such as:
- A one-time password generated by an authenticator like 1Password. This is normally referred to as Time-based One-time Password or TOTP.
- A one-time password sent by a website as an SMS text message to your phone.
- A push notification sent by a website to a dedicated app that you'll tap on to approve the login.
- A physical hardware security key that you need to plug into your device.
- A passkey.
Which method is available for a particular website is controlled by that website's developers. SMS is considered to be the least secure option for 2FA. You can read more here: The urgent need to replace SMS-based MFA
Now onto your specific questions:
Question #1: Do you really need more security other than the passwords generated by 1Password?
If you're already using 1Password to generate strong and unique passwords for all of your accounts then that's a great first step! Turning on 2FA adds additional protection if someone were to intercept or steal a password for a website: 1Password and 2FA: Is it wrong to store passwords and one-time codes together?
Question #2: If the answer to #1 is yes, on my Mac many websites use different types of 2FA. Some use SMS while others use a Passkey. Some incorporate biometrics. I'm really having trouble making sense out of all this. I've read where SMS isn't safe. So, what to do? Please give me some advice as I am so confused about 2FA and kind of stuck at the moment.
Which 2FA options exist for a particular website depends on that website and the choices made by their development team. This isn't something that 1Password controls. You might find that one website only offers SMS 2FA while another gives you several different options including SMS, TOTP, or a hardware security key.
The easiest option is to use 1Password to save a one-time password (TOTP) using this guide (as long as the website supports it): Use 1Password as an authenticator for sites with two-factor authentication
If a website offers the option to use a passkey for login instead of a password then that would be the most secure option. Passkeys can provide the same level of security as password + two-factor authentication, with a lot less friction. It isn’t necessary to use a separate multi-factor authentication solution on top of a passkey. Passkeys cannot be remotely phished, socially engineered, or leaked. Those are the threats that two-factor authentication was designed to protect against.
Question #3: My iOS devices are totally different. I use biometrics on apps most of the time, and they log me right in. In that case, does that mean they bypass the username and password, or do they use both? Do I still need additional security on each app in addition to that? I have around 15 apps that I use, and each one has its own type of 2FA. It seems really complicated. Once again, I'm kind of stuck regarding those apps and 2FA. Please give me some advice.
Once you've signed into an app on your iOS device using a password or passkey, that app might allow you to sign in using biometrics in the future. This usually means that the app has saved a "token" on your device that it will use to sign you in once you've provided your fingerprint or face. This is generally a convenience feature so that you don't have to enter your password each time to sign in.
Since each app can work differently, I recommend reaching out to the specific developer of an app to learn more about how they secure that app and their recommendations regarding 2FA.
-Dave
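Why a passkey resists phishing where a TOTP code does not, as an added example that is not part of the original thread or 1Password's code: a six-digit code carries no record of the site it was typed into, while a passkey response signs the origin the browser actually saw. The function names, the constructed example.com and look-alike origins, and the HMAC stand-in for the passkey's public-key signature are assumptions of this sketch.

```python
import hashlib
import hmac
import json
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) computed over the current time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def site_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    # The site sees only the digits; nothing in them records which page
    # the user typed them into, so a code entered elsewhere still verifies.
    return hmac.compare_digest(totp(secret, now), submitted)

def authenticator_sign(key: bytes, challenge: str, origin: str) -> dict:
    # Passkey model: the browser, not the user, supplies the origin that
    # gets signed. HMAC stands in for the public-key signature (assumption).
    client_data = json.dumps({"challenge": challenge, "origin": origin})
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def site_accepts_passkey(key: bytes, assertion: dict,
                         challenge: str, expected_origin: str) -> bool:
    expected = hmac.new(key, assertion["client_data"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False                              # tampered or wrong key
    data = json.loads(assertion["client_data"])
    # Fresh challenge stops replay; origin check stops look-alike sites.
    return data["challenge"] == challenge and data["origin"] == expected_origin

if __name__ == "__main__":
    secret = b"12345678901234567890"              # RFC 6238 test secret
    print("TOTP at t=59:", totp(secret, 59))
    key = b"constructed-demo-key"
    real = authenticator_sign(key, "c1", "https://example.com")
    fake = authenticator_sign(key, "c1", "https://login-example.test")
    print("real origin accepted:", site_accepts_passkey(key, real, "c1", "https://example.com"))
    print("look-alike accepted:", site_accepts_passkey(key, fake, "c1", "https://example.com"))
```

In real WebAuthn the credential is also scoped to the site's domain, so the authenticator would not offer it on a look-alike page in the first place.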
- jazzman, Super Contributor, 3 months ago
Hi 1P_Dave!
Thank you so much for your terrific answers, Dave. I think they clarified things for me and helped me make some decisions going forward. I appreciate your prompt and thorough responses to my questions.
- 1P_Dave, Moderator, 3 months ago
I'm happy to help! 🙂
-Dave