Forum Discussion

jazzman
Super Contributor
3 months ago
Solved

I am still confused about 2FA and need help.

I use a Mac computer, iPad and iPhone. I've been a 1Password user for eleven years. 

Question #1: Do you really need more security other than the passwords generated by 1Password?

Question #2: If the answer to #1 is yes, on my Mac many websites use different types of 2FA. Some use SMS while others use a Passkey. Some incorporate biometrics. I'm really having trouble making sense out of all this. I've read where SMS isn't safe. So, what to do? Please give me some advice as I am so confused about 2FA and kind of stuck at the moment.

Question #3: My IOS devices are totally different. I use biometrics on apps most of the time, and they log me right in. In that case, does that mean they bypass the username and password, or do they use both? Do I still need additional security on each app in addition to that? I have around 15 apps that I use, and each one has its own type of 2FA. It seems really complicated. Once again, I'm kind of stuck regarding those apps and 2FA. Please give me some advice. 

  • Hello jazzman! 👋

    Thanks for the ping! The purpose of two-factor authentication is to prevent someone from signing in if they've somehow stolen, discovered, or guessed your password. There are many different forms of two-factor authentication such as:

    • A one-time password generated by an authenticator like 1Password. This is normally referred to as a Time-based One-time Password or TOTP. 
    • A one-time password sent by a website as an SMS text message to your phone. 
    • A push notification sent by a website to a dedicated app that you'll tap on to approve the login.
    • A physical hardware security key that you need to plug into your device.
    • A passkey.


    Which method is available for a particular website is controlled by that website's developers. SMS is considered to be the least secure option for 2FA. You can read more here: The urgent need to replace SMS-based MFA

    Now onto your specific questions:

    Question #1: Do you really need more security other than the passwords generated by 1Password?

    If you're already using 1Password to generate strong and unique passwords for all of your accounts then that's a great first step! Turning on 2FA adds additional protection if someone were to intercept or steal a password for a website: 1Password and 2FA: Is it wrong to store passwords and one-time codes together?

    Question #2: If the answer to #1 is yes, on my Mac many websites use different types of 2FA. Some use SMS while others use a Passkey. Some incorporate biometrics. I'm really having trouble making sense out of all this. I've read where SMS isn't safe. So, what to do? Please give me some advice as I am so confused about 2FA and kind of stuck at the moment.

    Which 2FA options exist for a particular website depends on that website and the choices made by their development team. This isn't something that 1Password controls. You might find that one website only offers SMS 2FA while another gives you several different options including SMS, TOTP, or a hardware security key. 

    The easiest option is to use 1Password to save a one-time password (TOTP) using this guide (as long as the website supports it): Use 1Password as an authenticator for sites with two-factor authentication

    If a website offers the option to use a passkey for login instead of a password then that would be the most secure option. Passkeys can provide the same level of security as password + two-factor authentication, with a lot less friction. It isn’t necessary to use a separate multi-factor authentication solution on top of a passkey. Passkeys cannot be remotely phished, socially engineered, or leaked. Those are the threats that two-factor authentication was designed to protect against.

    Question #3: My IOS devices are totally different. I use biometrics on apps most of the time, and they log me right in. In that case, does that mean they bypass the username and password, or do they use both? Do I still need additional security on each app in addition to that? I have around 15 apps that I use, and each one has its own type of 2FA. It seems really complicated. Once again, I'm kind of stuck regarding those apps and 2FA. Please give me some advice. 

    Once you've signed into an app on your iOS device using a password or passkey that app might allow you to sign in using biometrics in the future. This usually means that the app has saved a "token" on your device that it will use to sign you in once you've provided your fingerprint or face. This is generally a convenience feature so that you don't have to enter your password each time to sign in. 

    Since each app can work differently, I recommend reaching out to the specific developer of an app to learn more about how they secure that app and their recommendations regarding 2FA. 

    -Dave

7 Replies

  • Hianodevz
    New Contributor

    Been in the same spot with multiple devices and apps. Passwords from 1Password are solid, but adding 2FA adds an extra layer in case something leaks. I mix passkeys and biometrics for apps that support them, and for a few others I use SMS tested through https://sms.to just to make sure messages get through. The biometrics usually just unlock the stored credentials, so you’re still protected, but having a second factor feels safer, especially across all those apps.

  • jazzman
    Super Contributor

    Hi 1P_Dave!

    Thank you so much for your terrific answers, Dave. I think they clarified things for me and helped me make some decisions going forward. I appreciate your prompt and thorough responses to my questions. 

  • jazzman
    Super Contributor

    I'm sorry but my question is directly related to how to use 1Password. Up until now, my experience has been to set up 2FA for each site and app that I use. This is complicated and tedious. I was just wondering if there was a more streamlined approach available. I.e., is some secure 2FA available that can be used in conjunction with 1Password that would make the process easier? In addition to that, I have used SMS for 2FA on some sites but, based on research, I don't believe it is secure. Thank you for your assistance.

  • AJCxZ0
    Bronze Expert

    I don't use a Mac, iPad, or iPhone, but use a variety of devices, platforms, and applications including the 1Password browser extension for which you tagged this post.

    1. Despite there being nowhere near enough context to make this question meaningful, I'll say yes, I do need more security other than passwords, whether generated by 1Password or not.
    2. While I know nothing about web sites on your Mac, web sites in the Internet use a wide range of identification and authentication methods which change from time to time and often confuse and confound all of us.
      I advise that as a 1Password user, you can easily store usernames, passwords, TOTP keys and passkeys, where TOTP is used as a second factor and passkeys may be a first-and-only or second factor, so use passkeys when available, else use TOTP, storing these in 1Password.
    3. We know nothing of your apps on your iOS (not Cisco's IOS) devices, how they use biometrics, or how this relates to 1Password.
      I advise focusing your questions here on how to use 1Password.


    There isn't and never will be one right way to approach identification and authentication, either for each of us or the various sites, services, applications, platforms, or devices which we use. The fact that we use a pretty good tool for storing and retrieving secrets which also generates long random passwords gives us a big advantage in that we can easily choose options which maximise the "security" of many of our things. Nevertheless, we are still left with some challenges such as how to store the recovery/backup codes when setting up TOTP [see e.g. danielrosehill's suggestion].