Forum Discussion
security1010
4 months ago
Occasional Contributor
Login with QR - a risk?
Hello, I have a concern on the login with QR. I’ve read how it securely sends my secret key and master password and how I need to verify on the approver device but if someone had my passw...
- 4 months ago
Hello security1010! 👋
Thanks for the question! Signing in to 1Password with a QR code is secure, you can find more information here:
If someone gets access to your 1Password account then they would have access to all of your items even without the QR code feature. They could take screenshots of your items and save those without you knowing. The best way to protect yourself is to make sure that 1Password is locked when you're not using it: How to set 1Password to lock automatically
You can also enable two-factor authentication using a security key for your account. When enabled, you'll still need to provide your security key even when signing in using a QR code (this does not apply to two-factor authentication using a TOTP authenticator app for family/individual accounts): Turn on two-factor authentication for your 1Password account
Once you sign in to a new device using a QR code, you'll receive an email letting you know that your 1Password account has been accessed from a new device, and you'll see that new device listed on your profile (in the top right corner) when logging into and accessing 1Password on the web.
I hope that helps.
-Dave
security1010
4 months ago
Occasional Contributor
Thanks 1P_Dave
So sounds like 2FA is a must.
Interesting it wasn’t on/required to set up by default from the start.
All clear though. Thanks.
1P_Dave
Moderator
4 months ago
I believe that most services allow customers the choice of whether to enable two-factor authentication due to the additional work and maintenance of the second factor that is required. That being said, 1Password Business does include an option for administrators to require two-factor authentication for all team members.
Enabling two-factor authentication using a hardware security key is a great step to take if you'd like that additional protection. You can read more on our blog: Protecting your 1Password account with multi factor authentication
Let me know if you have any other questions in the future.
-Dave
- security1010 4 months ago
Occasional Contributor
I just tested this on a laptop - I opened a browser in incognito - was able to sign in, no 2FA needed.
- 1P_Dave 4 months ago
Moderator
Thanks for the reply, there was a detail that I missed (that I've now added to the previous posts): when using a QR code to sign in, you won't be prompted for 2FA if you're using an authenticator app but you will be if you're using a hardware security key. One of my colleagues went into more detail about the intent behind this design here: https://www.reddit.com/r/1Password/comments/1d2msjc/comment/l66gd4h/
Are you using a security key or a TOTP authenticator app for two-factor authentication? If you're using a TOTP authenticator app then is a switch to force 2FA even after signing in using a QR code something that you'd like to see added as an option?
-Dave
#26692
- security1010 4 months ago
Occasional Contributor
1P_Dave - you said there is a switch to force 2FA - yes I would like that, how is that done?