security1010
5 months ago
Occasional Contributor
Login with QR - a risk?
Hello, I have a concern on the login with QR. I’ve read how it securely sends my secret key and master password and how I need to verify on the approver device but if someone had my passw...
- 5 months ago
Hello security1010! 👋
Thanks for the question! Signing in to 1Password with a QR code is secure. You can find more information here:
If someone gets access to your 1Password account then they would have access to all of your items even without the QR code feature. They could take screenshots of your items and save those without you knowing. The best way to protect yourself is to make sure that 1Password is locked when you're not using it: How to set 1Password to lock automatically

You can also enable two-factor authentication using a security key for your account. When enabled, you'll still need to provide your security key even when signing in using a QR code (this does not apply to two-factor authentication using a TOTP authenticator app for family/individual accounts): Turn on two-factor authentication for your 1Password account
Once you sign in to a new device using a QR code, you'll receive an email letting you know that your 1Password account has been accessed from a new device, and you'll see that new device listed on your profile (in the top right corner) when logging into and accessing 1Password on the web.
I hope that helps.
-Dave
1P_Dave
Moderator
5 months ago
Thanks for the reply. There was a detail that I missed (that I've now added to the previous posts): when using a QR code to sign in, you won't be prompted for 2FA if you're using an authenticator app but you will be if you're using a hardware security key. One of my colleagues went into more detail about the intent behind this design here: https://www.reddit.com/r/1Password/comments/1d2msjc/comment/l66gd4h/
Are you using a security key or a TOTP authenticator app for two-factor authentication? If you're using a TOTP authenticator app then is a switch to force 2FA even after signing in using a QR code something that you'd like to see added as an option?
-Dave
#26692
security1010
5 months ago
Occasional Contributor
1P_Dave - you said there is a switch to force 2FA - yes I would like that, how is that done?
- 1P_Dave 5 months ago
Moderator
To clarify, a switch of this sort isn't currently available for QR code sign-ins; however, I've filed a feature request with our product team to let them know that you'd like to see it added in the future. 🙂
For the time being, using a hardware security key for two-factor authentication will enforce MFA on each sign-in using a QR code.
-Dave
PB-50257186
- security1010 5 months ago
Occasional Contributor
So when is 2FA actually enforced? Only in the case of not logging in with a QR code?
- 1P_Dave 5 months ago
Moderator
Thanks for the question. When signing into an individual or family account with your account password and Secret Key, you'll be asked for either a one-time password from your authenticator app or for your hardware security key if either option is enabled for 2FA.
When signing in with a QR code, you'll be asked for your hardware security key if you've added a security key to your account.
-Dave