Forum Discussion
security1010
4 months ago · Occasional Contributor
Login with QR - a risk?
Hello, I have a concern on the login with QR. I’ve read how it securely sends my secret key and master password and how I need to verify on the approver device but if someone had my passw...
- 4 months ago
Hello security1010! 👋
Thanks for the question! Signing in to 1Password with a QR code is secure, you can find more information here:
If someone gets access to your 1Password account then they would have access to all of your items even without the QR code feature. They could take screenshots of your items and save those without you knowing. The best way to protect yourself is to make sure that 1Password is locked when you're not using it: How to set 1Password to lock automatically
You can also enable two-factor authentication using a security key for your account. When enabled, you'll still need to provide your security key even when signing in using a QR code (this does not apply to two-factor authentication using a TOTP authenticator app for family/individual accounts): Turn on two-factor authentication for your 1Password account
Once you sign in to a new device using a QR code, you'll receive an email letting you know that your 1Password account has been accessed from a new device, and you'll see that new device listed on your profile (in the top right corner) when logging into and accessing 1Password on the web.
I hope that helps.
-Dave
quinn_wellington
7 days ago · New Member
I'm trying to understand the security implications of using the QR code to authenticate a device.
Is there anything there to prevent an attacker from loading 1password on their device, copying the QR code, creating a phishing site, and getting me to scan it?
If I understand, FIDO2 devices like Yubikey will verify the origin, so it should not fill in the details to the phishing site. Passkeys also verify the origin.
However, if I scan a QR code, no TFA is presented and it is up to me to verify that the website is actually valid.
I understand the risk is relatively low since I rarely need to authenticate a new device, but the QR code seems inherently riskier than using a password / security key / FIDO2 device.
- 1P_Dave · 6 days ago
Moderator
Signing in to your 1Password account using a QR code is secure. Even if someone were to take a screenshot of the QR code the following protections apply:
- They have to convince you to open the 1Password app on a device that you're already signed in and use that app to scan a QR code. Just using the normal camera app won't work.
- The QR code is time-bound and regularly invalidated so taking a screenshot and then trying to trick you later won't work. Any attack would have to happen in real-time.
- You have to enter a confirmation code or accept a prompt after scanning the QR code in order to confirm sign-in. At this point you'll also be told information about the device that you're signing into. Just scanning the QR code won't automatically sign you in.
That being said, different people have different threat models. If you add a security key to your 1Password account then that security key will always be required when signing into a new device using a QR code: Use your security key as a second factor for your 1Password account
-Dave
- quinn_wellington · 6 days ago · New Member
Thanks for the information. I tried it again. I think it is still a phishing risk. I wasn't able to confirm the information about the physical security key as 2FA.
I have a 1password account with 2FA:
- Authenticator App
- Yubikey physical security key
The App is installed on my phone.
Steps
- Visit 1password.com in a private mode window on a computer
- Go to the login page
- Scan the QR code on my phone
- The phone App provides browser, city, and country
- Accept the authentication
- I'm logged in
I never was asked to use my physical security key. I wasn't asked for the Authenticator app either. So, no 2FA on the computer browser. Authenticating into the App was all that was required.
All of the information provided through the QR code process is phishable and requires human verification.
- The malicious website can proxy (in real time) the QR code
- The malicious website can transmit all the data from the victim when they visit a malicious site to the attacker's system. This includes the browser information (user agent) and IP address or location (if the user provides permission). The IP can provide a close enough match to a city. This is the same information that 1password displays in the app and it gets it the same way an attacker could.
So, this means the user has to hand-verify the URL. If they type 1password in incorrectly, use a malicious link, etc., they are phished.
The phishing resistance of FIDO2 and passkeys comes from the automation of the URL / origin verification. And that is left to the user here.
Am I missing something / misunderstanding?
Based on my testing, I should really only ever authenticate a device with my physical key if possible.
If I were to use the physical key, I need to provide the username and secret manually (both phishable), but then the physical key will refuse to authenticate.
I have 2FA with an authenticator app as a backup in case the physical key is lost or breaks. If I choose to use the QR code or authenticator app, I open myself up to phishing.
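The two claims in this thread worth seeing side by side are Dave's point that the QR token is time-bound and single-use, and quinn_wellington's point that FIDO2 and passkeys resist phishing because the origin check is automated rather than left to the human. The following is an added educational simulation written for this page; it is not 1Password's code and does not describe their protocol. The relying-party id, the genuine origin, the lookalike origin, the token lifetime and the key material are all constructed assumptions, and an HMAC stands in for the authenticator's public-key signature so the example runs on the Python standard library alone.

```python
"""Simulation of two sign-in flows: a time-bound QR token, whose validity is
time-only, versus a WebAuthn-style assertion whose signed data records the
origin the browser actually talked to.  Educational example, not 1Password's
protocol; all identifiers below are constructed."""
import hashlib
import hmac
import json
import os

RP_ID = "vault.example.test"                       # assumed relying-party id
GENUINE_ORIGIN = "https://vault.example.test"      # assumed genuine page origin
LOOKALIKE_ORIGIN = "https://vau1t-example.test"    # constructed lookalike origin


class QrLoginBroker:
    """Server side of a QR sign-in: a random token that expires after ttl seconds.
    Nothing in the token records which page displayed it, so approval can only
    be gated on time, single use and the human confirming the device details."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._pending = {}          # token -> expiry timestamp

    def issue(self, now):
        token = os.urandom(16).hex()
        self._pending[token] = now + self.ttl
        return token

    def approve(self, token, now):
        """Called when the already-signed-in app scans and confirms a token.
        Single-use and time-bound: unknown or expired tokens are rejected."""
        expiry = self._pending.pop(token, None)
        return expiry is not None and now <= expiry


def browser_assert(auth_key, challenge, page_origin):
    """Simulated browser plus authenticator.  clientDataJSON records the origin
    of the page that requested the assertion, and the signature covers
    authenticatorData || SHA-256(clientDataJSON), so the origin cannot be
    rewritten after signing.  HMAC replaces the real private-key signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x01])  # rpIdHash + UP flag
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(auth_key, signed, hashlib.sha256).digest()
    return client_data, auth_data, signature


def rp_verify(auth_key, expected_challenge, client_data, auth_data, signature):
    """Relying-party checks, in simplified WebAuthn order: type, challenge,
    origin, rpIdHash, user-presence flag, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != GENUINE_ORIGIN:          # the automated origin check
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    if not auth_data[32] & 0x01:                     # user-presence flag
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(auth_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def run_scenarios():
    """Returns the outcome of each scenario so the reasoning can be checked."""
    results = {}
    broker = QrLoginBroker(ttl_seconds=60)

    # QR: confirmation inside the window succeeds; a screenshot replayed later fails.
    fresh = broker.issue(now=1000.0)
    results["qr_confirmed_in_time"] = broker.approve(fresh, now=1030.0)
    stale = broker.issue(now=1000.0)
    results["qr_screenshot_replayed_later"] = broker.approve(stale, now=1100.0)
    # approve() never sees an origin: the broker cannot tell which page showed
    # the token, which is why the human reading the device details matters.

    # FIDO2/passkey: the RP issues a challenge; the browser signs it together
    # with the origin of the page that asked.
    key = os.urandom(32)
    challenge = os.urandom(32).hex()
    results["fido_genuine_origin"] = rp_verify(
        key, challenge, *browser_assert(key, challenge, GENUINE_ORIGIN))
    # The same challenge shown on a lookalike page: the browser stamps the
    # lookalike origin into clientDataJSON and verification fails.  A real
    # browser refuses even earlier, since RP_ID is not a registrable suffix of
    # the lookalike origin, so no prompt would appear at all.
    results["fido_relayed_via_lookalike"] = rp_verify(
        key, challenge, *browser_assert(key, challenge, LOOKALIKE_ORIGIN))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:32s} {ok}")
```

The design point is where the origin comparison happens: in the QR flow it is a human comparing an address bar against device details the approver app shows, while in the WebAuthn flow it is a field the browser writes and the relying party compares, protected by the signature from being edited in between. Reading the two verify paths next to each other makes clear why a security key, once it is the only second factor, changes the threat model in the way Dave describes.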
- 1P_Dave · 6 days ago
Moderator
Thanks for the reply. You’re right, security keys offer a unique level of phishing resistance. In your case, you currently have both a TOTP authenticator app (which can be phished) and a security key (which cannot).
If you want to benefit from the full protection your security key provides, you’ll need to make it the only second factor on your 1Password account by removing the authenticator app. Once it’s removed, your security key will be required whenever you sign in using a QR code, ensuring you’re getting the strongest possible protection.
Note: I recommend that you add multiple security keys to your account (at least two) in case you lose one.
-Dave
Issue=GA-75416