Forum Discussion

thinbread's avatar
thinbread
New Contributor
4 months ago
Solved

Not prompted for 2FA when login from browser

I set up 2FA with hardware keys (Yubikeys) many moons ago, as well as with an Authenticator app, and these have worked previously when logging into the 1Password app either on my Macbook or iPhone. I...
best practices
discussion
macos
  • 1P_Dave's avatar
    1P_Dave
    4 months ago

    thinbread​ 

    Thanks for the reply. 1Password is only designed to be used on a device that you trust and that is free of malware. The second-factor is used to authenticate your account on that device when you first sign into the account but after that the device is considered trusted and linked to your account. If you choose to sign in to your 1Password account on a device then an attacker with access to that device, and who knows your account password, will be able to access both your items as well as account management tools. 

    The concern is, now that 1Password has deemed the hardware second factor is no longer needed because it has chosen its own locally stored copy of encrypted 1Password data to be the only 2nd factor required for login

    The locally stored data isn't a second factor, it's an stored session that you've authenticated using your account credentials along with your second factor. It sounds like you might be look for the following option:


    If you click this option then you'll be prompted for your account information, along with 2FA, each time that you access your data on 1Password.com.

    Alternatively, you might wish to take a look at our passkey unlock beta. You can store the passkey used to unlock 1Password on a physical security key and use that to unlock 1Password each time: Add additional passkeys or security keys (Note: passkey unlock for 1Password is currently only available in beta and requires creating a new test account.)

    -Dave

1P_Dave's avatar
1P_Dave
Icon for Moderator rankModerator
4 months ago

Hello thinbread​! 👋

Welcome to the community! Two-factor authentication is an additional layer of protection when you sign in to 1Password on a new device or browser. When turned on, 1Password will require a second-factor (such as an authenticator app or security key) after you enter your account password and Secret Key. You can read more here: Protecting your 1Password account with multi factor authentication

You won't be prompted for 2FA on existing devices and browsers where you're already authenticated since 1Password's security works differently from other apps or services that you may use since other apps only rely on authentication to protect your data which 1Password uses encryption to protect your data locally. You can read more here: Authentication and encryption in the 1Password security model

Once you sign into 1Password in a browser using your sign-in credentials (including your second-factor) the authentication process with the 1Password.com server is complete and a copy of your encrypted vault is downloaded locally to your device. After that, you're not authenticating with our server all over again and instead you're using your password to decrypt (or unlock) the locally downloaded vault on your device. 

If you uninstall the 1Password browser extension and you clear your browser's history/cookie/cache then you'll be prompted for your second-factor when you log in to your 1Password account on 1Password.com.

-Dave

  • thinbread's avatar
    thinbread
    New Contributor
    4 months ago

    Thanks Dave for the response and the links. After reading through and a bit of consideration, i think the information provided, though very useful -- thanks! -- just confirms a concern of mine, but I'll share some context first to make sure I'm being clear about the scenario in question:

    Let's say for the sake of this discussion that I'm not asking about the security of my vault data (and yes, I'm familiar with the distinction between authentication and encryption). My focus for the moment is on the non-vault data tied to my 1Password account and the account-based capabilities or functionality that 1Password offers through the browser -- such as  'Manage Two-factor Authentication' (adding or removing second factors, such as hardware keys) or   Unlinking devices/sessions that are linked to my account -- both of which  (and more) are accessible when logging into an account on the 1Password.com website via a browser where the following are true:

    1. The account has previously been logged into via that same browser - so the account password was presented, the secret key presented, and the authentication was accomplished solely by virtue of having presented a second factor of hardware (YubiKey)
    2. Account/vault information has been transferred from 1Password to my browser instance and is now stored locally on my computer, along with the secret key, in one form or another on the local filesystem.
    3. The 1Password browser extension has NOT been installed (by choice)
    4. The hardware second factor is no longer required to authenticate and log in, because #1 & #2

    The concern is, now that 1Password has deemed the hardware second factor is no longer needed because it has chosen its own locally stored copy of encrypted 1Password data to be the only 2nd factor required for login, it seems possible if not plausible that a malicious actor who has ...

    (a)  acquired the account password, and

    (b)  exfiltrated a copy of all 1Password-related data and/or session or state data persisted by the browser (e.g. cookies or other ephemeral data) that had been downloaded and persisted by my browser

    ... could log into my 1Password account (via another browser) and take any number of actions such as

    (c)  unlink my devices/sessions, or

    (d)  remove registered all second authentication factors , or

    (e)  delete the account entirely.

    Could they not take such actions?  I'm not saying it would be trivial, but if it's NOT possible, why is that?

    In any event, if the response to this concern is something along the lines of 'The use case you've described, thin bread, can only occur if you're *not* using the 1Password browser extension, but is indeed addressed by using the 1Password browser extension and that is because __________ , "  then OK, good!  Would be glad to hear that. I might then reconsider my choice to not use the browser extension, and give it a go ... except for this other caution from 1Password about use of its browser extension :

    • Limit your use of other browser extensions. A malicious or badly made browser extension could interfere with 1Password or attempt to expose your data. If you need to use untrusted extensions, consider using a separate browser profile just for 1Password.

    From:

    https://support.1password.com/1password-browser-security/

    Which brings me back at my original concern: not being able to use the hardware 2nd factor already registered with 1Password  for any login subsequent to the initial site login /  authentication attempt, because 1Password trusts the presence of previously locally stored 1Password data as a 2nd authentication factor over and above the existing registered and previously required hardware 2nd factor device. It's interesting that is the case, since 1Password has declared what sounds like a resounding Yes to the value of using MFA:

    "With MFA enabled, the attacker would still need your second factor – which you can choose to be a code from an authenticator app or a hardware security key – to sign in and unlock 1Password."

    https://blog.1password.com/should-protect-1password-with-2fa/

    Yes, exactly. I agree, and don't understand why the chosen implementation of hardware-based MFA support doesn't match what's being publicly asserted.

    Thanks, again, for your consideration and guidance.

    • 1P_Dave's avatar
      1P_Dave
      Icon for Moderator rankModerator
      4 months ago

      thinbread​ 

      Thanks for the reply. 1Password is only designed to be used on a device that you trust and that is free of malware. The second-factor is used to authenticate your account on that device when you first sign into the account but after that the device is considered trusted and linked to your account. If you choose to sign in to your 1Password account on a device then an attacker with access to that device, and who knows your account password, will be able to access both your items as well as account management tools. 

      The concern is, now that 1Password has deemed the hardware second factor is no longer needed because it has chosen its own locally stored copy of encrypted 1Password data to be the only 2nd factor required for login

      The locally stored data isn't a second factor, it's an stored session that you've authenticated using your account credentials along with your second factor. It sounds like you might be look for the following option:


      If you click this option then you'll be prompted for your account information, along with 2FA, each time that you access your data on 1Password.com.

      Alternatively, you might wish to take a look at our passkey unlock beta. You can store the passkey used to unlock 1Password on a physical security key and use that to unlock 1Password each time: Add additional passkeys or security keys (Note: passkey unlock for 1Password is currently only available in beta and requires creating a new test account.)

      -Dave

      • thinbread's avatar
        thinbread
        New Contributor
        4 months ago

        Dave, thank you very much for the clear and concise response to my meandering question. I'm better informed now because of it and will reset my expectation as appropriate, and will make use of that 'Is public or shared computer' checkbox. Thanks again!