Forum Discussion
Former Member
3 years ago
Set 2FA every login
Hi,
I use a YubiKey NFC.
For example, I can deauthenticate my MacBook Pro and request a 2FA for the next login.
Is it possible to request this for every login so that a login is only possibl...
1P_Dave
Moderator
3 years ago
Hello Former Member! 👋
Two-factor authentication (when using something like an authenticator app or YubiKey) only prevents others from adding your account to a new device. Once an account is added to a device you'll need to use your account password (or biometrics) to unlock the app and decrypt your data: Authentication and encryption in the 1Password security model
Are you looking for the ability to always be prompted for your YubiKey, in addition to the account password, before 1Password unlocks? Can you tell me a little more about what kind of attack you're trying to protect against?
I look forward to hearing from you. 🙂
-Dave
maxi36sailor
9 months ago
New Contributor
The reason I would like to be prompted for 2FA at each login is that I am sometimes using a shared PC.
- 1P_Dave, 9 months ago
Moderator
I recommend that you only use 1Password on a device that you trust. If you do need to use 1Password on a shared device then you can lock 1Password manually before stepping away. You can also adjust your auto-lock preferences to be more strict:
Once 1Password locks, the only way to unlock the app is to type in your account password (or biometrics if you've set those up).
-Dave
- maxi36sailor, 9 months ago
New Contributor
Thanks for your response. Then it seems there is not a way to require 2FA at every login. I'm not technical, but it seems that it would be possible to offer an option for a user to choose to use 2FA at every login, or not, depending on a user's preferences. I'm using a software authenticator and am considering using a YubiKey. Even with the YubiKey option, I believe I would still not have the option to require additional 2FA authentication at every login. Is there a reason, other than assuming a user would prefer the convenience of not needing to use 2FA, that this option is not offered? Thanks.
- 1P_Dave, 9 months ago
Moderator
There isn't a way to require 2FA on every login because it wouldn't add any meaningful additional security to your 1Password account after you've already authenticated it on a device where you're using the app.
1Password's security works differently from other apps or services that you may use since other apps only rely on authentication to protect your data. The reason why you're only prompted for your second factor when you add your 1Password account to a new device or browser is because of the role that encryption plays in your use of 1Password.
When you first set up your 1Password account on a new device, and authenticate using your account credentials and second factor, 1Password will download a copy of your data locally to the device that doesn't require an ongoing connection to 1Password.com for you to use. It's why you're able to access your passwords and other items even without internet access.
This local data is protected using encryption, not authentication, and 1Password requires a specific secret to decrypt that local data: your account password. At this point, requiring your second-factor again would just be security theatre since an attacker with access to your device could just grab the local encrypted vault file itself from your device without needing to provide a second factor to the app for authentication even if we added an option to have the app require it. This means that your account password is your protection against local attacks on your device and you need to make sure that you choose a strong and unique account password:
You can read more about authentication vs encryption here: Authentication and encryption in the 1Password security model
-Dave
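
The authentication-versus-encryption distinction discussed in this thread, as an added example that is not from any poster and not 1Password's code or vault format: a toy password-encrypted file (PBKDF2 plus an HMAC-SHA256 keystream, chosen only because the Python standard library has no AES) with a hypothetical `app_unlock` gate that demands a second factor on every unlock. All function names and sample values are constructed for illustration.

```python
import hashlib, hmac, os

# Toy model only: PBKDF2 + an HMAC-SHA256 keystream stand in for a real
# vault format (the Python standard library has no AES). Not 1Password's design.

def _keys(password: str, salt: bytes):
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]          # encryption key, MAC key

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_vault(password: str, plaintext: bytes) -> bytes:
    """Write the local vault file: salt | nonce | tag | ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct

def open_vault(password: str, blob: bytes) -> bytes:
    """Decrypt the file directly. Only the password matters here."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted vault")
    return _xor_stream(enc_key, nonce, ct)

def app_unlock(password: str, second_factor_ok: bool, blob: bytes) -> bytes:
    """Hypothetical app setting: demand the second factor on every unlock."""
    if not second_factor_ok:
        raise PermissionError("second factor required")
    return open_vault(password, blob)

if __name__ == "__main__":
    blob = seal_vault("constructed sample password", b"constructed sample item")
    try:
        app_unlock("constructed sample password", False, blob)
    except PermissionError as e:
        print("app gate:", e)
    # The gate is a check in the app, not part of the file's protection.
    print("direct read:", open_vault("constructed sample password", blob))
    try:
        open_vault("guess", blob)
    except ValueError as e:
        print("without the password:", e)
```

In this model the second-factor check lives in `app_unlock`, while the file on disk is protected solely by the key derived from the password, so the strength of that password is what decides whether the copy can be read.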