Forum Discussion
Former Member
3 years ago
Set 2FA every login
Hi,
I use a YubiKey NFC.
For example, I can deauthenticate my MacbookPro and request a 2FA for the next login.
Is it possible to request this for every login so that a login is only possibl...
maxi36sailor
9 months ago
New Contributor
The reason I would like to be prompted for 2FA at each login is that I am sometimes using a shared PC.
1P_Dave
Moderator
9 months ago
I recommend that you only use 1Password on a device that you trust. If you do need to use 1Password on a shared device then you can lock 1Password manually before stepping away. You can also adjust your auto-lock preferences to be more strict:
Once 1Password locks, the only way to unlock the app is to type in your account password (or biometrics if you've set those up).
-Dave
maxi36sailor
9 months ago
New Contributor
Thanks for your response. Then it seems there is not a way to require 2FA at every login. I'm not technical, but it seems that it would be possible to offer an option for a user to choose to use 2FA at every login, or not, depending on a user's preferences. I'm using a software authenticator and am considering using a Yubi Key. Even with the Yubi Key option, I believe I would still not have the option to require additional 2FA authentication at every login. Is there a reason, other than assuming a user would prefer the convenience of not needing to use 2FA, that this option is not offered? Thanks.
1P_Dave
9 months ago
Moderator
There isn't a way to require 2FA on every login because it wouldn't add any meaningful additional security to your 1Password account after you've already authenticated it on a device where you're using the app.
1Password's security works differently from other apps or services that you may use since other apps only rely on authentication to protect your data. The reason why you're only prompted for your second factor when you add your 1Password account to a new device or browser is because of the role that encryption plays in your use of 1Password.
When you first set up your 1Password account on a new device, and authenticate using your account credentials and second factor, 1Password will download a copy of your data locally to the device that doesn't require an ongoing connection to 1Password.com for you to use. It's why you're able to access your passwords and other items even without internet access.
This local data is protected using encryption, not authentication, and 1Password requires a specific secret to decrypt that local data: your account password. At this point, requiring your second-factor again would just be security theatre since an attacker with access to your device could just grab the local encrypted vault file itself from your device without needing to provide a second factor to the app for authentication even if we added an option to have the app require it. This means that your account password is your protection against local attacks on your device and you need to make sure that you choose a strong and unique account password:
You can read more about authentication vs encryption here: Authentication and encryption in the 1Password security model
-Dave
rububble
3 months ago
New Contributor
1P_Dave wrote:
since an attacker with access to your device could just grab the local encrypted vault file itself from your device
Do you mean "decrypted" here? If someone would grab an encrypted vault and try opening it on another device, I wouldn't mind if it's protected by the masterkey, password and 2FA.
I get the difference between authentication and encryption, but it fails to give an answer to the situation if someone knows your password (I don't even think that's far-fetched, as this could be any person that's close to you, that you gave the password once to grab a password, ...)
As an example:
A friend knows my password and steals my device.
On a laptop, he would have immediate access to my vault. There's no additional layer of protection there.
On a phone, he would have the 2FA codes, yes, but if you would be able to make login with fingerprint a requirement, he still couldn't access the vault without me.
In fact that's the only benefit I see in 2FA (or biometrics). When my password gets compromised, there's still no access without a regenerating code (or unique identifiers) that I need to have access to first.
So the unanswered question for me still is: how would you protect your vault if the registered device is stolen and the person knows your password?
I wouldn't call that possibility a security theater.
How would you act in such a situation?
The only "solution" I see there, is of course disabling the stolen device in the web interface, hoping that the person didn't log in and export the data yet. But hoping doesn't feel really secure to me.
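The following is an added illustration of the model Dave describes and of the stolen-device scenario rububble raises; it is not 1Password's code and not part of the original thread. It models a hosted side that only ever authenticates devices, a vault file sealed under a key derived solely from the account password, and two ways of reaching the data: through the client app (which passes an authorization gate, the place where a per-login 2FA prompt would also sit) and by reading the file directly. The toy cipher (SHA-256 counter keystream with an HMAC tag), the `Server` class, the device id and the sample vault contents are all my own constructions; a real product would use a vetted AEAD and KDF.

```python
"""
Toy model of authentication vs encryption for a locally cached vault.
Added example, not 1Password's code: every name here is constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameter; a real product picks this from its vetted KDF settings.
PBKDF2_ITERATIONS = 100_000


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the account password into 64 key bytes (32 for encryption, 32 for the MAC)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; stands in for a real stream/AEAD cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(plaintext: bytes, password: str) -> dict:
    """Encrypt-then-MAC the vault under a key derived only from the password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(password, salt)
    enc_key, mac_key = key[:32], key[32:]
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def open_vault(blob: dict, password: str) -> Optional[bytes]:
    """Decrypt a sealed vault; returns None when the password (and so the MAC key) is wrong."""
    key = derive_key(password, blob["salt"])
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


class Server:
    """Hosted side (constructed): it sees authentication decisions, never the vault key."""

    def __init__(self) -> None:
        self.authorized_devices = set()

    def enroll(self, device_id: str, password_ok: bool, second_factor_ok: bool) -> bool:
        # The second factor is checked once, when a device is added.
        if password_ok and second_factor_ok:
            self.authorized_devices.add(device_id)
        return device_id in self.authorized_devices

    def deauthorize(self, device_id: str) -> None:
        """What 'deauthorize device' in a web interface would do on this model."""
        self.authorized_devices.discard(device_id)

    def is_authorized(self, device_id: str) -> bool:
        return device_id in self.authorized_devices


def app_unlock(blob: dict, password: str, server: Server, device_id: str) -> Optional[bytes]:
    """Client-app path: an authentication gate, then local decryption.
    A per-login 2FA prompt would be one more gate on this same path."""
    if not server.is_authorized(device_id):
        return None
    return open_vault(blob, password)


def read_file_directly(blob: dict, password: str) -> Optional[bytes]:
    """Whoever holds a copy of the vault file never talks to the client or the server."""
    return open_vault(blob, password)


def demo() -> dict:
    """Walk the thread's scenario; returns what each path yields."""
    secret = b"example login: user@example.test / constructed sample item"  # constructed data
    password = "Str0ng-unique-account-password"  # constructed
    blob = seal_vault(secret, password)
    server = Server()
    server.enroll("laptop-1", password_ok=True, second_factor_ok=True)
    results = {"via_app": app_unlock(blob, password, server, "laptop-1")}
    server.deauthorize("laptop-1")  # the device is reported stolen and revoked
    results["via_app_after_revoke"] = app_unlock(blob, password, server, "laptop-1")
    results["file_after_revoke"] = read_file_directly(blob, password)
    results["file_wrong_password"] = read_file_directly(blob, "guess")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {'decrypted' if value else 'refused'}")
```

Run as a script, the model shows the two points the thread circles around: revoking the device closes the app path, but the cached file still opens for anyone who holds the account password, and only the wrong password is refused. Any gate added to the app path, a per-login 2FA prompt included, sits in front of `open_vault` and not inside it, so it changes nothing for someone reading the file directly; what does change the outcome on that path is the strength of the password and the cost of the key derivation.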