Forum Discussion
Anonymous, 3 years ago
Set 2FA every login
Hi,
I use a YubiKey NFC.
For example, I can deauthenticate my MacbookPro and request a 2FA for the next login.
Is it possible to request this for every login so that a login is only possibl...
maxi36sailor, 1 year ago, New Contributor
Thanks for your response. Then it seems there is not a way to require 2FA at every login. I'm not technical, but it seems that it would be possible to offer an option for a user to choose to use 2FA at every login, or not, depending on a user's preferences. I'm using a software authenticator and am considering using a Yubi Key. Even with the Yubi Key option, I believe I would still not have the option to require additional 2FA authentication at every login. Is there a reason, other than assuming a user would prefer the convenience of not needing to use 2FA, that this option is not offered? Thanks.
1P_Dave
Moderator
1 year ago
There isn't a way to require 2FA on every login because it wouldn't add any meaningful additional security to your 1Password account after you've already authenticated it on a device where you're using the app.
1Password's security works differently from other apps or services that you may use since other apps only rely on authentication to protect your data. The reason why you're only prompted for your second factor when you add your 1Password account to a new device or browser is because of the role that encryption plays in your use of 1Password.
When you first setup your 1Password account on a new device, and authenticate using your account credentials and second factor, 1Password will download a copy of your data locally to the device that doesn't require an ongoing connection to 1Password.com for you to use. It's why you're able to access your passwords and other items even without internet access.
This local data is protected using encryption, not authentication, and 1Password requires a specific secret to decrypt that local data: your account password. At this point, requiring your second-factor again would just be security theatre since an attacker with access to your device could just grab the local encrypted vault file itself from your device without needing to provide a second factor to the app for authentication even if we added an option to have the app require it. This means that your account password is your protection against local attacks on your device and you need to make sure that you choose a strong and unique account password:
You can read more about authentication vs encryption here: Authentication and encryption in the 1Password security model
-Dave
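As an added illustration of the point made above (example code, not 1Password's software or its real file format): a constructed toy vault in which the account password is the only input to key derivation, so an app-side 2FA gate changes nothing about what the stored blob needs in order to be decrypted.

```python
import hashlib, hmac, os

# Constructed toy model of "encryption vs authentication" for a locally cached vault.
# NOT 1Password's real format or key derivation; it only shows which secrets protect the blob at rest.

def derive_key(password: str, salt: bytes) -> bytes:
    # Only inputs to this function protect the stored blob.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, 32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy HMAC-in-counter-mode keystream; stands in for a real AEAD cipher.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt_vault(password: str, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity tag
    return salt + nonce + tag + ct

def decrypt_vault(password: str, blob: bytes):
    # Needs the blob and the password, nothing else: no server, no second factor.
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = derive_key(password, salt)
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong password or tampered blob
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class VaultApp:
    # The app's login screen: a 2FA check placed in front of the same decrypt call.
    def __init__(self, blob: bytes, require_2fa: bool):
        self.blob, self.require_2fa = blob, require_2fa
    def unlock(self, password: str, second_factor_ok: bool):
        if self.require_2fa and not second_factor_ok:
            return None  # the gate refuses, but the blob on disk is unchanged
        return decrypt_vault(password, self.blob)

def demo(password: str = "correct horse battery staple") -> dict:
    blob = encrypt_vault(password, b"login: alice / hunter2")  # constructed sample item
    app = VaultApp(blob, require_2fa=True)
    return {
        "app_without_2fa": app.unlock(password, second_factor_ok=False),
        "app_with_2fa": app.unlock(password, second_factor_ok=True),
        "blob_plus_password": decrypt_vault(password, blob),  # the app gate is irrelevant here
        "blob_wrong_password": decrypt_vault("guess", blob),
    }
```

The only line of defence for the blob is whatever feeds `derive_key`; a check that lives in the app but not in the key derivation protects the login screen, not the data.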
- rububble, 7 months ago, New Contributor
1P_Dave wrote:
since an attacker with access to your device could just grab the local encrypted vault file itself from your device
Do you mean "decrypted" here? If someone would grab an encrypted vault and try opening it on another device, I wouldn't mind if it's protected by the master key, password and 2FA.
I get the difference between authentication and encryption, but it fails to give an answer to the situation if someone knows your password (I don't even think that's far-fetched, as this could be any person that's close to you, that you gave the password once to grab a password, ...)
As an example:
A friend knows my password and steals my device.
On a laptop, he would have immediately access to my vault. There's no additional layer of protection there.
On a phone, he would have the 2FA codes, yes, but if you would be able to make login with fingerprint a requirement, he still couldn't access the vault without me.
In fact that's the only benefit I see in 2FA (or biometrics). When my password gets compromised, there's still no access without a regenerating code (or unique identifiers) that I need to have access to first.
So the unanswered question for me still is: how would you protect your vault if the registered device is stolen and the person knows your password?
I wouldn't call that possibility a security theater. How would you act in such a situation?
The only "solution" I see there is, of course, disabling the stolen device in the web interface, hoping that the person didn't log in and export the data yet. But hoping doesn't feel really secure to me.
- 1P_Dave, 7 months ago
Moderator
Welcome to the community! You wrote:
So the unanswered question for me still is: how would you protect your vault if the registered device is stolen and the person knows you password?
I wouldn't call that possibility a security theater.
Your account password is what encrypts and decrypts your data locally on your device. If someone has both your device, where your encrypted vault is stored, and your account password then they'll be able to access your data. It's why it's important to:
- Only use 1Password on devices that you trust and know are safe to use.
- Keep your account password secret.
- Use a strong, random, and memorable account password: How to choose a good 1Password account password
Let me know if you have any questions.
-Dave
- rububble, 7 months ago, New Contributor
Hi Dave, thanks for your reply.
So you acknowledge, there's no further protection against my example other than preceding best practices?
But at the same time you call the possibility of having additional 2FA activated a security theatre.
What I (especially for mobile devices) and others would like to have is the choice of having additional safety measures as a 'last stand'. It's not about forcing every user to use this but the possibility to enable such a feature as 2FA as a whole.
At the moment, there's no real patch that fixes this not even too far-fetched most basic security vulnerability. I hope, you follow my thought process in that matter.
I see value in such a feature.
That's an opinion of course, you don't have to agree with.
- maxi36sailor, 1 year ago, New Contributor
Thanks, that was a great explanation. I'll read about it in the link provided. I learn something new. Always good.
- 1P_Dave, 1 year ago
Moderator
I'm happy to help!
-Dave
- maxi36sailor, 1 year ago, New Contributor
Thanks, that is a great explanation. I will read more about it in the link you provided. I learn something new. Always good.