Forum Discussion
Former Member
3 years ago
Should I use 1Password to manage the OTP for 1Password?
I'm really liking the OTP feature in 1Password... I didn't grasp that it could totally replace my other authenticators... but I'm looking at my 1Password credential itself, and I'm wondering if it's a good idea to migrate that to 1Password. There seems to be a potential for a "Catch-22" circular dependency whereby "I can't get into 1Password to get my OTP therefore I can't can't get into 1Password to get my OTP can't get into 1Password to get my OTP can't get into 1Password to get my OTP can't get into 1Password to get my OTP "... etc. Any thoughts?
1Password Version: 8.9.14
Extension Version: Not Provided
OS Version: Windows 10
Browser: Firefox
Referrer: forum-search:https://1password.community/search?Search=one%20time%20password%20otp
13 Replies
- ag_mike_d
1Password Team
Hello NickOg,
Welcome to the 1Password Support Community!
That's correct, when you Use 1Password as an authenticator for sites with two-factor authentication, the allows you to either scan the QR code or paste the alphanumeric code into the OTP field:
Save your QR code in the 1Password apps
Thanks for your comments!
- NickOg
New Contributor
re "and the same time do screen captures of the QR codes and save all of those as a backup."
Most sites seem to offer an alphanumeric code as well as a QR code. I have found that to be a simpler alternative than storing the screen image. 1Password and (I suspect) most other authorisers will accept that code or the QR code.
I am new around here. :)
Nick
- Former Member
I agree with Netpog this highly valuable service is hidden. It's hidden in the software, in the documentation, it certainly never gets talked about in the media. Even the company name "1Password" is obsolete and in a way obscures that TOTP are also handled, and passwords are a dying-out thing anyway, right? What if I had a steak and lobster dish on the menu and it just said "SURF (and shhh.... something)".
Former Member I think I'm going to re-do all of my authentication scanning and at the same time do screen captures of the QR codes and save all of those as a backup. What a great idea to scan them multiple times. I guess I don't really have to be afraid about keeping 1Password TOTP in 1Password, so long as it's also somewhere else! Keys to the safe in the safe and buried under the string bean plot, I guess... Scanning the QR is a way to back up Google Authenticator. Also Microsoft Authenticator is backed up to Microsoft, so that's good...
- ag_mike_d
1Password Team
Hello @peter_wang,
Thanks for getting back to us with this feedback and that adding your daughter as another family organizer. I've provided our guide there for others that may be interested in learning more.
Netpog, thanks for your feedback about the location of the 1Password account 2fa setting. I agree that this is a very important setting and some improvements could be made to help better identify this setting's location on 1Password.com and in the app. I've included your feedback for the Product team. Thanks!
ref: 30960653
ref: 30960794
- Netpog
Dedicated Contributor
ag_mike_d, thanks for the link to that helpful Guide on protecting 1Password with 2FA. I admit: I had not been aware of this important feature, in part because it's hidden so obscurely. And I generally review all the settings in every app, because I'm that kind of nerd.
Problem is, I would expect to enable 2FA via "Settings" (in the right-side navbar under the account's name). I don't think of this as an attribute of my "Profile", and even if I did, I'd never think of it as an "Action". It's a security setting.
Even if I'm wrong (or weird) with that expectation, I suggest that this is important enough to put on the main page, rather than behind a "more stuff" link.
As for the app, I do appreciate that it would be a challenge to make this more obvious there, because the app supports multiple accounts, and thus its "Settings" feature is not specific to any one account. (Although that could be changed with a drop-down menu, I can't see that significant task getting high priority.) Even so, I'd expect "manage accounts" to be in the main menu, rather than behind my list of vaults/collections.
- Former Member
Pursuant to my concern about losing the mobile device, I think it makes good sense to implement a hardware key, not phone-based MFA. It's easy for the key to live in the home safe, or a hotel safe and just come out rarely to let me back into 1Password if I have a new device or a new browser.
No reply needed... I think I have it all figured out. I just had to think through it out loud.
- Former Member
Ah, I know what I need... I need to make a daughter a Family Organizer so she can let me back into the account if I ever have a real disaster.
- Former Member
Mike... I opened a private browsing Window, and tried to sign in with my username, password, and Secret Code, but then 1Password still demanded my OTP. What do you do if the device producing the OTP is broken / lost / stolen?
I guess in the hypothetical situation of my phone is toast I have to immediately get to 1Password on my laptop and turn off MFA (temporarily) until I have a new mobile device ready to go, then turn MFA back on again?
I guess that's fine for most cases. But what if the situation is worse... let's say I lose BOTH my mobile device and my laptop. Earthquake. Fire. Flood. My dwelling gets taken out. Or it gets broken into and both of those things go. Then what's my recourse?
I guess I'd really like a set of maybe 5 or 10 one-time use recovery codes that would stand in place of the MFA. I'd keep those printed off. Google does this. Thanks.
- Former Member
Mike, it would be great if the 1Password app would flash up a warning message should you try to add OTP keys to the app for a 1Password account:
"Don't store your 1Password One Time Password in 1Password, you could get locked out!"
To me, the greatest risk is that I break or lose my phone. Then I guess I'm back to using just the username, password, and Secret Key to get back in?
Can I keep another separate TOTP authenticator on my laptop, will my 1Password account use more than one TOTP code? (codes not the same at any point in time). If I'm traveling, my laptop will be cabled up or in the room safe. If I lose the phone, I'm OK. If I lose the laptop to theft or breakage, I most probably did not also lose the phone at the same moment in time. I always think in layers of security.
- ag_mike_d
1Password Team
Hello @Peter_Wang,
Thanks for your message and questions about using 1Password to store the OTP for your 1Password account. Former Member is correct (thanks as always 😀), you shouldn't store your account's OTP in 1Password itself. As mentioned in the guide below, this would be akin to storing the key to your safe in the safe. Our guide, Turn on two-factor authentication for your 1Password account, includes more details.
If you have any questions about using 1Password as an authenticator for sites with two-factor authentication, this guide is a great place to start.
We'll be here to help if you have any other questions or concerns. Have a great day!
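
Added example (not posted by any participant in this thread and not 1Password's code): the thread mentions that sites offer an alphanumeric code alongside the QR code and that either can be kept as a backup. The sketch below implements standard TOTP (RFC 6238, HMAC-SHA1) to show that both forms carry the same shared secret, so whoever holds a copy of it can generate the login codes. The secret is the published RFC 6238 test key, and the account label and issuer in the URI are constructed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the usual authenticator default."""
    # Setup pages show the secret in groups and without padding; normalise it.
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", unix_time // period)   # 30-second time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def secret_from_qr_payload(uri: str) -> str:
    """Extract the shared secret from the otpauth:// URI a setup QR code encodes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    secrets = parse_qs(parsed.query).get("secret")
    if not secrets:
        raise ValueError("URI carries no secret parameter")
    return secrets[0]

# Constructed sample data: the RFC 6238 test key, never a real account secret.
TYPED_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"   # alphanumeric form
QR_PAYLOAD = (
    "otpauth://totp/Example:user@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
)

def codes_at(unix_time: int) -> tuple:
    """Codes from the typed secret and from the QR payload at the same instant."""
    return (totp(TYPED_SECRET, unix_time),
            totp(secret_from_qr_payload(QR_PAYLOAD), unix_time))

if __name__ == "__main__":
    typed, scanned = codes_at(59)
    print("typed secret:", typed, "| QR payload:", scanned)
```

Because a saved QR screenshot or written-down alphanumeric code is the secret itself, a backup copy deserves the same protection as the authenticator device.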