Should I use 1Password to manage the OTP for 1Password?

Hello NickOg,

Welcome to the 1Password Support Community!

That's correct, when you Use 1Password as an authenticator for sites with two-factor authentication, the allows you to either scan the QR code or paste the alphanumeric code into the OTP field:

Save your QR code in the 1Password apps

Thanks for your comments!

re 'and the same time do screen captures of the QR codes and save all of those as a backup."

Most sites seem to offer an alphanumeric code as well as a QR code. I have found that to be a simpler alternative that storing the screen image. 1Password and (I suspect) most other authorisers will accept that code or the QR code.

I am new around here. :)
Nick

I agree with Netpog this highly valueable service is hidden. It's hidden in the software, in the documentation, it certainly never gets talked about in the media. Even the company name "1Password" is obsolete and in a way obscures that TOTP are also handled, and passwords are a dying-out thing anyway, right? What if I had a steak and lobster dish on the menu and it just said "SURF (and shhh.... something)".

Former Member I think I'm going to re-do all of my authentication scanning and and the same time do screen captures of the QR codes and save all of those as a backup. What a great idea to scan them multiple times. I guess I don't really have to be afraid about keeping 1Password TOTP in 1Password, so long as it's also somewhere else! Keys to the safe in the safe and buried under the string bean plot, I guess... Scanning the QR is a way to backup Google Authenticator. Also Microsoft Authenticator is backed up to Microsoft, so that's good...

Hello @peter_wang,

Thanks for getting back to us with this feedback and that adding your daughter as another family organizer. I've provided our guide there for others that may be interested in learning more.

Netpog, thanks for your feedback about the location of the 1Password account 2fa setting. I agree that this is a very important setting and some improvements could be made to help better identify this setting's location on 1Password.com and in the app. I've included your feedback for the Product team. Thanks!

ref: 30960653
ref: 30960794

ag_mike_d, thanks for the link to that helpful Guide on protecting 1Password with 2FA. I admit: I had not been aware of this important feature, in part because it's hidden so obscurely. And I generally review all the settings in every app, because I'm that kind of nerd.

Problem is, I would expect to enable 2FA via "Settings" (in the right-side navbar under the account's name). I don't think of this as an attribute of my "Profile", and even if I did, I'd never think of it as an "Action". It's a security setting.

Even if I'm wrong (or weird) with that expectation, I suggest that this is important enough to put on the main page, rather than behind a "more stuff" link.

As for the app, I do appreciate that it would be a challenge to make this more obvious there, because the app supports multiple accounts, and thus its "Settings" feature is not specific to any one account. (Although that could be changed with a drop-down menu, I can't see that significant task getting high priority.) Even so, I'd expect "manage accounts" to be in the main menu, rather than behind my list of vaults/collections.

Pursuant to my concern about losing the mobile device, I think it makes good sense to implement a hardware key, not phone-based MFA. It's easy for the key to live in the home safe, or a hotel safe and just come out rarely to let me back into 1Password if I have a new device or a new browser.

No reply needed... I think I have it all figured out. I just had to think through it out loud.

Ah, I know what I need... I need to make a daughter a Family Organizer so she can let me back into the account if I ever have a real disaster.

Mike... I opened a private browsing Window, and tried to sign in with my username, password, and Secret Code, but then 1Password still demanded my OTP. What do you do if the device producing the OTP is broken / lost / stolen?

I guess in the hypothetical situation of my phone is toast I have to immediately get to 1Password on my laptop and turn off MFA (temporarily) until I have a new mobile device ready to go, then turn MFA back on again?

I guess that's fine for most cases. But what if the sitation is worse... let's say I lose BOTH my mobile device and my laptop. Earthquake. Fire. Flood. My dwelling gets taken out. Or it gets broken into and both of those things go. Then what's my recourse?

I guess I'd really like a set of maybe 5 or 10 one-time use recovery codes that would stand in place of the MFA. I'd keep those printed off. Google does this. Thanks.

Mike, it would great if the 1Password app would flash up a warning message should you try to add OTP keys to the app for a 1Password account:

"Don't store your 1Password One Time Password in 1Password, you could get locked out!"

To me, the greatest risk is that I break or lose my phone. They I guess I'm back to using just the username, password, and Secret Key to get back in?

Can I keep another seperate TOTP authenticator on my laptop, will my 1Password account use more than one TOTP code? (codes not the same at any point in time). If I'm traveling, my laptop will be cabled up or in the room safe. If I lose the phone, I'm OK. If I lose the laptop to theft or breakage, I most probably did not also lose the phone at the same moment in time. I always think in layers of security.

Hello @Peter_Wang,

Thanks for your message and questions about using 1Password to store the OTP for your 1Password account. Former Member is correct (thanks as always 😀), you shouldn't store your account's OTP in 1Password itself. As mentioned in the guide below, this would be akin to storing the key to your safe in the safe. Our guide, Turn on two-factor authentication for your 1Password account, includes more details.

If you have any question about using 1Password as an authenticator for sites with two-factor authentication, this guide is great place to start.

We'll be hear to help if you have any other questions or concerns. Have a great day!