Forum Discussion

RCxRC's avatar
RCxRC
New Contributor
3 years ago

Windows and Android both suddenly enable 2FA without being asked? Now locked out of account.

Recently I read the widely-circulating 1PW article refuting LastPass's "million years to crack" claim. I took the hint and decided I was going to login to my account and change my password to a randomized 12 digit one, as seemingly recommended in article.

The layout of the website landing page(s) seem to have changed completely from my last visit a couple of weeks ago. Now, instead of needing just my email and my Master Password, I was also asked for my Secret Key. On top of all that, I was then also asked to provide a 6-digit code from an Authenticator app. Previously I only needed my email and Master Password.

I never turned on these extra steps / 2FA requirements (requiring the Secret Key as well as an Authenticator app code). Did 1PW just decide to enable them for everyone after what recently happened to LP?

The problem with getting back into my account is that I do not see 1PW in my MS Authenticator app on my phone. I tried recovering any possibly saved MS Authenticator app settings/files from my cloud backup file(s), as well as deleting and re-installing the MS Authenticator app in order to see if re-installing a clean copy would recover / re-install any previously saved account(s). Neither worked.

I still can access the basic password app settings on both my laptop and my phone, but I cannot log into my actual account itself in order to change anything, such as the Master Password I was attempting to change in the first place to make it more "safe".

I clicked through on "having trouble on signing in", verified my email address, and received the link on how to recover accounts, but nothing listed there applies. I am the only account holder / administrator.

Why in the world would everything needed to get into one's account that they would have hard-copies of at home then hinge completely on access to a mobile phone Authenticator app code ( such as knowing the initial laptop or phone login, account email address, full Secret Key, the Master Password) ? Something that could easily go wrong, for a variety of reasons (unfamiliarity with using the Authenticator app, your kid accidentally deleting it while trying to install something new on your phone, change of phones / transfer of data to new phone, etc)? And from everything I have been reading on this forum as well as the Reddit 1PW forum I am essentially screwed and have to delete the entire account and start over from scratch (thankfully I backed up my laptop's browser saved passwords and other data). Since I cannot get into the 1PW account, HTH can I get a code or QR code to install 1PW on the Authenticator app with? It's a circular argument. (entering the 1PW "Secret Key" for the "Secret Key" code asked for inside of the MS Authenticator app when trying to manually enter the info into the app to create an account there doesn't work either)

What just happened? Why no other recovery options (text message code/link, phone call, customer service, anything)? The whole thing just seems nuts. Even a second "Really, Really Secret Key" would be a better option than this weak link. And I never set 2FA up in the first place.
What happens when someone has their only phone stolen or damaged (with the Authenticator app installed), and cannot get the backup file(s) to re-install on a new phone? What if you're travelling and need to login to someone else's computer (at the travel agent's, or the police to track your phone) and need access to 1PW stored PW's? And a myriad of other worst-case scenarios. And it wouldn't even matter if you carried along on printed papers with all of the login info & codes you needed to get into your account, solely b/c you cannot access an Authenticator app.

RC

Background:

I first installed 1PW one month ago on my laptop. I set everything up at the 1PW website, exported all of my saved PW's from my Edge browser over to 1PW with just a few hiccups, deleted PW's and other saved data from the Edge browser, and everything seemed to work fine. A couple of weeks ago I then installed on my Android phone. I cannot remember clearly (it has been an extraordinarily busy month), but I vaguely recall needing to install the MS Authenticator app and enter an approval code in order to install the 1PW app. That was the last time I was logged fully into the 1PW website and my account.

Over the past two weeks, business as usual, with both the laptop and phone seeming to work just fine. Every time I have re-booted my laptop, I have to enter my Master PW the first time I try to auto-fill a PW on a website, but then for the rest of the session no issues. Also no issues on the phone, until today....

Added note: I did connect my new phone to my old phone a couple of times with Samsung Smart Switch to move text messages and other data over to the new phone. I have no idea if that may be part of the issue (moving data over from the old phone).

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

windows
  • RCxRC's avatar
    RCxRC
    New Contributor
    3 years ago

    Problem solved.

    I still do not know exactly how 2FA become enabled on the account in the first place. I do think the issue of being asked to enter the Secret Key is likely due to my clearing out the Edge browser Cache and Data files recently (while trying to figure out a DNS issue I've been having with Spectrum recently, with constant page loading delays necessistating multiple page reloads due to a DNS_PROBE_FINISHED_NXDOMAIN problem, which was resolved by switching to Google DNS Servers). Hence why I would need to then include the Secret Key along with normal username and password to get the whole thing initiated for website login (at least initially). Although this raises the question of: If the Secret Key needed to be entered due to whatever I did on the laptop to clear the memory, then why also be asked for it on the phone?

    The explanation of how this was fixed is below. Again, not concerned about looking like a fool for not exploring the in-Windows app update and discovering that the steps necessary to make the change were right there, just under a slightly different menu layout, as a result of the change from version 7 to 8. Thankfully the app itself was always logged into on my laptop.

    Thank you Mycenius for your input. It is entirely likely that I did exactly that. I also learned from my extensive browsing of the subject today that changing the 2FA setting on one device changes the default on other devices. Again, not intentionally in my case.

    __Hello Taylor,

    Thank you for your response. I have spent most of today working on trying to fix this. Between multiple times deleting and re-installing both the 1PW app and the MS Authenticator app on my phone, repeatedly trying to access various backup sites for my phone cloud accounts where the previous settings might have been, etc.

    I literally had just found the answer when you emailed me back. It took some digging. Even after several deep dives looking through the Windows app I could not find the solution, until someone in another similarly titled thread commented that if one was still logged into the app (at least as far as the app as installed in Windows) and could see the website password info included within the 1PW app (vs actually being logged into the 1PW website itself), then they had a chance of getting to and turning of 2FA from there.

    This change in the menu directions to get to this feature in Version 8 is less intuitive than it was in Version 7. At least the setting was right there when you get to the menu to choose your account, not "hidden" behind the three-dot menu.

    I really thought I would have to delete this account and start over.

    Thank you again,

    I will update my thread in the 1PW Community Windows Forum regarding this issue. Hopefully it will help someone else who is having a similar problem and just needs to not get exhausted with the initial setup process and follow-through on understanding how the ENTIRE process works (phone and Windows apps included). I don't mind looking like and playing the fool for not doing so myself...

    __

    From: 1Password Security Support

    Subject: Re: [#XXXXXXXXXXXX] Question about 1Password

    Hi there,

    Thank you for taking the time to contact us. First things first, if you've added your 1Password account to the 1Password 7 app on one of your devices and you still have that 1Password 7 app installed and are still signed into it, and you can still unlock the 1Password 7 app on that device, you can turn off 2FA there.

    **== 1Password 8 for Windows or Mac ==

    Open and unlock 1Password.
    Click your account or collection at the top of the sidebar and choose Manage Accounts...
    Select ⋮ > Turn off two-factor authentication**

    == 1Password 8 for iOS ==

    Open and unlock 1Password.
    Tap the 1Password icon at the top left of the screen and choose Manage Accounts...
    Select … > Turn off two-factor authentication

    **== 1Password 7 for Windows ==

    Open and unlock 1Password.
    Choose Accounts > [your account name] > Turn off two-factor authentication**

    == 1Password 7 for Mac ==

    Open and unlock 1Password.
    Choose 1Password > Preferences > Accounts.
    Select your account > Turn Off Two-Factor Authentication.

    == 1Password 7 for iOS or Android ==

    Open and unlock 1Password.
    Tap Settings > 1Password Accounts.
    Tap your account > Turn Off Two-Factor Authentication.

    If you still have access to your 1Password account in a web browser you've already signed into it with, you can sign in to your account (you'll just need your 1Password account password), click your name in the top right of the page, and choose “My Profile” from the account menu. Then, click “More Actions > Manage Two-Factor Authentication > Turn Off Two-Factor Authentication” from the menu.

    If that doesn’t help and you are a part of a 1Password Business or Family account, you should contact the account owner or the person responsible for creating your user account, because they can recover your user account by following the instructions in our https://support.1password.com/recovery guide, which will disable Two-Factor Authentication for you in the process (if this is a Family account and you have another family member who is set as an Owner/Admin, they can also do this for you). This should then allow you to set it back up afterwards, by following the steps in our https://support.1password.com/two-factor-authentication guide.

    (Info on steps involved in having to remove / re-set the account removed)

    Thanks.

    Taylor D.
    Customer Support @ 1Password
    https://support.1password.com/

  • Mycenius's avatar
    Mycenius
    Super Contributor
    3 years ago

    You will always need your Secret Key the first time you log in - resetting your password will trigger this I believe - as I just did similar myself today (although not because of the LastPass debacle) - it was just time (18 months use) for my reasonably high entropy 18-character password to be refreshed & updated (to a more secure 33-character passphrase one). :-)

    The 2FA will (or should) only enable if you have successfully entered the code at the time of activating it - you didn't inadvertently take the wrong option and scan a 2FA authenticator QR Code did you, rather than a 1PW Setup one? I can't imagine it's just turned itself on on it's own...

  • RCxRC's avatar
    RCxRC
    New Contributor
    3 years ago

    Afterthought: Does the act of using a scanned code to install 1PW on a new device (in this case, a cell phone) in and of itself "turn-on" two-factor authentication from then on out...?