1Password and 2FA: Is it wrong to store passwords and one-time codes together?

The addition of TOTP storage lets you use 1Password as an authenticator for websites that support two-factor authentication (2FA). As 2FA became increasingly common, even required in many cases, people started to question the safety and security of using 1Password to store TOTP instead of an authenticator app that exists solely for that purpose.

It remains a fairly common question — and a great one.

The short answer is that storing your TOTP in 1Password is safe. It’s also faster and more convenient than using a separate, dedicated app.

The rest of this article is the nuanced (and far less brief) answer. It addresses what dedicated authenticator apps provide (and don’t provide), and how you can 2FA the right way. ¹

A little two-step

Let’s create a (theoretical) account to illustrate the authentication process – and it is a process – then dive into those infamous factors and what we need from them for true 2FA.

The process starts with the question “Who are you?” You’d probably identify yourself with your name in person; online identification typically takes the form of an email address. But identification is only a claim. You can provide any email address you want — it means nothing unless you can verify ownership.

Verification comes next and asks “Are you really who you say you are?” The server sends a unique code to the email address you entered as identification. If you provide the right code, you verify you own (or have control of) the email address. Verification is important — it establishes trust. And that trust allows you to secure the account with a secret: a password of your choice.

You corroborate your verified identity each time you want to access the account.

Verification generally happens once, as part of account creation, then you corroborate your verified identity each time you want to access the account. This step is known as authentication, and it’s successful if you can enter that shared secret — your password.

Proving you know a shared secret is only one of three authentication factors. If you’ve read our blog, you may recognize the factors as something you know, something you have, and something you are. In short: knowledge, possession, and inherence.

There’s a (significant) caveat when it comes to multi-factor authentication: Each factor must be separate and distinct to be valid.

And that, my friends, is part of the reason we’re here today. That separation and distinction of factors is critical, and directly impacts the outcome of the 1Password vs dedicated authenticator app debate.

Each factor must be separate and distinct to be valid.

For many of us, signing in to an account protected by 2FA means using 1Password to fill our password (verification), then proving we possess something to authenticate. That something is usually a second shared secret called a TOTP. We switch to our preferred TOTP-storage app, copy the one-time code, paste, and submit. Authentication is successful and we’re in. Sound familiar?

That process is two-step verification (2SV).

While you turn on the 2FA setting in your account, and subsequent sign-ins require your password and a TOTP, you lack a true second factor when both secrets originate from the same device. And that means you have the same level of protection whether you store your TOTP in 1Password or an authenticator app (on the same device).

Two’s a crowd

It’s important to acknowledge that 2SV is a very valid way to secure your accounts, and improves upon the standard use of a username and password (one-factor authentication). The additional required step can prevent account compromise by someone who gains access to your login information; it acts as a barrier regardless of TOTP location.

But there’s an incredibly specific (and unlikely) scenario in which storing your TOTP in a separate authenticator app may offer additional protection. If an attacker got ahold of your 1Password login information (and your 2FA secret if you’ve added that layer of protection to your 1Password account) but didn’t have control of your device, the separation between your passwords and TOTP could prove useful.

To my knowledge, there’s no authenticator app or password manager that can protect data from an attacker who has compromised the device itself.

I hedged with may and could because this theoretical attacker who somehow gained access to your 1Password sign-in details would know your email address, Secret Key, and account password (at minimum). Anyone with the ability to gather that much sensitive intel is unlikely to see an authenticator as much of a challenge. And, to my knowledge, there’s no authenticator app or password manager on the market that can safeguard data on a compromised device.

So, I’ve addressed 1Password and authenticator apps but does any of this information matter when neither option offers true 2FA?

It takes two

I’ll explain why it matters.

We established that a true second factor is a device other than the one used to store your password — it might be a Yubikey, Titan, or an old device you use primarily for authentication. But that fact is secondary (appropriately) to a more important message:

There’s no wrong way to increase account security.

For every person who’s unwilling to storing their TOTP in 1Password for fear they’d keep all their (secret) eggs in one basket, there’s another person who decides to store their TOTP in 1Password in an effort to decrease their personal attack surface. ²

Storing your TOTP in 1Password rather than a separate app is a perfectly safe and reliable option. You’ll perform 2SV rather than 2FA, and those two steps will be faster and easier with your passwords and TOTP stored together — especially when 1Password is set up to fill TOTP automatically. The convenience will usually outweigh the fairly negligible amount of security that may be sacrificed.

The correct choice is the one that works best for you.

For the majority of people, storing TOTP in 1Password is well within their risk tolerance. There will always be those of you who will trade that convenience because you want or require the added protection of true 2FA. And to those faithful hardware key crew members: Think of your true second factor as less “extra layer of security,” and more granular protection that will apply only if you’re subject to certain forms of attack.

Security guidance is largely straightforward — X is bad, do Y instead — but two-factor security is a rare case in which the correct choice is the one that works best for you. It’s not the mechanism that matters. When 2FA is enabled, your account is safer, and that is 2FA the right way.

Megan Barker

Security Scribbler