Multi-Factor Authentication in 1Password
by Rick Fillion
The more the merrier, my mother likes to say. And why shouldn’t that apply to authentication factors? You have your Master Password and Secret Key, and they’re combined to be one amazingly strong factor via Secure Remote Password. We’ve added two more to the guest list, and you get to invite whichever you’d like.
Two-factor authentication in 1Password is implemented with Time-based One-Time Passwords. Time-based One-Time Passwords is a mouthful, so forgive me for abbreviating it to TOTP from here on out. TOTP is a widely adopted standard and it’s a great way of adding a familiar additional factor to your authentication process.
When setting up two-factor authentication, you’ll be provided with a TOTP secret that you can store in an authenticator app of your choosing. 1Password has been a TOTP authenticator for years now and storing it there is very convenient, but we recommend also storing it in an authenticator app like Authy. Ideally you’d store it in both so you have access to it when needed. When it comes to backups, the more the merrier, just like Mom said! 🙂
Any time you sign in to your account from a new device you’ll be prompted for a one-time password. Use the authenticator app to get the current one-time password, punch it in and you’re off to the races.
Turning on two-factor authentication is a breeze. All you need to do is go to My Profile, choose ‘More Actions’ on the action bar on the left, then ‘Turn On Two-Factor Authentication’. From there, instructions will have you set up in no time. Just make sure that you keep your TOTP secret safe, as it’s going to be required any time you sign in from a new device.
Duo Security is a slightly different approach to protecting accounts and has been available as a beta feature in 1Password for a number of months. The feedback we’ve gotten from it has been unanimously positive, and Duo is now available for anyone using 1Password Teams or 1Password Business. The best part of Duo is that once configured by an administrator it will automatically apply to all members of the team.
When you sign in to 1Password, you’ll be prompted to send a push notification to your mobile device where you can either allow or deny the request to sign in.
Duo is a great option if you’re looking to enforce the use of an additional factor across a whole team.
The awesome part about these additional factors during authentication is that they get to stand on the shoulders of Secure Remote Password. The SRP handshake needs to occur and all additional factor requests get the benefits of that secure channel. Without SRP the same attacks that could disclose your password to an attacker eavesdropping on a connection could also disclose your additional authentication factor. SRP protects both your password and the additional factor. This also means that enabling two-factor authentication or Duo does not mean that you can have a weaker Master Password. They protect against very different things, and your Master Password is ultimately what’s protecting your data.
We’ve rolled out support for both Duo and TOTP in all of our apps: Windows, Mac, iOS, Android, Web, and Chrome. We’ve even added both to our 1Password CLI tool, and it’s pretty amazing to have a terminal emulator trigger a push notification to my iPhone. Just make sure that you’re using the latest versions of our apps and you’ll be set.