Protecting your 1Password account with multi-factor authentication

By 1Password

You’ve probably heard or read the advice: ‘Turn on multi-factor authentication (MFA) everywhere it’s offered.’ After all, it’s a great way to add an extra layer of protection to your online accounts.

But should that include your 1Password account?

1Password is secure by design and provides strong protections against a variety of threats. But if you want to further fortify your account (and why wouldn’t you?) we recommend enabling multi-factor authentication (MFA) on top of your account password and Secret Key. Turning on MFA will increase your protection against select types of cyberattacks and give you extra peace of mind.

In the following sections, we’ll explain how MFA works and how your data is protected by 1Password’s security model, helping you make an informed decision about what’s right for you.

What is multi-factor authentication?

Multi-factor authentication increases your online defenses and makes it tougher for criminals to gain access to accounts that are otherwise only protected by a username and password.

For example, imagine a criminal managed to find or guess the password to one of your social media profiles. With MFA enabled, they wouldn’t be able to sign in to the account because the service would ask them to either:

  • Enter a one-time code. When you set up MFA, most services will let you choose whether the code is sent via email, generated via an authenticator app, or similar.
  • Confirm a push notification. These are usually produced by an authenticator app installed on one of your devices, and save you having to paste or fill a one-time code.
  • Present a hardware security key. These USB dongles are a second factor because they prove you own something (i.e. a “possession factor”) in addition to knowing your login credentials.

You can use 1Password as an authenticator for sites that support MFA. That means you don’t have to waste time opening your email or a standalone authentication app to sign in to your online accounts. 1Password will also autofill these codes in any browser, saving you precious time each day.

Finally, you can use 1Password to save and sign in to accounts using passkeys. These passwordless credentials are a more secure alternative to passwords, and come with MFA built right in.

How 1Password is secure by design

In a moment, we’ll dive into the benefits of protecting your 1Password account with MFA. But first let’s recap how 1Password is built from the ground up to give you and your data the security it deserves.

All of your private information is protected by:

  • Your 1Password account password. You choose this password. We don’t know it, and it’s never stored on our servers. You use your account password to unlock 1Password and set up your password manager on new devices.
  • Your Secret Key. This is a unique part of 1Password’s security model. The Secret Key is a long series of randomly-selected letters and numbers, separated by dashes. It’s generated locally on your device when you set up your account, and just like your account password, is never sent to us in full.

Without both pieces, an attacker has no chance of reading your data. Full stop.

But our security model doesn’t stop there. We also go to great lengths to make sure your data is protected when you add to or update your vaults and sync those changes between devices.

First, you’re protected by Transport Layer Security (TLS), which is an industry-standard protocol that you encounter every time you visit a website with an HTTPS connection. On top of that, this line of defense is bolstered by a protocol called Secure Remote Password (SRP). With SRP, another encryption key generated on-device protects your information while it’s in transit. That gives you two layers of encryption protecting your data in transit. So even if a criminal intercepted and decrypted the TLS traffic, they wouldn’t have access to anything useful.

When and how MFA protects your 1Password account

Now let’s dig into MFA in the context of your 1Password account.

When turned on, a second factor will be required to add your account on a new device, in addition to your 1Password account password and Secret Key. During setup, you’ll be able to choose between an authenticator app or a hardware security key.

Multi-factor authentication (MFA) has become the baseline for protecting sensitive data. Cybersecurity threats are increasing in number and complexity, so there’s never been a better time to enable MFA on your 1Password account.

Let’s look at a couple of scenarios where MFA provides added security:

Scenario 1: A criminal obtains your account password and Secret Key.

Your 1Password account password should be hard to guess, and your Secret Key is designed to be just that: secret. But if a criminal gained access to both your account password and Secret Key, they could attempt to sign in to your 1Password account from a new device.

With MFA enabled, the attacker would still need your second factor – which you can choose to be a code from an authenticator app or a hardware security key – to sign in and unlock 1Password.

Scenario 2: You accidentally enter your 1Password credentials on a malicious site.

Imagine falling victim to a phishing attempt where you unknowingly enter your 1Password credentials on a malicious site. If you had MFA enabled, the criminal would still be unable to sign in to your 1Password account. The MFA prompt – for example, via your authenticator app – would give you an opportunity to recognize the phishing attempt and change your credentials before any damage is done.

How to keep your 1Password account secure

MFA is a great way to make sure your 1Password account has the highest possible level of protection. Here are some other best practices to make sure your account remains secure:

  • Choose a strong, unique account password. Our free password generator can help you create a long, memorable password.
  • Keep your Secret Key secure. Don’t share it with anyone and always store it in a safe place.
  • Be aware of phishing attempts. If 1Password doesn’t autofill on a site that looks like 1Password.com, double-check the URL before manually entering any information.

The bottom line

Should you protect your 1Password account with multi-factor authentication? We think it’s a great step to take. Enabling MFA adds an extra layer of security to your account and provides more protection against a broad range of threats.

Want to enable 2FA? Read our support page for step-by-step instructions: