1Password and time-based one-time passwords
by Sarah Brown
With an increase in cyber threats and data breaches, it’s essential to choose the right security measures to protect your information. Usernames and passwords have traditionally been the only thing standing between your data and anyone looking to steal it.
That’s where a two-step verification process like the time-based one-time password protocol (TOTP) comes in. This generates disposable passwords that can be used when you need to perform sensitive operations for your accounts.
Read on to learn when and why TOTP is useful for 1Password users, and what to do if you want genuine two-factor security.
The time-based one-time password protocol is a form of two-step verification that is used in tandem with a traditional password to grant access to your account. One-time passwords can also be required when you perform sensitive actions, like sending a payment or changing your password for an account. One-time passwords verify your identity based on a shared secret, and that secret can be embedded in a QR code that’s only shared between you and the provider.
When logging into a site that requires a one-time password, your device uses an algorithm to generate a unique numeric code, based on the shared secret and the current time. On the other end, the server generates the same code, based on the shared secret, to validate the login request. This temporary password typically expires after an interval somewhere between 30 seconds and 2 minutes.
You don’t need a one-time password to access your 1Password account, but you can use your account to store and manage your one-time passwords for other sites. When two-step verification is enabled for a website, 1Password can be used to store and quickly access your one-time passwords. Simply fill in your username and password, and 1Password automatically copies your one-time password to the clipboard for 30 seconds.
If you generate your one-time passwords with 1Password, then you always have a failsafe if your device is lost, stolen, or destroyed. Your 1Password membership includes automatic local backup and item history, as well as access through the web interface, so you always have access to your one-time password no matter what.
Sometimes a site or service requires that TOTP be used in tandem with your regular password to access your account. TOTP can help protect you against weak or reused passwords, but it is not a substitute or replacement for strong and unique passwords.
One-time passwords can also be useful when you’re accessing an account over an insecure or open network. The beauty of one-time passwords is that they aren’t reusable even if they’ve been compromised in transit. In this way, TOTP provides you with a strong defense against potential attacks even though there is no second factor being used.
Time-based one-time passwords are often seen as a two-step verification option rather than true two-factor (or second-factor) authentication like U2F-compatible security keys. Though one-time passwords are often part of a two-factor security system, using TOTP doesn’t automatically give you second-factor security.
When your one-time password is stored on the same device that you keep your password for a site, you don’t have two-factor security in place. However, the security benefit gained by using a one-time password comes from the one-timeness of the password, not the second-factorness of the device.
If you want to turn a site’s offering of TOTP into real two-factor security, you shouldn’t use 1Password for your one-time passwords (or anything else that syncs across devices). If your goal is true two-factor security, then the device you use for TOTP should never be where you also store your password.