1Password and 2FA

Besides using long, random passwords (and using a password manager to help you remember those passwords), one of the best ways is to secure your account with Two Factor Authentication (2FA).

Two factor authentication uses something you know (like a password) and something you uniquely have (like your iPhone). In most cases, when you use 2FA, after you log in, the site will send a six digit code to your cellphone. This code must be entered into the site before you can completely log into your account. Apple makes this easy by looking for these codes in Messages, and letting you quickly paste them into the field.

There are two problems with this. The first is that it assumes your cellphone number is uniquely yours and no one else will ever have it. Hackers have been known to trick cellphone carriers into moving your phone number to a device they control. Suddenly, they can use your phone number to take over various accounts.

The second is that it makes accounts hard to share. My bank uses 2FA, but my wife and I have to share the same account. When she logs in, she has to text me to get the 2FA code that’s sent to my phone.

There’s another, more secure way of using 2FA: it uses a time-based algorithm to generate that 2FA code. In the old days, you would have a physical 2FA key that would display a new six-digit code every 60 seconds. The algorithm used in this device was also used in the server. Thus, both you and the server knew the code. You would have the password (something you knew) and the physical key (something you have).

These physical keys are still around, but programs like Google Authenticator can now emulate these physical devices. If you download Google Authenticator, you can use 2FA without relying on SMS text messages.

I’ve been using 1Password almost since it came out. A few revisions ago, 1Password got the capability to be a 2FA key generator. One of the things I now notice is that 1Password warns me if a site uses 2FA and I don’t have it set up. Sort of pushing me. It also has a type of field called One Use Password that I found out is for 2FA.

However, I didn’t use 1Password or app based 2FA because I worried it would be too complex, and I might end up locking myself out of my accounts. After all, Apple’s use of copying and pasting the SMS 2FA codes made using SMS based 2FA simple. I also worried I might lock myself out of my account if my 2FA didn’t work. Besides, these sites tell me I can use Google Authenticator. Can I use 1Password too?

It turns out that the algorithm to generate the 2FA time based codes is open source. You can use hundreds of authenticator apps. Plus, there was my bank account where my wife has to text me whenever she logs in.

I decided to try 1Password with its built in 2FA, and found an account that uses 2FA (according to 1Password), but isn’t that important.

I went into Security Settings and selected to enable 2FA. Immediately, I ran into an issue: I was supposed to scan in the barcode. How do I scan a barcode that is displayed on my iPhone with my iPhone? Do I need to do setups via my Mac, and then scan them into my iPhone?

Fear not! Below the QR Code was “Can’t scan the barcode”. Clicking there gave me a URL to paste into 1Password. I created a One-Time Password field, and pasted it in. Saving the entry in 1Password gave me a six-digit countdown code that changed every 30 seconds.

The site asked me for this code, so it verified that it worked before setting 2FA on my account. I entered this code and my 2FA was set up. It was fairly simple. The most complex part of the process was determining where 2FA is set.

Using time-based 2FA couldn’t be easier. When I am using Safari, 1Password automatically pastes the 2FA code into the correct field. 1Password also copies the 2FA code into the clipboard in case it wasn’t automatically pasted into the field. And if all else fails, it’s not hard to bring up 1Password in the share sheet, and copy the 2FA code.

My only regret is that I didn’t do this earlier. Using 1Password with time-based 2FA codes is easy to do and simple to implement. It adds extra security to your accounts without a lot of additional hassle. The hardest part of the process was trying to find the setting to set up 2FA for a particular site in the first place.

It’s actually even easier on the Mac. 1Password brings up a scanning screen for those QR Codes. When you create a One-Time Password field, a translucent window comes up, you place it over the QR Code, and 1Password automatically pastes it in for you.

If you’re not using 2FA, go to 1Password and look for all entries with a 2FA tag and set them up. This is especially true if this is a financial site.

5 Likes

I have one or two relatively unimportant accounts set up with OTP in 1Password, but generally I like to have the two things (password manager and OTP manager) be separate things. If somehow 1Password is cracked (very, very unlikely, I know), having both stored in one place is putting everything at risk.

But, yes, 1password’s implementation is very nice, and one thing that I like is putting the OTP into the clipboard, as you say.

I’ve been using TOTP (Time-based One Time Passwords, the technical name for these sorts of 2FA passwords) for a while. As Dave says, the algorithm is open source so anyone can implement an authenticator. I personally use Authy on my iPhone, both because I was using TOTP 2FA before I was using 1Password, and I tend to agree with Doug and like to have the 2FA information separate from the password information, but that’s mostly because I’m a bit paranoid when it comes to security. Plus I find I can easily remember the six digit code long enough to enter it when necessary.

One thing that might help getting 2FA set up, is that there’s an associated 16 character “key” which is often displayed with the QR code. Most authenticators allow entering that instead of scanning the QR code. In 1Password, you can enter that key in a new field, then change the field type to One-Time Password. Obviously just scanning a QR code is easier, but if you’re faced with setting up a series of mirrors to take a picture of your phone’s screen with your phone :stuck_out_tongue_winking_eye: entering the key is another option.

I’d highly recommend setting up 2FA for accounts that would hurt to get hijacked (bank or brokerage accounts, etc.) While it’s a little harder logging in, it’s only a little, and it greatly increases the security of the login.

1 Like

I have been using 1Password with 2FA for 2 years now. I use it for all sites that support it. It has worked without flaws. Here in Norway we use something called Bank-ID for all our banking and connecting to government services. It too is based on the same principles with “something you know (like a password) and something you uniquely have (like your iPhone).”

Perhaps I missed it, but can your wife now login without texting you?

Yes. Since we share a 1Password account, she can generate the same code.

1 Like

While 2FA using TOTP is a big improvement over passwords alone, there are a few things to be aware of. First, there’s still a shared secret that can be stolen if the server is compromised. Next, it doesn’t help with fake websites that get you to enter your OTP. Worse, there’s malware for Android that can read Google Authenticator codes. I think Authy is a better choice.

One of the big reasons people are reluctant to use 2FA is the fear they will be locked out of their accounts if their smartphone is damaged or lost. Some 2FA sites offer recovery codes you can use if you lose your phone. I prefer taking a screen shot of the QR code and saving it (or a print out) in a safe place. Your partner (or future you) can scan the same QR code if desired which provides a convenient backup.

The future is passwordless authentication using modern smartphone hardware and cryptography. The hardware on your smartphone is used to generate a key pair where the private key exists only in the secure enclave and never leaves the device. Once your phone is enrolled you get 2FA that requires something you have (your smartphone), and something you are (Touch ID or Face ID biometrics). There’s no static shared secret to be stolen or compromised. To login, you simply approve a push on your phone and pass biometric authentication. If you lose your phone, you can re-enroll with your new device (similar to password recovery).

The technology is here but widespread adoption will take time.

I use OTP Auth for 2FA. I can back up the data file and even set it up to share with other devices via iCloud. This protects me from the “my iPhone died so I have no access to 2FA” problem.

Where I need to share the log in with someone else I do 2FA with 1Password.

However, some companies – Microsoft – are assholes and require that you use their 2FA app and no one else’s. Which defeats my methods.

I find some services, such as Google, which don’t require 2FA for every log in make it easy to change your 2FA to a new device as long as you can log in. I get many staff with new iPhones having the problem that Google Authenticator didn’t migrate its data asking how to access their mail on their new phone. I direct them to getting onto gmail on their Mac, then going to Account, and setting up a new 2FA.

Most sites give you emergency access codes to use in case you lose your device. One of the advantages to 1Password is you can use iCloud to backup your 2FA. You can also backup without the Internet to other devices like your Mac or another iPhone.

I use Authy for 2FA. It works for Microsoft. Every provider that uses an authenticator app for 2FA that I have encountered works with Authy.

I use Authy for 2FA codes, and it syncs nicely between my iPhone, iPad, and Mac.

The real problem with 1Password is that I have 19 accounts set up in Authy, and I see no way to transfer those to 1Password without toggling 2FA off and on again at each one of those sites. And, while I’m sure that would work, it feels like poking the bear.

I have been creating an otpauth URI and storing it in my pwSafe “notes” field. Then when I access it using StrongBox it generates the timed codes. I think KeePassXC does this as well for URIs in the “Notes” field, but it may also have a dedicated field for it.

The URI scheme is at Key Uri Format · google/google-authenticator Wiki · GitHub but the only thing used to generate the code is the ?secret=JBSWY3DPEHPK3PXP part - everything else just lets your software display it with extra info like “Your code for account abc at website DEF is:”

Additionally, recording the shared secret information (which I get from clicking the “can’t scan the code” links) in my password manager means that if I ever want to use some other generator from Google or Microsoft or whomever, I can set it up using that stored shared secret. I mostly use “OTP Manager” for the very few of the dozen codes that I actually use frequently - OTP Manager on the Mac App Store

I have only found one place that doesn’t play nice with this type of thing and that is Steam, which seems to bury their shared secret info deep within their own authentication app, which then requires a lot of hoop jumping to get it out.

One of the great things about using 1Password is that it doesn’t get fooled by fake websites. If the website domain uses the Greek letter Rho rather than a P, I may get confused, but 1Password still refuses to log me in. It has saved me from many phishing attacks.
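The point above is that a password manager matches the exact domain of the stored entry rather than what the name looks like, so a look-alike host with a Greek rho in place of a Latin p is simply a different domain. As an added illustration that is not part of the post or of 1Password, the code below compares two URLs by their hostnames converted to the ASCII (punycode, "xn--") form that browsers and password managers actually match on. The `pay-example.com` hostnames are constructed for the example.

```python
from urllib.parse import urlsplit


def host_a_label(url):
    """Hostname of a URL in its ASCII 'A-label' form (IDNA/punycode), lower-cased.

    A host made of plain ASCII letters comes back unchanged; a host with any
    non-ASCII letter (such as a Greek rho standing in for a Latin p) becomes
    an 'xn--...' label, which makes the substitution visible."""
    host = urlsplit(url).hostname          # already lower-cased, no port
    if host is None:
        raise ValueError(f"no hostname in {url!r}")
    return host.encode("idna").decode("ascii")


def uses_non_ascii_host(url):
    """True when the hostname needed punycode, i.e. it contains non-ASCII characters."""
    return any(label.startswith("xn--") for label in host_a_label(url).split("."))


def hosts_match(stored_url, current_url):
    """The check a password manager performs before filling: exact A-label equality.

    Visual similarity plays no part, so a look-alike domain never matches."""
    return host_a_label(stored_url) == host_a_label(current_url)


if __name__ == "__main__":
    stored = "https://pay-example.com/"               # constructed: the saved login's URL
    genuine = "https://pay-example.com/login"          # same site, different path
    lookalike = "https://\u03c1ay-example.com/login"   # constructed: Greek rho instead of p
    print(host_a_label(lookalike))                      # xn--... form reveals the swap
    print(hosts_match(stored, genuine))                 # True
    print(hosts_match(stored, lookalike))               # False: the manager would not fill
```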

2FA can be a lot of trouble for folks who don’t have smart phones, depending on how a company decides to communicate with its customers.

A bank that I deal with originally did 2FA by authenticating the device itself (as being a computer owned by the customer, for example) and requiring a password; that worked fine. Then they replaced the device authentication with a 6-digit short-lived OTP, but provided a choice of four channels by which it could be delivered; that was tedious, but still worked OK, because it was flexible.

Another financial institution that I dealt with had a much more onerous arrangement for delivering the short-lived OTP. If you didn’t have a smartphone, then you had to accept the OTP via audio message on a standard phone. While that was quite secure, it also meant that there were times of the day when I could not deal with that institution at all because the ringing of a landline would have wakened other folks in the household. That was one of several reasons why I stopped dealing with that institution.

Which highlights a more fundamental problem with password plus authenticator. It’s too much friction. Passwordless authentication is here but it will take a huge industry effort to adopt it. An interesting data point is that Apple joined the FIDO alliance last year.

FIDO = Fast IDentity Online

FIDO sounds really interesting, but I don’t see any real-world examples that actually eliminate the need for passwords, which is the Holy Grail in this field and what the FIDO Alliance seems to be aiming for. All the examples are for security keys on top of existing accounts, as far as I can tell.

I’m not sure if anyone has yet to bring this up, but there is definitely one flaw to 2FA that really bothers me, so much so that I quit using it and opted for very long passwords within 1Password instead. It requires you to have a second device to receive the code on. So for most people this is an iPhone. Not everyone has a third or fourth device to use. Say your iPhone stops working for whatever reason and you have to get it repaired or replaced in the worst case scenario, or say you temporarily lost it somewhere. If you have 2FA turned on for your bank account site, this becomes crucial. You simply cannot access your bank account. What does one do then? You can’t even get into your bank account’s site to turn OFF 2FA. This issue would seem to need to be addressed, big time…

1 Like

I think it has been addressed, or at least there are ways to address it. If you’re doing SMS 2FA (which isn’t recommended), you can have messages appear on other devices, or get something like a Google Voice number. For TOTP 2FA, 1Password will sync between devices. And there are free TOTP apps for almost any recent computing device you can name. Some sync automatically, but even with those that don’t, it’s pretty easy to just enter the 2FA key on each device you want it on.

1 Like

I see comments like this a lot, but is it true? If you use 30+ character 1Password (or similarly) generated passwords, unique to each login, what is the security risk that 2FA solves? 2FA seems like a lot of hassle and a significant risk of losing or at least being locked out of your accounts when you least need it (i.e. losing a device). I know there are workarounds to the risk of losing the TOTP keys, but that only increases the hassle more, and I have no desire to track multiple keys that I have to store or print out. As it stands, I have 2FA enabled for only 2 accounts, and that’s because they require it (my AppleID being one of them). Everywhere else, I just use a strong, unique password, and I’ve yet to hear a convincing argument as to how 2FA would provide any benefit.

1 Like

I get the 2FA code from my auth app on the same device all of the time. You have to switch to the app and switch back, but that’s not a big deal. (I do have the app set up on my iPad and have the app installed on my Apple Watch as well, so I do have it on multiple devices.)

1 Like