1Password and 2FA

If the password and user ID have leaked because the server has been breached by a hacker. A longer password may take longer to be found, but requiring 2FA for each new device to log in means that whoever has access to the password cannot access your account.

I have no idea what my passwords are, so I need 1Password anyway. Since 1Password also does my 2FA, is really not a problem. If I lose access to my phone, I don’t have my passwords. Of course my Mac, my wife’s phone, and any new phone I get will have 1Password on it, and my 2FA.

Two factor authentication protects you in case someone else gets your passwords. Maybe it was leaked. Maybe it was phished. But once someone has your password, they have access to your account unless you have 2FA set.

It’s why people have said that having 1Password both store your passwords and be the 2FA isn’t a good idea. If someone breaks into your 1Password account, they have both your passwords and your 2FA which destroys the purpose of using 2FA.

Not understanding why you don’t have 1Password synch your iPhone and your Mac. I’d never have all my passwords just in one place…and my comment about needing a second working device to do 2FA still stands.

They could only get the password if it was stored unencrypted (or with very weak encryption). I don’t think this is a high risk for any site that matters (e.g. financial institution, major tech providers, etc.). For a random shopping site that might have poor password storage practices, I don’t really care. I’d prefer someone didn’t get into my account, but if they do – the password isn’t used anywhere else.

If you’re using a password with 30+ characters and a mix of uppercase, lowercase, symbols, and numbers, my understanding is that “longer” is on the order of years with current computing power, so essentially not a concern.

I’m not saying that there’s no security improvement in using 2FA. What I’m questioning is whether there is a “big” or “great increase” or even a meaningful/noticeable increase in security. For me, it needs to provide a practical and worthwhile security improvement to be worth the considerable hassle.

Perhaps it would help to look at it from a different perspective.

I’ve long said that security has three L’s: likelihood (how likely is a problem to happen), liability (what’s the downside if a breach happens), and lost opportunity (how much work must be done to provide the protection).

I don’t protect accounts with 2FA because I want stronger security in theory; I do it because the liability if someone were to break in is high enough to warrant the extra effort. I don’t think the likelihood of these problems is high at all, and the lost opportunity is low—just the effort of entering a 2FA code every so often.

Some of the accounts I have protected with 2FA include:

• Google: Since my email is hosted at Gmail, we rely on Google Docs for all TidBITS and TCN collaboration, and I use Google Drive heavily for the Finger Lakes Runners Club, if my Google account were compromised, it would be nightmare.

• Twitter: Being impersonated on Twitter could be extremely problematic from a reputational standpoint, and although I flatter myself with this comment, it’s not inconceivable that someone could affect Apple’s stock price with carefully coordinated campaign that involved corroboration by multiple compromised accounts at the level of TidBITS.

• easyDNS/easyMail: If someone were to compromise my account at easyDNS, they could take over my email forwarding and probably compromise other accounts, which would be very bad thing.

• DigitalOcean: This is where we host TidBITS Talk. A vandal could do a lot of damage very quickly if they got in. The alternative protection is off-site backups on AWS.

• AWS: We rely on SES for email sending and S3 for storage. Fixing vandalism in this account could be a lot of work.

• Stripe: The payment service that handles everything for our company. If someone could break into this account, they could likely redirect at least one payment before I’d notice, so the liability could be very high.

So yeah, bring on the 2FA. Your mileage very well may vary, but I’d still protect financial accounts with 2FA.

Do you mean this philosophically or technically? Philosophically I can see the argument, but technically it’s not true. For example run 1Password on your Mac. That’s all you need to store your passwords and do 2FA. Now, you probably want it available on multiple devices, for the same reason you do backups, but you don’t need it.

It’s not either/or. If you don’t use 2FA, you’re going to get hacked or not. Each thing you do improves protection:

1. Don’t use easily guessable passwords. If a hacker knows your favorite sports team is the bears, and your password is b3ar, change it.
2. Don’t reuse passwords. If you are reusing passwords, stop.
3. Use longer and more random passwords. If your passwords are less than 12 characters, a rainbow us can probably guess it in minutes.
4. Use a password manager to log in. Password managers are harder to phish. I normally am careful, but there has been a couple of times I was fooled, and the fact that my password manager didn’t automatically fill in the password clued me in that something was up.
5. Use 2FA authentication. Even if someone gets your password, they still can’t log in. I had a friend who was phished for her Google account password. Because she had 2FA, she was still safe.
6. Use 2FA that uses one time time based passcodes rather than text messages. Text messages are sent unencrypted and can get intercepted.

If you’re not doing #1 on this list, you shouldn’t be worried about 2FA. And yes, there’s a smaller return as you go down the list. Also, risk is relative. I have a much stronger lock on my front door than my garden shed that’s protected with a cheap combination lock. I’m not overly concerned that someone will steal my tomato cages.

Most people are fine if they use any sort of password manager like the one built into Safari. However, if you are a higher target, like Adam Engst, you might take stronger measures. Maybe a regular tumbler lock is good for a normal household, but a nuclear missile silo might need something stronger.

Unfortunately, as we have more of our lives online, we’ve all become high level targets. What was good in 2000 for security is not anymore. I’ve stopped answering security questions truthfully. It’s not too difficult to find the name of my first pet or the name of my fifth grade teacher. I now store the security question answers I made up in 1Password. Of course it leads to some interesting interactions on the phone:

Customer Rep: Okay, before I can give you information about your account status, I need to ask you a security question. What was your favorite band in High School?
Me: ((Looking in 1Password) Uh, two old geezers banging trash can lids.
Customer Service Rep: Really? Mine too! I know it’s hard to believe, but there aren’t a lot of fans of 1980s North Dakota grunge bands.

Fortunately, using higher security is simpler. Apple automatically offers to fill in 2FA texts into the right field. 1Password takes the time based 2FA and fills it in for you. Then restores your clipboard to prevent someone from reading it.

It’s not hard to use 2FA now. The cost in terms of time, effort, and money is extremely low. So why not since we’re all high value targets now.

I’m not so sure. I have a new financial institution that uses their own app on my phone for 2FA. When I log into their website on my Mac, 1Password fills in my credentials and then the site displays a 6-digit number which I have to type into their app on my phone. The app then displays a series of numbers in response which I have to type into my Mac to complete the login.

This is a pain as it requires two devices and typing (increasing the chance of a typo). I would much rather use 1Password’s 2FA features, but the site doesn’t give me that option. It’s their app or SMS. There was no place in the app for setting up 2FA – it seems to just be built-in – so I don’t think I can extract the setup code to use in 1Password or another authenticator app.

My worry is that if I lost my iPhone, would I be locked out of the site? I tried asking their customer service about this and they were so clueless they didn’t seem to even understand what an authenticator app was. They merely kept advising me to use their provided app. I finally gave up.

I don’t think the site would roll back to SMS if authenticator failed, as that would seem to be an easy loophole for hacking (just enter wrong authentication codes and hijack the customer’s SMS to get those codes).

There clearly must be some sort of solution to this problem of losing the 2nd device, but I haven’t had a chance to do some testing and research to find out what that would be. For instance, perhaps the app stores my authentication details in the cloud so reinstalling the app or putting it on another device would allow it to work for 2FA? But wouldn’t a first install require the 2FA code rather than just the (potentially compromised) password?

The whole 2FA thing is poorly documented, confusing, and a bit terrifying, if the site gives you no other way to authenticate. I could switch to SMS authentication, but I know that’s not as secure. But I also don’t want to be locked out of my account if my 1Phone isn’t available.

Yes, you’re correct in general. I was thinking the standard TOTP 2FA lots of sites use (aka “Google Authenticator”), but while that’s ubiquitous, it’s not universal. If a site uses their own app then you’ll need something that can run that app, and if that’s different than where you want to log in, you’ll need a second device. There are some workarounds, for example it seems some financial sites use Symantec’s VIP Access, and the ones I’ve used allow adding multiple instances, so you can at least get around the single point of failure problem if you have multiple devices (and with VIP Access specifically, there’s a way to get Google Authenticator compatible 2FA keys so you can use 1Password or whatever).

I agree completely with this. It’s certainly better than it was years ago when I started using 2FA, but isn’t to the point where I’d expect a completely non-technical person to be able to set it up and use it.

They can use reverse hash tables, and if they know how the hash was salted, they can use these lookup tables. If the server used a weak hashing scheme, they may be able to reverse the hash as well. For a random password that long? Probably not. But you forget another possible vector: if they can see the user ID, and the email account that can be used for a recovery password, and they have a way to get into the email account you’ve used, they can try a password recovery attack (the recent “SolarWinds” hacks included ways to hack into email accounts to read email, as an example, but it could even be as much as a social engineering attack where they contact the service claiming that they have changed their email account, and if these hackers can see the tables that store the information for your account, they can see things like account numbers, security question answers, etc.)

2FA is not all that much a hassle to me. For my gmail account, I need to provide it when I try to connect from a new device or browser for the first time. The same with my amazon account. The same with my Facebook and Twitter accounts. Microsoft does require it often with my outlook.com account, but it’s not that much of a hassle, really, but it is protecting me from other people trying to get into my account if they have, for some reason, been able to authenticate.

I simply prefer the extra security myself, for wherever I can use it.

I still don’t think that’s true. I do have multiple devices, but using Authy with just an iPhone, you can recover your 2FA codes if you purchase a new phone that is provisioned with the same number. If it gets a different number for some reason, there is still a way to recover. And I have a way to recreate all of my 2FA codes without a second device. Somebody who has printed their QR codes out and stored them securely also could as well. Most providers have a way to authenticate using a different method (for example, with a set of emergency codes that can be printed.) But, you know, how many of us who actually use 2FA as a choice when it’s presented have only a single device? I bet it’s a pretty small percentage.

Studies estimate that over 80% of security breaches are due to compromised passwords. You might unknowingly have a virus and keystroke logger. Passwords can be phished. You might be fooled into entering your password on a fake website. A security camera might spy you typing your password. A service provider might have their systems broken into. There are fake VPNs, fake public WiFis etc.

Companies invest a lot money in security, but people make mistakes and do things they are not supposed to, or fail to do something they were supposed to.

Security is a continuum from easy to break to very difficult. Passwords alone fall on the easier to break side. Imagine a system with no static password to steal. No shared secret. Every login session is unique and can’t be replayed. There’s nothing to phish. No password to remember or write down, yet able to recover if you lose your device. This is what I and others are working on.