
I've heard that 1Password has a feature.

We basically stored the QR codes for Google 2FA in 1Password.

1Password then tells us the Google 2FA keys every time we log in.

https://support.1password.com/one-time-passwords/

Is 1Password the only one with this feature?

I felt a little bit icky.

The whole point of 2FA is that we need two different authorizations. And now it's combined into one.

Anyone that can get into my 1password account can steal all my money.

So what's the solution?

user4234
  • Possible duplicate of [Is it safe to store 2FA tokens together with passwords in 1password?](https://security.stackexchange.com/questions/194142/is-it-safe-to-store-2fa-tokens-together-with-passwords-in-1password) and [How secure is a password app that stores both the password and two factor secret in one place?](https://security.stackexchange.com/questions/80752/how-secure-is-a-password-app-that-stores-both-the-password-and-two-factor-secret). – Steffen Ullrich Sep 30 '18 at 20:11

1 Answer


TLDR: Don't use that particular feature of 1Password.

Is 1Password the only one with this feature?

My password manager of choice, KeePass, can also support this via a plugin. As for other password managers, I do not know.

I felt a little bit icky.

It is a little icky to merge your 2 factors into one.

The whole point of 2FA is that we need two different authorizations. And now it's combined into one. Anyone that can get into my 1Password account can steal all my money.

Yes, anyone who manages to gain access to your 1Password would be able to log in. But in this case, the point of 2FA is a bit different. It is not really as much two factor as making the one factor better.

So what's the solution?

Other than not using this feature, there is no solution. However, I believe there is no "problem" either.

I believe this feature is not meant to protect from 1Password compromise. It is rather meant to prevent the password being compromised when it is entered. Here are a few examples of how the password may be revealed:

  • Keylogger or other spyware grabbing the clipboard when you copy the password
  • Keylogger grabbing the password with the autotype feature
  • Accidentally saving the password in the browser
  • A malicious web browser extension grabbing the password
  • Malicious JavaScript (for example from XSS) grabbing the password
  • Attacker intercepting the login credentials, for example by MITM attack

In all these situations, the attacker would be able to gain your password, however if you use TOTP 2FA, he would have an old OTP. Therefore, he would not be able to log in at all in some of these scenarios and only log in once in the rest.

This feature is therefore IMO useful when you trust your 1Password will not be compromised, but you are worried about the password leaking. If you feel you need to protect yourself, especially with e-Banking, you should use your phone instead. This is for lower-security applications.

Peter Harmann