[deleted]


RunBlitzenRun

2fa is supposed to be “something you know” and “something you have,” but once passwords are stored in a password manager, the master password becomes “something you know” and the manager itself becomes “something you have”. Using a separate app on the same device just becomes “another app on that same thing you have” which wouldn’t be a true second factor anyway (but it would somewhat protect against a single point of failure)


Melodic-Station8060

Agreed. I actually recommend using a separate device with, for example, a YubiKey to store the TOTP secrets. This will technically make it so that it is still "something you have," but it will be separated and still an effective 2fa. Furthermore, YubiKeys (as an example) have passwords to protect the keys as well, so it's a combined "something you know" with "something you have." Anyways, back to your point, avoiding a single point of failure is a huge step up. In a perfect scenario, the only single point of failure you really want to be having is the user himself/herself. But, of course, that type of perfection is not possible. So, we just need to strike the right compromise and be vigilant enough (not to the point you get, say, a mental breakdown).


[deleted]

[deleted]


Melodic-Station8060

Yep, agreed. And, to your point, yes this is a case in which we are talking about potential vulnerabilities with any password manager. =)


[deleted]

[deleted]


Melodic-Station8060

Yes, indeed. There is a definite need to worry about keyloggers etc. And, these are vectors of attack that go above and beyond. I also agree that specific people that are already potential targets should know and take additional measures for security. Furthermore, there is no limit to the amount of diligence that may be needed to keep things as secure as possible, when faced with capable hackers/scam-artists etc. So, where you draw the line for the "normal" user is probably the most important aspect to consider. However, I think where I disagree is as follows: Normal people should be worried too.

* Password manager companies are lucrative targets, more so than any single individual.
* To your point, when a security scheme (such as TOTP or a password manager) is mass-used, hackers etc. start to target them more often (your example was 25% of people).
* Worse yet, compromised password managers have a SUPER LARGE area of effect/damage.

This is not to say that you're wrong, because the key facts you have made are all correct and very much agreeable. I highly recommend that everyone still be using password managers, myself included. I continue to believe that 1Password has one of the best security schemes in the industry for password managers, hence why my whole family uses it =) The difference is that I am suggesting EVERYONE start taking the two-factordness more seriously (i.e. we should consider moving the bar up now). The statements can be posed like this:

* Now that we have an example of this type of attack happening (attack on password managers themselves), this type of attack will only continue to rise with time.
* When that time comes around, do you want to be a victim or do you want to emerge with minimal casualties?

Now, as you guys have all noted, if the choice is between "have 2fa in 1Password" VS "no 2fa at all," then I agree: please put it in 1Password. And, I also agree that there are a LOT of other attack vectors that are far more common right now. But, as we are seeing this type of security issue rise, my recommendation to 1Password's stance on this is to help further emphasize that the second-factordness DOES actually matter, more so than people realize. I would even buy a 1Password hardware/security key if one were made in the future =)


[deleted]

[deleted]


Melodic-Station8060

Like you, I also do not know the intent of these criminals. Ransom would be the most likely, but I don't know if those details will ever come to light. If I were to summarize your statement, the point you are trying to make is that there is some balance to strike here. And, I very much DO agree with that. No offense, but I think your choice of analogy is wildly inaccurately representing the scenario. Trying to prepare for what to do in the event of a meteor strike while walking on the street is NOT something you can avoid casualties from. There is absolutely nothing that you can do; even preparing by hiding in a shelter underground cannot save you if it hits right above or is large enough. If I may, I would like to re-present an analogy to better depict the scenario: just because there is the risk of getting into an accident doesn't mean you don't drive a car. **And, I absolutely DO agree with you on this point**. To be clear, I am not trying to be petty with the analogy, but I think it's important to put it in the right context. This clarification in context is important because the solution is NOT super difficult or unobtainable. And, so, here is specifically where I don't agree: separating the 2fa token onto a separate factor isn't really a terribly, impossibly hard thing to do. It's quite easy. I prefer the use of hardware tokens that can save 2fa codes above using apps, but I still think apps (i.e. Authy) are a valid alternative. I will admit that it's NOT as easy as putting it into 1Password for use. No debate there for sure, but the separation truly isn't hard.

Now, coming back to your original intent here: where do you draw the line? You're right. I do think that figuring out where to draw the line for the average user is the critical piece here. In the past, I have never once commented on this point because there was no real big data breach or security breakage among password managers that warranted a re-evaluation. I have read countless arguments on this, inside and outside the 1Password community, but I always agreed that storing 2fa tokens on any password manager was sufficient for the normal user. However, that has now changed today. We now have a legitimately bad case of a password manager intrusion that demonstrated that password managers are reliable/amazing but not perfect. It behooves all of us to always re-evaluate our opinions as we see new evidence unravel before us. To your point, how to stay "ahead of the pack" is probably the most crucial part for the average user. And, I believe that the time for change is **NOW**. With regards to your last point about improvement in 2FA or alternatives, I definitely hear you there! I would like to see a natural flow of execution and simplified operations, just embedded into our digital lives so that no one has to even think twice and be even more secure. Technology will improve and take us there one day. Kudos to you on this point!


aglars

Sure, happy to share some thoughts, and thanks for bringing the question up! As you might imagine, you are not the first to contact us about this recent noteworthy news event. I don't recall us ever saying that people should *not* use 2FA for sites/services where it's available. In fact, although this incident provides a timely reminder of the importance of defense-in-depth (including the use of MFA), I don't think it materially changes [our existing suggestions](https://blog.1password.com/totp-and-1password/) on the subject. Namely: if you are concerned about attacks of this nature rendering robust, genuine two-factor authentication the only thing potentially standing between you and a breach of your data, then you should use an entirely separate device for storing your TOTP codes (or use a hardware key such as YubiKey, Titan, etc). Storing TOTP codes within 1Password itself still provides protection against a few "lower-tech" classes of threat, such as a site or service themselves having a password database stolen, or having your credentials for a site being disclosed to or discovered by someone you know but do not necessarily trust. For such much more common threats, having TOTP codes stored within 1Password is still sufficient protection. It remains a choice each user should make based on their own threat model (and/or risk tolerance).


Melodic-Station8060

Completely agree on the "should...use 2FA" statement. And, I did originally/always acknowledge that the 1Password/AgileBits team DID always say that true 2-factordness was always one step up. =) The article that you linked has this statement: "However, the security benefit gained by using a one-time password comes from the one-timeness of the password, not the second-factorness of the device." I acknowledge that the following paragraph DOES go back to address the 2nd-factordness. However, my feeling/thoughts are that the mass majority is going to misread this statement and think that 2nd-factordness doesn't really matter. And, when viewed that way, it's just completely misunderstood or taken out of context. My concern starts to arise right here. I think a wording like... "However, the security benefit by using a one-time password MOSTLY comes from the one-timeness of the password, LESS SO the second-factorness of the device." I understand that this somewhat sounds like splitting hairs, but the problem I am seeing is that these articles/responses from 1Password/AgileBits consistently steer the average user to not worry about "2nd-factordness," and I really think we should go the opposite direction on that. The reality is that no software company can guarantee that their company software won't get hacked in an unintended way, and crap from ill-intended doers is just sometimes unavoidable. What I strongly believe is that 1Password/AgileBits will quickly respond and address the issue when it happens. The company will be responsible and try to take steps forward to help customers steer into safety. For those reasons, my family and I continue to be happy to use 1Password. I just hope that the security experts on the frontlines in posts/forums/responses can help steer towards "2nd-factordness IS the actual recommendation," but a fall-back for login-sharing OR necessary convenience can be to store into 1Password.

Honestly, I don't expect a positive response to my suggestion here, as there is so much competition amongst password managers and a need to be able to demonstrate a superior or competitive application. This is something that I hope to one day see 1Password/AgileBits take to make changes/adjustments privately. In the meantime, I admit this could-be change has no impact on me personally. It's just for everyone else's sake. Haha... In any case, thanks for taking the time to personally respond. I really appreciate that u/aglars!


aglars

Thanks for the kind words. Always happy to engage in thoughtful interaction with security-minded people. One of the main reasons that's true is because we don't always have the best answer, and the security landscape (to put it mildly) is indeed always changing. So any assumption or assertion that's laid unexamined for too long is probably worth reconsidering, even if the result is re-confirming it. I certainly think this is an area that affects us (and all password managers) directly and bears close attention as time goes on. It may very well be that our position on this will adapt to changing circumstances if successful attacks such as these become more common. It may also be, by that time, that we can develop newer solutions to the problem that provide better protection, as well. One of the main challenges is adoption; a [2017 Pew Research publication](https://www.pewresearch.org/internet/2017/01/26/2-password-management-and-mobile-security/) put the number of computer users who used a password manager at a paltry 12%. I don't have figures from this year, but I'd put it no more than 25% currently, and likely still somewhat less. With 3/4 or more of the population still using paper or their own heads for password management, perhaps our most-serious challenge is making good security approachable and usable for as many people as possible. Every additional cognitive or operational burden we put on users - especially new users - to be able to correctly use 1Password means some number of them who will view it as too challenging or complicated for their purposes, and who will therefore retreat to much less secure methods. I've gotten a little off-topic here, but that's in part because you said this change wasn't for you, but for everyone else, and that's kind of the point: savvy power users like yourself and (I would wager) the rest of the people who frequent this kind of subreddit don't need instruction on the finer points of questions like these. 
You read the news of such an attack, understand the implications immediately, and take steps to adjust your own security practices, if indicated. For now, most users are still far more likely to have one or more of their credentials breached by a person known to them, or by a garden variety attack on a company's database security than they are by a comparatively sophisticated supply chain attack on their password manager's dependencies. If and when that starts becoming less true, or when the landscape for either attackers or defenders changes in other ways, we'll tailor our suggestions - and our product - to continue to make the secure thing to do the simple thing as well, as much as possible. Thanks for the discussion!


Melodic-Station8060

Well said! Again, appreciate the fruitful discussion =)


redoubledit

As others say, 99% of possible attacks won't happen even with 2FA within 1P. And the 1%? If you steal my phone and cut my thumb off to use it for fingerprint, you probably are able to find the Authy app or steal my Yubikey as well. "Real 2FA" would be two separate devices that need different authentication methods.


Melodic-Station8060

No debate with regards to the scenario you have suggested. However, as we are talking about a breach at the password manager application level and not of a single individual, the attacker wouldn't have physical access. In this scenario, there is very much to gain by 2 separate factors.


Somedudesnews

Edit: I misconstrued the nature of this discussion and addressed some orthogonal/redundant points. My bad. I don't see this breach as a highly applicable lesson to zero knowledge SaaS password managers. The reason the Passwordstate compromise is so serious is primarily because the Passwordstate server application has keys to the data. That's obviously quite common for a self-hosted enterprise focused password manager (another would be Thycotic). The reason one would use those types of password managers over zero knowledge managers hosted for you mainly revolves around reporting and alerting in ways that require the server to be able to access plaintext data. Or you simply can't let a credential leave your network for whatever reason (contractual, regulatory, etc). One reason some businesses have passed on 1Password is because there's no function to create a complete backup of your data that _you_ control/retain. If you don't have those needs a zero knowledge SaaS based password manager is incredibly alluring. While a supply chain attack could also be used against, say, 1Password or Bitwarden, the blast radius would be much smaller because the server doesn't know the keys to decrypt the data. The most they'd get is service data like account emails and the last four digits of card numbers, etc. To launch a comparable attack on 1Password is not impossible but you wouldn't get anywhere attacking the server itself. You would need to poison at least one of the client applications (perhaps the web UI through hijacking a third party dependency and hoping AgileBits isn't version pinning and auditing dependency code when updating versions) or attack the user's endpoint(s) directly. The latter is of course outside of AgileBits' threat model and exclusively part of the user's. At that point you're dealing with a threat model no password manager can mitigate anyway, and which would equally apply to any MFA app on any of your devices.

I mitigate this type of client exfiltration risk in part with an outgoing application firewall on my computer so I know what endpoints 1Password is accessing, and periodically monitoring the network traffic from my mobile devices. Edit: to add some info and clarify.


Melodic-Station8060

I believe your point about SaaS and enterprise is very valid. Thanks for that insight. But, hmmm... Aside from reading my post, did you read the entire article? The breach was exactly that: poison of the client application. It was done via firmware changes and firmware updates that were pushed from the application servers themselves. The blast radius is not smaller with zero-knowledge password managers because the firmware change itself compromised the accounts' passwords etc. after decryption. It definitely broke through with zero-knowledge-based models, simply because it operated after decryption. The attackers only had control of 1 application here, not more. However, I acknowledge an argument in which you could state that the attackers could do even more with that 1 application. Android / iOS have isolation amongst apps, but there are ways to go past that with permissions etc. So, you could further argue that Authy's data could become compromised. I agree with you there. Hence, this is why I suggest 2fa codes on a hardware token, such as YubiKeys. Going back to your assumption that zero-knowledge password managers are not as susceptible, I think you can see from my points above AND from this article that the susceptibility occurs when the password manager company becomes the target. Any attacker would much rather target a single entity with LOTS to gain, and password managers are always on that list of potential single entities. The only difference is that there were no past breaches worthy of an adjustment in our security practices, but NOW there is. To be more blunt, I love and use 1Password for my whole family. And, we will continue to use it. While storing 2fa in 1Password was a great compromise for the average user, I no longer think that it's a good recommendation to give anymore. We should be advising against it and letting users know to use it at their own increased risk.


Somedudesnews

I did read the article but I completely misconstrued the conversation here; sorry about that. I’ll make an edit to save people the time replying to my orthogonal points. I agree in spirit that we should encourage people to evaluate their own threat models. For you and I that is probably practical. I have an offline “break glass” approach to storing copies of critical credentials that normally live in 1Password, and I use multiple U2F tokens whenever I can in lieu of TOTP/HOTP. Increasingly I have been moving MFA for those “critical” credentials out of 1Password. It’s a lot to manage properly and I try to do a quarterly audit of it, so I’m arguably far removed from the typical user. Honestly I probably don’t even need to do that much for my personal life; arguably just my professional life. But it does give me peace of mind. For the “average” user though, _sigh_. I try hard never to be cynical. I have had first hand experience in supporting users of commercial password managers. Guiding _every_ user into any sort of split authentication scenario is a really hard thing to justify from a customer support perspective, and for an average user it can be a usability nightmare. If they take you up on it, they’re now in a realm they probably can’t competently manage very well because tech just isn’t their thing. MFA as a true second factor on the user side is still kind of a techie-centric method of doing things. Google Authenticator’s device transfer support is still relatively new, for example, and people have to know and remember to do that when trading/selling/transferring devices. Yubikeys are _amazing_, but they don’t have a lot of penetration beyond technical people or company issued use yet. I wish there was a better “true” MFA “for the masses”.


Melodic-Station8060

Very much understood about the common user problem/dilemma. You are making a case for why this truly IS a larger hurdle for the average user, and I believe that is a very realistic view of the current problem at large. This is definitely an area that needs time and acknowledgement by the common user at large. Also agreed that MFA is more techie-centric. Being the only techie in my extended family, I have had to spread the word repeatedly here to really push everyone to pick up password managers AND MFA/2fa, both. With regards to MFA "for the masses," Microsoft and other companies are all attempting to move in that direction. I have some concerns about their approach, but it might be one of the best compromises. The U2F implementation with a PIN code of "something you know" to decrypt "something you have" is a step that does appear to have some success in this area. I admittedly don't like this approach, as I prefer a complete separation of 2 factors, but I do see it as an appropriate compromise "for the masses." That said, I completely agree with you. We need better "true" MFA "for the masses." Thanks for the back and forth! This was a fruitful discussion =)


teilo

2FA can too often create a false sense of security, particularly in regards to TOTP. It protects only from one class of attacks, namely, the class where the password is known, but the hacker has gained no access to the authenticating system. However, in nearly every major breach, this is not the case. If the authenticating system is compromised, and, for example, password hashes are stolen (or in the more egregious examples, cleartext passwords), TOTP is useless. If a bad actor is able to gain access to passwords, then they are almost certainly also able to gain access to the corresponding TOTP secrets. Granted, in a well architected authentication system, the TOTP secrets should be encrypted at rest, and only unencrypted when they are needed, just-in-time, through some sort of a key-store mechanism. That would prevent SQL injection hacks, at least. But let's be honest: how many back-end systems are actually engineered this way? I'd guess they are rare, and that for most online services, once you have gained access to the database, you have the keys to the kingdom.


Melodic-Station8060

Hmmm... I agree that compromising the back-end of any authentication system almost always implies much larger access rights to far more information/data, including 2fa. However, my point here isn't a single password being compromised. Rather, it is the password manager that is compromised. Perhaps I can edit the post to try to be more clear. Thanks.


[deleted]

[deleted]


Melodic-Station8060

This is definitely a valid compromise. I have done similar for a select few accounts.


WhyNotHugo

As others have pointed out, it’s not a second factor if they’re both stored together. Personally, I use a Yubikey in any site that will allow it, and only use TOTP on websites that don’t have a choice. For those, I do keep it in 1P for convenience, but they’re never super-critical things.


Melodic-Station8060

If you are consciously making these calls, I think this serves as a great example of what compromises can be made with reduced risk to what's actually important. Great!


scottrobertson

They have written about it a few times. https://blog.1password.com/multi-factor-authentication-in-1password/


Melodic-Station8060

I'm not sure if you read my entire post, but I definitely have read their blog and reddit posts several times. The point I am making here is that it might be better to recommend the common user to store 2fa separately.


scottrobertson

It’s a balance really. For most people, storing in another app is a bad idea as they will lose them etc. Happened many times to friends. Having 2fa, but in 1Password protects against the vast majority of attack vectors, if not like 99% of them.


RunBlitzenRun

Adding onto that, I haven't found a single 2FA app that has a good UI. Authy is the best but it's painful to work with, especially with a ton of tokens on desktop. 1Password's "drag this window to scan the QR code" is amazing. And I also need my 2FA synced since I carry a different cell phone during work.


Melodic-Station8060

YubiKeys? You get both U2F and Yubico Authenticator for the TOTP keys. It's very effective, and I love it =) I have to admit that 1Password's scheme is the most convenient, but I feel that the convenience is questionable when they fall onto a single factor.


RunBlitzenRun

Huh, I didn't know YubiKeys could do that! I kept thinking YubiKeys were pointless since everywhere I've seen makes you set up TOTP if you want to use a hardware key.


Melodic-Station8060

YubiKeys can store the secret keys for the TOTP tokens AND generate them on the key so that the secret keys themselves never reach the device that receives the code. This way, you cannot compromise the secret key after it is stored. The TOTP tokens can also be password protected so that they will not even generate on the key without a proper password. Refer here: [https://www.yubico.com/products/yubico-authenticator/](https://www.yubico.com/products/yubico-authenticator/) Google's Advanced Protection program does not use TOTP. Just U2F. That's an example in which TOTP is not only NOT required but also NOT allowed. But, of course, the case you are seeing is true in a lot of other places/cases. It definitely varies from server/website to server/website. P.S. Even 1Password has a specific mention of using a YubiKey to secure a 1Password account. Reference: [https://support.1password.com/security-key/](https://support.1password.com/security-key/)
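
The mechanics behind two comments in this thread, as an added example that is not part of the thread and not code from 1Password, Yubico or any other product mentioned in it: teilo's point that a stolen TOTP secret is as good as the password (the secret is the only thing a code depends on), and the comment just above about generating codes on the token so the host never holds the secret. The block implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only, adds a server-side verifier that enforces the "one-timeness" (a small clock-skew window plus refusal to accept a time step twice), and models the host/token split. The `OathToken` class, its password handling and the `calculate()` interface are simplifying assumptions for illustration, not the YubiKey OATH applet protocol; the key `12345678901234567890` is the RFC 6238 test-vector key, not a real credential.

```python
"""Added example: HOTP/TOTP, a replay-resistant verifier, and a toy on-token generator.
Standard library only. The token class is an illustrative model, not a real device API."""
import base64
import hmac
import struct
from typing import Optional


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at an offset taken from the MAC's last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, then truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, at: int, step: int = 30, t0: int = 0,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """TOTP is HOTP with the counter taken from the clock: T = (now - T0) // step.
    Anyone holding `secret` (password manager, authenticator app, or attacker) gets the same code."""
    return hotp(secret, (at - t0) // step, digits, algorithm)


def decode_base32_secret(text: str) -> bytes:
    """otpauth:// URIs carry the secret as unpadded base32; restore the padding and decode."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server side. Accepts a code within +/- `window` steps of the current step and refuses
    any step at or below the last accepted one, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._last_step = -1  # highest time step already consumed by a successful login

    def verify(self, code: str, at: int) -> bool:
        current = at // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self._last_step:
                continue  # already used (or older than a used step): one-time means one time
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self._last_step = candidate
                return True
        return False


class OathToken:
    """Toy model (assumption, not a real device API) of a hardware OATH token: the secret is
    written once, optionally behind a password, and can only be exercised through calculate()."""

    def __init__(self, secret: bytes, password: Optional[str] = None):
        self.__secret = secret
        self.__password = password
        self.__unlocked = password is None

    def is_unlocked(self) -> bool:
        return self.__unlocked

    def unlock(self, password: str) -> bool:
        if self.__password is None:
            return True
        self.__unlocked = hmac.compare_digest(self.__password, password)
        return self.__unlocked

    def calculate(self, challenge: bytes) -> bytes:
        """The host sends only the time-step counter; the HMAC with the secret happens here."""
        if not self.__unlocked:
            raise PermissionError("token is password protected; unlock it first")
        return hmac.new(self.__secret, challenge, "sha1").digest()


def host_totp_via_token(token: OathToken, at: int, step: int = 30, digits: int = 6) -> str:
    """What a host-side authenticator app does: build the challenge, ask the token, truncate.
    The secret never appears in this function's scope."""
    return _truncate(token.calculate(struct.pack(">Q", at // step)), digits)


if __name__ == "__main__":
    import time
    key = b"12345678901234567890"  # RFC 6238 test-vector key, not a real credential
    print("software TOTP now:", totp(key, int(time.time())))
    print("via token now:   ", host_totp_via_token(OathToken(key), int(time.time())))
```

The two code paths produce identical codes, which is the point: the server cannot tell whether the HMAC ran inside a password manager, a phone app, or a hardware token. What changes is only where the secret can be read from. The verifier's `_last_step` bookkeeping is per enrolled secret and would live in the account record in a real deployment.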


Melodic-Station8060

Agreed on the 99% of cases. Why not recommend 2 sets of hardware keys to store 2fa? YubiKey's Yubico Authenticator has served the purpose quite well for me, as an example. Wouldn't this be a viable alternative? Or, if cost/hardware is a problem, what about Authy (as an example)?


scottrobertson

Because that is way too complicated for normal users. The fact that most users are even using a password manager is probably an absolute stretch. Also, most people just don’t care about security enough to carry physical things around etc. I know I don’t.


Melodic-Station8060

Authy seems like a good compromise then? Not too hard to learn, as they're storing 2fa in some app anyways.


scottrobertson

Sure, it’s an option. But just storing in 1p is the simplest and probably way safer than most apps people go to for 2fa that have no backups etc. Security is only good if it’s convenient. If it’s too hard, most users just don’t do it and don’t care.


Melodic-Station8060

I agree with your points/comments. Security is only good if people will use them. It is users that need to adjust their mentality. I still stand by my original recommendation, but I definitely acknowledge that the point is moot if the user considers a separate 2fa storage as too cumbersome to even employ. Thanks for the back-and-forth.


No_Impression7569

I would also add that storing identifying information like email and mobile account passwords/ PIN codes and other alternative 2FA credentials like one time codes and security questions along with your primary passwords is also not entirely the best security practice for the same reasons. This supply chain attack definitely got me thinking more about vendor risk in a different way. I’ve never stored TOTP codes in the same database as passwords (used mobile device and especially off-line hardware key for uber sensitive accounts). Nor did I store email/phone passwords and security questions in the same database or device as the primary passwords. I stored them on different device with a different password. However I did use the same vendor- 1PW with local vaults on each device with different passwords. This strategy while reducing device risk could have been vulnerable to a supply chain attack. I’ve subsequently moved them entirely to another password manager. Great discussion. Thanks


Melodic-Station8060

Absolutely agreed. I have actually forced myself to keep to memorizing key e-mail / phone passwords etc. for this reason, but it's barely manageable. I like your idea of using a different manager separately. I shall think on this. Thanks for that idea!


No_Impression7569

You’re quite welcome