A few days ago, 1Password was updated to improve the ability to use 1Password with sites that have a time-based, two-factor authentication code. This is a useful feature of 1Password. Here is why I recommend two-factor authentication in general, and how it now works in 1Password on the iPhone or iPad.
Two-factor authentication is good
Two-factor authentication is a way to confirm your identity when you are logging in to a website. Normally a website asks for your username and password, but your username is often easy for a hacker to learn (it might just be your public email address), and thus all a hacker needs to do is learn your password and he has access to your account with that website. There are lots of different ways that a hacker could theoretically learn your password — such as if you use the same password at multiple sites (don’t do that!) or if you have multiple passwords that are similar and the hacker can guess your pattern (don’t do that either!) or if someone looks over your shoulder while you are typing in your password in a public spot (yikes!), etc. With two-factor authentication, it is not enough for the hacker to have your username and password; he must also have access to a device in your possession (such as your iPhone) which displays a number that changes every 30 seconds. If the hacker is in some foreign country across the globe, he won’t have that, and his attempts to access your account will fail.
There are many different iPhone apps which can be used to display authentication numbers which change every 30 seconds. 1Password is a good one to use just because you naturally think of that app as a place to store login information. But with the update this week, 1Password is even better than other apps because it can automatically put the number on your clipboard. This makes two-factor authentication really fast to use. And that’s good because you get more security without a bottleneck that slows you down.
Here is how you use the feature.
Configure a 1Password entry to use a one-time password
First, in 1Password, find your entry for the website in question, where you already have your username and password stored. Tap Edit in the top right corner and scroll down until you see “Add new one-time password.” Tap that and you will see a new entry which has a QR code icon on it.

Next, on your computer, go to the website in question. In this example, I’ll use Backblaze, the service I use to automatically back up my home computer. On the account settings area of the Backblaze website on my computer, I click on the option to turn on two-factor authentication. The website will then display a big QR code on my computer’s monitor. I tap the QR code icon in 1Password on my iPhone and use my iPhone’s camera to scan the QR code.
Now my 1Password entry for Backblaze has a One-Time Password field with a six-digit number which changes every 30 seconds. There is even a little timer on the right which counts down the seconds so I can see how long I have until the password changes.

Using 1Password with two-factor authentication
Now that the entry for a website has two-factor authentication configured, you can use it the next time that you access that website. So back to my Backblaze example, whenever I want to access the Backblaze website on my iPhone, I tap the Action button at the bottom of the Safari window, then I select 1Password, I use my Touch ID fingerprint to confirm that I am really me, and then 1Password automatically types my username and my password on the website.

Next, the website will ask me for my authentication code, but I don’t have to go back to the 1Password app to look up that code. Right after 1Password automatically entered my username and password, it pasted the six-digit code to my iPhone clipboard, and it briefly displayed a message that says “One-time password saved to the clipboard.” Thus, all I need to do is tap in the box and select paste, and the number is entered for me.

This new system is so much more convenient than having to manually go to another app to find the number and then going back into Safari to enter the number.
Although my focus here is iPhone/iPad, this new 1Password system works the same on your PC and Mac. Just use 1Password on your computer to enter the username/password, and then use your computer to paste the number when you are asked to enter the six-digit code. [UPDATE: To be more clear, the current version of 1Password for Mac automatically copies that code so that it is ready for you to paste, just like iOS. The current version of 1Password 6 for Windows (version 6.6.439) does not automatically copy the code, but you can right-click on the entry in the browser add-on to manually copy that code and then you can paste it into the Windows browser. I presume that 1Password for Windows 6 will gain this feature in a future update.]
I currently have two-factor authentication in 1Password configured for Backblaze, Dropbox and Facebook, but I plan to add more websites in the future now that 1Password works so much better with two-factor authentication.
Jeff,
I have a real concern about this being a step in the wrong direction making us all less secure.
The point of 2FA is that user authentication requires 2 factors, but having 1Password manage both password and the second factor undermines that very security. If 1Password does NOT manage my OTPs then even if my 1Password account is hacked it is useless as I, and not the hacker, have the device which generates my OTP—my iOS device. If 1Password also generates the OTP then the hacker has both.
Jeff,
I have looked at the 1Password blog and they themselves say:
“We need to make the distinction between one time passwords and second factor security. One time passwords are often part of second factor security systems, but using one time passwords doesn’t automatically give you second factor security. Indeed, when you store your TOTP secret in the same place that you keep your password for a site, you do not have second factor security.”
See https://blog.agilebits.com/2015/01/26/totp-for-1password-users/
Philippe Doyle Gray
I could go on for pages on this topic, but at the risk of being too brief, here is why I think this still makes good sense. My main concern with a website using a password is that there are so many ways that a hacker could learn/guess/obtain a password. A system in which a hacker would have to instead have access to my iPhone — which yes, has the username, password, and security code all in one place — is infinitely more secure than a system in which the hacker just has to have the password. I see the argument that security would be EVEN BETTER if just my password is on my iPhone and the security code is someplace else, but where would that be? For years, people used those little RSA security fobs, but if someone steals my fob, I may not realize it for a while. If someone steals my iPhone, I guarantee I will know about it almost instantly. And even if that happens, I know that a hacker can only do so much without my fingerprint, plus I may be able to remotely erase the iPhone. I especially like that this system doesn’t rely upon a text being sent to my cell phone as the second factor because there are ways that a hacker can clone my SIM, or convince my cellphone company to activate a different phone under my name so that the hacker gets my text messages, etc.
The problem with security is that it often cuts against convenience. The 1Password two-factor system described in this post gives me a LOT more security, with virtually NO added inconvenience. This is amazing and makes two-factor much more attractive to me. If you want to obtain even greater two-factor security using additional means, and if the inconvenience doesn’t bother you, that’s great! But for me, this seems to hit the sweet spot of additional security and minimal additional inconvenience.
-Jeff