
Then it's not really 2FA anymore. Anyone with access to your 1Password account can log in anywhere.



If anybody has access to your 1pass account, you are fucked no matter what.

The biggest threat the vast majority of people face is getting one of their accounts taken over because they re-use credentials and some site, somewhere, got their account db compromised and now those credentials are on a list. Any account that has 2FA, even ones that use "weak" 2FA like SMS, will be immune to being broken into. These drive-by people won't be breaking into your 1pass account to recover your 2FA secret either--that is too much work. They'll just move on to all the accounts that don't have 2FA enabled.

(huge asterisk: what I said is only true for drive-by attacks where some bot is burning through a list of a million accounts to try. If somebody is specifically trying to attack you and your accounts... you've got bigger problems to worry about than simply having SMS-enabled 2FA or saving your 2FA keys in a password manager.)


Regarding people getting access to your 1Password account, things have gotten better recently.

1Password supports 2FA to login to the vault itself and most recently Webauthn security keys on browser, which I immediately switched to. On mobile it’s still TOTP, but better than nothing. I’ve got 2 physical keys and Google Authenticator as only 2FA methods.

Once U2F is supported on mobile, I’ll drop TOTP altogether for my 1Pass login. Probably buy another Titan key and throw into the bank box.


If your 1Password is broken but 2FA is elsewhere, you are much less fucked than you would be in the case of a breach of 1Password + 2FA.

It would be royally annoying, but salvageable.


It's two-step with a unique key every login. It wipes out phishing, password reuse and password leaks as vectors.


It doesn't wipe out phishing. Phishing is getting more and more complex; now phishing sites ask you for your TOTP to gain control of your account in real time. And that's one of the origins of FIDO2. - https://fidoalliance.org/fido2/


Unique passwords wipe out password leaks as a vector. Anything where you type in a code is also still phishable.
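The two comments above make the same point from different angles: a TOTP code is computed from the shared secret and the clock only, so a verifier cannot tell on which page the user typed it, whereas a FIDO2/WebAuthn assertion has the page origin baked into the signed data by the browser. The example below is added here to illustrate that difference and is not code from any commenter or from 1Password; it implements HOTP/TOTP per RFC 4226/6238 (checked against the RFC test vector) and a deliberately simplified WebAuthn-style assertion in which an HMAC with a per-credential key stands in for the authenticator's public-key signature (an assumption made to keep the block dependency-free). The origins, credential key and challenge are constructed values.

```python
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

# ---- TOTP (RFC 6238): the code depends only on the shared secret and the time step ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)

def totp_verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock skew.
    Note what is NOT an input here: the page the code was typed into. A code relayed
    from any site is indistinguishable from one typed on the real site."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))

# ---- Simplified WebAuthn-style assertion: the browser binds the origin into the signed data ----
# Assumption: HMAC with a per-credential key replaces the authenticator's signature; the
# structure (rpIdHash || SHA-256(clientDataJSON), origin inside clientDataJSON) follows WebAuthn.

def client_assertion(cred_key: bytes, rp_id: str, origin: str, challenge: str) -> dict:
    """What the browser produces when the user taps the key on page `origin` for relying party `rp_id`.
    The browser refuses to use a credential whose rp_id is not a registrable suffix of the origin host,
    so a lookalike host cannot even request an assertion scoped to the real relying party."""
    host = urlparse(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"origin {origin!r} may not use credentials scoped to {rp_id!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                             sort_keys=True)
    auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
    signed = auth_data + hashlib.sha256(client_data.encode()).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(cred_key, signed, hashlib.sha256).digest()}

def verify_assertion(cred_key: bytes, rp_id: str, expected_origin: str,
                     challenge: str, assertion: dict) -> bool:
    """Relying-party side: check type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:        # the check that defeats real-time relay
        return False
    if assertion["auth_data"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"].encode()).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def demo() -> dict:
    """Runs both flows with constructed values and returns the verifier outcomes."""
    secret = b"12345678901234567890"                  # RFC 4226/6238 test secret
    code = totp(secret, 59)                            # RFC 6238 vector: time 59 -> "287082" (6 digits)
    cred_key = b"constructed-credential-key"           # constructed
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"         # constructed
    real_origin, rp_id = "https://example.com", "example.com"
    lookalike_origin = "https://example-login.test"    # constructed lookalike host
    good = client_assertion(cred_key, rp_id, real_origin, challenge)
    try:                                               # the browser blocks this outright
        client_assertion(cred_key, rp_id, lookalike_origin, challenge)
        scoped_to_real_rp = True
    except ValueError:
        scoped_to_real_rp = False
    # Even an assertion the lookalike host CAN obtain carries its own origin and rpIdHash,
    # so relaying it to the real relying party fails verification.
    relayed = client_assertion(cred_key, "example-login.test", lookalike_origin, challenge)
    return {
        "totp_code": code,
        "totp_accepted_wherever_typed": totp_verify(secret, code, 59),
        "webauthn_real_origin_accepted": verify_assertion(cred_key, rp_id, real_origin, challenge, good),
        "lookalike_can_use_real_credential": scoped_to_real_rp,
        "relayed_assertion_accepted": verify_assertion(cred_key, rp_id, real_origin, challenge, relayed),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The verifier for the TOTP flow only ever sees a six-digit string, which is why a real-time relay works against it; the WebAuthn verifier sees the origin the browser recorded and the rpIdHash the credential is scoped to, and both must match before the signature is even checked.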


People can still log into your account if your unique password leaks. It just prevents them logging into your other accounts.

Point is, TOTP isn't useless.


What's the second factor for 1Password?


They added 2fa with duo security + a few other methods.



