I’ve used Authy for several years to generate my time-based one-time passwords (TOTP) for two-factor authentication (2FA). For various reasons, I recently migrated to using Bitwarden instead.
Google Authenticator Issues
Many services recommend using Google Authenticator for 2FA. I originally used it before switching to Authy, but I switched for a reason that is still valid today: it doesn’t have any sort of backup or syncing functionality.
Check out the reviews to get a sense of how often people get burned by switching to a new phone for whatever reason and realizing they’ve lost all their codes or need to go through each service one by one and set up 2FA again.
Google Authenticator is also a neglected app. The Android app was last updated on September 27, 2017, and the iOS app was last updated on September 12, 2018. You could argue that these are relatively simple apps that don’t need frequent updates, but take a look at what other apps like andOTP and Aegis offer in terms of functionality that Google Authenticator doesn’t have, like being able to search for a service instead of having to scroll through the entire list to find it.
Authy Issues
While I have happily used Authy for several years, I also have some issues with it that caused me to look for a replacement.
No Browser Extension
Authy doesn’t have a browser extension for Firefox, my primary browser. This is a problem because an extension can offer some protection against phishing, one of the main security weaknesses of using TOTP for 2FA: a code typed into a look-alike site can be relayed to the real site within its validity window. If the extension fails to find an entry that matches the current domain, that can alert me to a possible phishing attempt.
The Chrome extension also hasn’t been updated in two and a half years and will no longer be supported going forward.
No Web Client
Authy doesn’t have a web client. While this could be considered a security feature, I’d rather have the option to access my codes through any browser in an emergency. It’s a security vs. usability tradeoff that I’m willing to make.
No CLI Client
Authy doesn’t have a CLI client. I have some ideas for personal browser automation projects that could be easier to implement with programmatic access to my TOTP codes.
Mac CPU Usage
I use the Mac desktop program, but when it has a code open, the program uses significantly more CPU. Here’s the CPU usage when it’s just displaying the list of services.
And here’s the CPU usage when it’s showing the TOTP code.
Since I don’t want the program to unnecessarily drain my laptop battery, I try to remember to press the back button after copying the code. There’s no option to automatically go back on copy or to just copy the code from the list view without even seeing the code.
Authentication and Recovery
When you create an Authy account, you have to provide a phone number rather than an email address or username. I didn’t like this to begin with since I want as few things tied to my phone number as possible, given how often phone numbers get hijacked.
Authy then encourages you to add the app to your other devices and then disable the multi-device feature. This means that your codes will keep working on your existing devices, but to add Authy to a new device, you need access to one of your old ones to temporarily re-enable multi-device and to grant access to the new device. If you don’t have access to an old device, you have to go through a 24 hour account recovery process.
However, I want to be able to regain access to my 2FA codes, even if I’ve lost access to all my devices. For example, I could be in a foreign country without my laptop and then lose my phone. I want to have a good contingency plan for this kind of situation.
Note that Authy doesn’t support an account level password. It does support a password for your encrypted backups, but you don’t enter that until after you log in.
Authy also doesn’t support TOTP codes or U2F security keys for protecting itself. Its sole authentication mechanism (beyond account recovery processes) is access to an old device.
Yubico Authenticator
I considered using my YubiKeys to generate TOTP codes using Yubico Authenticator, but a YubiKey can only store 32 TOTP secrets, and I already have 49 of them since I enable TOTP-based 2FA whenever possible.
Bitwarden
I currently use LastPass to manage my passwords, but I am going to switch to 1Password soon. I decided to use Bitwarden as well but solely for TOTP codes. 1Password can also handle TOTP codes, but I am willing to deal with the hassle of having two password managers to avoid using the same service for both passwords and 2FA.
By using a password manager for TOTP, I get broad cross-platform support with a web client, browser extensions, desktop programs, mobile apps, and even a CLI client. I also get standard authentication mechanisms, including 2FA support.
This does mean that I am treating my TOTP codes more like secondary passwords (something I know) rather than as something I have. Authy’s requirement to have access to an old device better fits the latter principle. This is a deliberate choice on my part.
Note that Bitwarden requires a premium account that costs $10 a year in order to generate TOTP codes. A premium account also adds U2F support, which I wanted as well.
Authentication Strategy
U2F support is the last component of my authentication strategy. Going forward, it will be like this: I’ll store passwords in 1Password and TOTP secrets in Bitwarden. I’ll use separate, high entropy master passwords that will only exist in my head.
1Password requires a secret key in conjunction with the master password in order to log in on a new device. Since I can’t memorize it, I plan to store my secret key as a static password on my YubiKeys. This means that if I touch the metal contact for a few seconds, it will type out the secret key for me. The key is sent as keystrokes into whatever has keyboard focus, so the right field has to be selected before touching the key.
For both services, I’ll add all my YubiKeys for 2FA. This means that all I need is one of my YubiKeys (one of which is on my keychain) and the master passwords in my head to regain full access to all of my accounts.
However, I can’t guarantee that I’ll be able to use my YubiKey on every device. For example, Bitwarden doesn’t support U2F in its mobile apps. I would also be paranoid about feeling like I need two YubiKeys when I travel in case I lose one.
My plan to deal with these issues is to also set up TOTP-based 2FA for both 1Password and Bitwarden. I’ll print those TOTP secrets, along with the 1Password secret key, on a small card and laminate it. I can make multiple copies to put in my wallet and my bag. Sometimes being overly prepared is fun in itself, even though it might be overkill.
Migration
To migrate to Bitwarden, I went through my Authy list one by one. In theory, I’d be able to just copy the TOTP secret to Bitwarden, but Authy doesn’t expose the secret.
For each account, I logged in and reset 2FA to add the secret to Bitwarden. Then I deleted the account from Authy. Authy marks it for deletion and then waits 48 hours before actually deleting it in case you made a mistake.
I did have trouble with adding some services, such as Algolia and npm, that only show the QR code and don’t have an option to display the TOTP secret. The QR codes encode URIs that look like this, as documented in the Google Authenticator wiki:
I tried using my phone camera’s built-in QR scanner, but I couldn’t see the full URI and opening it would open Authy, with no other option. I used Google Lens instead to grab the secret. In retrospect, I was only having trouble because I was adding the services to Bitwarden through the browser extension. I should have installed the mobile app from the beginning and used that because it has an option to scan QR codes.
I also had trouble with adding Twitch, which has a specific integration with Authy instead of providing a generic QR code. To get around the issue, I followed this guide. You can use the deprecated Authy Chrome app to retrieve the TOTP secrets and configurations. This method entails using Chrome’s developer tools to execute custom code to print the information.
This revealed that Twitch uses 7 digit codes instead of the standard 6 and 10second intervals instead of the standard 30.
At this point, I thought I hit a Bitwarden limitation because I mistakenly assumed that the extension would only take the TOTP secret in the authenticator key field.
However, I discovered that Bitwarden supports putting the full URI with configuration into that field. I tested it and was able to log in to Twitch using the code generated by Bitwarden.
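To show what an authenticator or password manager actually does with such a URI, here is an added Python example written for this page (it is not Bitwarden’s or Authy’s code). It parses an otpauth://totp/ URI, honours the digits, period and algorithm parameters that a non-standard service like the one above relies on, generates codes per RFC 4226/6238, and verifies a submitted code with a small clock-drift window. The URIs and issuer names are constructed; the secret is the RFC 4226/6238 test key so the results can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Parse an otpauth://totp/LABEL?secret=...&issuer=...&digits=...&period=... URI.

    Defaults follow the Google Authenticator key URI format: SHA1, 6 digits, 30 s.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported here")
    label = unquote(parsed.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    issuer = params.get("issuer")
    if issuer is None and ":" in label:
        issuer = label.split(":", 1)[0]  # legacy form: issuer is the label prefix
    return {
        "label": label,
        "issuer": issuer,
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def decode_secret(secret):
    """Base32-decode a secret, tolerating lowercase, spaces and missing '=' padding."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digestmod = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}[algorithm]
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_from_uri(uri, at=None):
    """RFC 6238: the HOTP counter is the number of whole periods since the UNIX epoch."""
    cfg = parse_otpauth(uri)
    counter = int(time.time() if at is None else at) // cfg["period"]
    return hotp(decode_secret(cfg["secret"]), counter, cfg["digits"], cfg["algorithm"])


def verify_totp(uri, code, at=None, window=1):
    """Server-side check: accept the current step or any step within +/- `window`.

    The window absorbs small clock drift between client and server; a clock that
    is off by more than window * period seconds makes every code fail.
    """
    cfg = parse_otpauth(uri)
    key = decode_secret(cfg["secret"])
    counter = int(time.time() if at is None else at) // cfg["period"]
    for step in range(max(0, counter - window), counter + window + 1):
        candidate = hotp(key, step, cfg["digits"], cfg["algorithm"])
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Constructed sample URIs (not from any real service). The secret is the RFC 4226/6238
# test key, ASCII "12345678901234567890", in base32, so results match the RFC tables.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STANDARD_URI = (
    "otpauth://totp/Example:alice%40example.com"
    f"?secret={RFC_TEST_SECRET_B32}&issuer=Example"
)
# Same shape as the non-standard service described above: 7 digits, 10-second steps.
NONSTANDARD_URI = (
    "otpauth://totp/Streaming:alice"
    f"?secret={RFC_TEST_SECRET_B32}&issuer=Streaming&digits=7&period=10"
)

if __name__ == "__main__":
    for uri in (STANDARD_URI, NONSTANDARD_URI):
        cfg = parse_otpauth(uri)
        print(cfg["issuer"], cfg["digits"], cfg["period"], totp_from_uri(uri, at=59))
```

At UNIX time 59 the standard URI yields 287082 (RFC 4226 counter 1) while the 7-digit, 10-second URI yields 8254676 (RFC 4226 counter 5 truncated to 7 digits), which is why a client that silently assumed 6 digits and 30 seconds could never log in to a service configured that way. `verify_totp` also shows the flip side of the clock-drift problem: with the default one-step window a code stays valid for one period either side, and anything beyond that is rejected.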
Conclusion
Migrating to Bitwarden took me about a full day, but I’m happy with the result. I’ve been using the Bitwarden browser extension to log in to accounts for the past week, and it is much nicer than using the Authy desktop program. Next up is migrating from LastPass to 1Password.
Two-factor authentication is an extra layer of protection for your 1Password account. When turned on, a second factor will be required to sign in to your account on a new device, in addition to your Master Password and Secret Key.
Learn more about authentication and encryption in the 1Password security model.
Get an authenticator app
Before you can use two-factor authentication with your 1Password account, you’ll need to install an authenticator app on your mobile device:
Although 1Password can be used to store one-time passwords for other services where you use two-factor authentication, it’s important to use a different authenticator app to store the authentication codes for your 1Password account. Storing them in 1Password would be like putting the key to a safe inside the safe itself.
Set up two-factor authentication
To turn on two-factor authentication:
- Sign in to your account on 1Password.com.
- Click your name in the top right and choose My Profile.
- Click More Actions > Manage Two-Factor Authentication.
- Click Set Up App. You’ll see a square barcode (QR code).
To save a backup of your two-factor authentication code, write down the 16-character secret next to the QR code and store it somewhere safe, like with your passport and Emergency Kit.
- On your mobile device, open your authenticator app and use it to scan the QR code. After you scan the QR code, you’ll see a six-digit authentication code.
- On 1Password.com, click Next. Enter the six-digit authentication code, then click Confirm.
Your 1Password account is now protected by two-factor authentication. To continue using your account on other devices or to sign in to it on a new device, you’ll need to enter a six-digit authentication code from your authenticator app.
Tip
After you set up two-factor authentication, if you have a U2F security key, like YubiKey or Titan, you can use it as a second factor with your 1Password account.
View and manage authorized devices
To view your authorized devices, sign in to your account on 1Password.com. Then click your name in the top right and choose My Profile.
To manage an authorized device, click the icon next to it. You’ll find these options:
- Deauthorize Device: Your account will be removed from the device.
- Require 2FA on Next Sign-in: Your account will remain on the device, but changes you make on other devices won’t appear until you reauthorize using a second factor.
Manage two-factor authentication for your team
With 1Password Business, you can manage two-factor authentication for your team if:
- you’re a team administrator or owner
- you belong to a group that has the “Manage Settings” permission
To manage two-factor authentication for your team, click Security in the sidebar and choose “Two-Factor Authentication”. Then you can:
- Allow security keys in addition to an authenticator app.
- Enforce two-factor authentication for everyone on your team.*
- Use Duo, a third-party option that’s automatically enforced.
- Turn off two-factor authentication completely.
* To enforce two-factor authentication, your Master Password policy must be set to Strong. Your team will need to set up two-factor authentication when they sign up, sign in, or unlock 1Password. Create a team report to see who uses two-factor authentication.
Get help
Two-factor authentication requires a 1Password membership and 1Password 7 or later (or 1Password 6.8 for Mac).
If you lose access to your authenticator app
If you lose access to your authenticator app, you won’t be able to sign in to 1Password on new devices until you turn off two-factor authentication.
To turn off two-factor authentication, sign in to your account on 1Password.com in an authorized browser or unlock 1Password on an authorized device:
1Password.com
- Click your name in the top right and choose My Profile.
- Click More Actions > Manage Two-Factor Authentication.
- Click Turn Off Two-Factor Authentication, then enter your Master Password.
Mac
Choose 1Password > Preferences > Accounts. Click your account, then click Turn Off Two-Factor Authentication.
iOS and Android
Tap Settings > 1Password Accounts. Tap your account, then tap Turn Off Two-Factor Authentication.
Windows
Choose Accounts and select your account, then click “Turn off two-factor authentication”.
If you don’t have access to an authorized browser or device, ask someone to recover your account.
If your team uses Duo
If your team uses Duo, you won’t see the option to turn on two-factor authentication because Duo is already providing multi-factor authentication for everyone on your team.
If 1Password isn’t accepting your authentication codes
Make sure the date and time are set correctly on Mac, iOS, Windows, and Android. Authentication codes are computed from the current time, so a clock that is off by more than the small tolerance window the server allows produces codes that are rejected even though the secret is correct.