TL;DR
While 1Password doesn’t *directly* support Time-based One-Time Password (TOTP) apps like Google Authenticator or Authy, it’s still very secure. It uses a different system – its own app and browser extension – which is generally considered more robust against common attacks. However, there are things you can do to improve your security further.
Understanding 1Password’s Approach
1Password doesn’t use standard TOTP for a few reasons. Their system stores the ‘secret’ needed for generating codes on their servers (encrypted, of course). This allows features like recovery and syncing across devices without needing to manually back up TOTP secrets yourself.
Improving Your 1Password Security
- Strong Master Password: This is the most important thing. Make it long, complex, and unique. Don’t reuse it anywhere else.
  - Aim for at least 16 characters.
  - Use a mix of upper and lowercase letters, numbers, and symbols.
  - Consider using a passphrase – a sentence that’s easy to remember but hard to guess.
- Travel Mode: Enable Travel Mode when travelling. This removes sensitive data from your devices, reducing the risk if they’re lost or stolen.
  You can enable this within the 1Password app settings.
- Watchtower: Use 1Password’s Watchtower feature to monitor for compromised passwords and weak security practices. It will alert you to breaches and suggest improvements.
- Emergency Kit: Create an Emergency Kit. This is a recovery code that allows access if you lose your master password or all devices. Store this securely offline – printed out in a safe deposit box, for example.
  You can find the option to create an emergency kit within 1Password’s settings under ‘Security’.
- Device Security: Ensure your devices (phones, computers) are secured with strong passwords/PINs and up-to-date software.
  - Enable full disk encryption.
  - Use a screen lock timeout.
- Consider a Hardware Security Key: For the highest level of security, use a hardware security key (like YubiKey) with 1Password.
  This adds an extra layer of authentication that’s resistant to phishing attacks.
Why Not TOTP?
While TOTP is good, it has drawbacks:
- Secret Management: You’re responsible for backing up the secret. Lose it, and you lose access to your accounts.
- Device Dependency: If your phone is lost or broken, recovery can be difficult.
- Phishing Risk: Phishing attacks can trick you into entering TOTP codes, granting attackers access.
1Password’s system handles these issues for you.
Checking Account Security
- Review Log Activity: Regularly check the activity log in 1Password to see where and when your account has been accessed.
  Look for any unusual or unexpected logins.
- Password Strength: Use Watchtower (mentioned above) to identify weak passwords that need updating.
Advanced Users – TOTP via Browser Extension Workarounds
It’s possible to use a browser extension like Bitwarden or LastPass alongside 1Password, and *then* enable TOTP within those extensions for some sites. This isn’t ideal (managing multiple password managers) but is an option if you specifically want TOTP.
Final Thoughts
Not supporting standard TOTP doesn’t make 1Password insecure. It uses a well-designed system with built-in recovery features and strong security practices. Focus on using a strong master password, enabling Travel Mode and Watchtower, creating an Emergency Kit, and securing your devices for the best protection.

