An update to 1Password brings time-based one-time passwords (TOTP for short) to its iOS app. A one-time password is typically used as a second element in two-factor authentication (2FA), a subject I’ve written about many times in this column. But, as noted in a sensible and honest post by AgileBits, 1Password’s developer, a second factor isn’t always a second factor.
A TOTP requires a seed code that, when transformed through an algorithm that includes the precise current time, produces a number that’s converted into a short code, typically six digits long. In order to use a TOTP at a site that offers it, you walk through its enrollment process, which involves scanning a two-dimensional QR Code and generating one-time backup or recovery keys. The QR Code graphically represents the seed that both you and the site retain. (Some sites offer the seed as a code you can tap in as well.)
Google was the first mainstream site to add TOTP via an app, and still offers it today. When you log in from a new computer or browser, or in other circumstances Google’s security algorithms require, you’re prompted to enter this factor. Via Google Authenticator, an ecosystem of apps and synchronization like Authy, or this new option in 1Password, you pull up the current time-bound sequence of numbers and enter them. The site validates that the number you entered matches its derivation, and grants you access.
TOTP predates Google’s usage, of course, and was typically previously found largely in security cards and dongles used by corporations and financial sites. I have a keychain-style doohickey from PayPal and one from E*Trade that carry out the same function, but they’re dedicated bits of plastic and silicon with a tiny LCD screen and contain their seeds locked in hardware. I have to have them physically in my possession to validate a login.
Not every step is a factor
Now the rubric with multi-factor authentication is that factors may be “something you know,” “something you have,” and “something you are,” which corresponds respectively and typically to a password, a physical device receiving or generating something, and biometrics (like fingerprints and retina scans). Any multifactor system picks at least two of these, and sometimes all three.
Here’s the thing. I and many other people who write about security, along with many (not all) folks who work in the security industry use the terms “two-step” and “two-factor” interchangeably, which is confusing. Technically, all two-factor authentication requires two steps. But not all two-step verification employs two factors! This 1Password update emphasizes that difference.
In most cases, the split in risk happens between remote attacks, in which someone cracks a site or your account without being in proximity to you, and physical access attacks, in which someone can obtain your device. With 1Password, you can be remotely exploited in the right (or, rather, wrong) rare circumstance as well.
With true two factor, the two elements are physically separate. The password is, say, in my head, and the SMS message comes via my phone, or I receive a Find My iPhone notification from Apple to validate my Apple ID login. Or I store the password in 1Password, but use Authy with Touch ID to unlock the one-time password. AgileBits argues that having both factors on the same device eliminates the benefit. I’d argue using biometrics for one—with a unique and strong password not stored in 1Password if the recognition fails—and a password for the other separates it enough.
When you merge factors into one place, you lose the benefit of resistance to physical exploitation, but retain the remote one. And even with physical access, they need your password (or fingerprint).
Dear reader, the sophistication that drives you to read this excellent publication may have you tut-tut my previous paragraph. Surely, everyone should enable a second factor and should do it correctly, for the best protection! But because so many people pick weak passwords and because not all sites are exploit-free in how they throttle attempts to crack passwords or prevent their password data from being obtained, a one-time password as a second step is far better than nothing at all, even if using it as a second factor would be superior.
AgileBits’ inclusion of TOTP tokens means that someone who otherwise might have skipped enabling two-step verification because of the fuss or management issues now does so, and achieves a substantial bump up in their account’s integrity against compromise.
There is one path for exploiting 1Password’s new feature remotely, although I feel it’s quite unlikely. If you use 1Password’s sync features with Dropbox (all versions) or iCloud (iOS/OS X only, and the Mac App Store version of 1Password is required for OS X), someone could conceivably obtain a copy of your vault—the encrypted package of all your password data. If that person had your cloud credentials, your vault, and your password, they would be able to then obtain your two-step password and TOTP.
That’s a lot of conditions to be met, and I already suggest enabling two-factor authentication for both Apple IDs (and thus iCloud access) and Dropbox to reduce the potential, as both Dropbox and Apple ID provide true second-factor methods.
As with all issues involving weighing risk, you should consider whether the ease outweighs potential exploitation. For you, perhaps true second-factor use is mandatory, and I feel that way for most, but not all accounts. For people you advise informally—family, friends, coworkers—1Password as a single-source solution that deters remote access could be a huge step up.