In “LastPass Publishes More Details about Its Data Breaches” (3 March 2023), I talked about how I decided to move my two-factor authentication (2FA) codes from Authy to 1Password and how the process was fussy and time-consuming. However, it was worth the bother of migrating: having 1Password auto-fill time-based one-time password (TOTP) codes is much easier than opening Authy, finding the entry, copying the generated code, and pasting it into the browser.
I dislike putting all my security eggs in one basket, and having 1Password contain both kinds of secrets—account passwords and TOTP codes—has given me some pause. I’m pretty confident in my 1Password setup and in 1Password’s integrity and security, but the fact remains that if someone were to gain control of my 1Password account, two-factor authentication wouldn’t restrict access to my most important accounts. Does having 1Password generate TOTP codes even qualify as two-factor authentication? Thanks to a recent blog post by 1Password’s Megan Barker, I now know it does not meet the definition.
In a slight departure from Barker’s post (her “verification” is another example of authentication), there are two aspects to creating and logging into an account:
- Identity: The first question is, “Who are you?” and the answer is an identifier. It’s generally an email address, often coupled with a username. In the real world, an identifier might be a driver’s license or passport. You can have multiple identities, even within the same system.
- Authentication: How do you prove that you are who you say you are? That’s the job of authentication, the process of confirming your identity by entering a secret shared with the service. Exactly what that entails can vary. When setting up an account, authentication often involves clicking a link in an email sent to the address you provided. After initial setup, the shared secret is most commonly a password, but it could also be a magic link, which apps like Slack offer. Risk-based authentication might ask for more information, such as how Apple devices sometimes ask for passcodes or passwords from other devices in your trusted set. For high-value accounts, authentication might involve showing a government-issued ID, and on occasion, I’ve even had to do online video identity checks.
Passwords can be guessed or stolen, so many sites allow multifactor authentication for additional security. There are three common types of online authentication factors:
- Something you know, like a password or a PIN
- Something you have, like an iPhone, Apple Watch, or hardware security key
- Something you are, generally biometric recognition of your face or fingerprint
For multifactor authentication, you need at least two of these. (While providing three authentication factors may seem like overkill, it offers higher security and is required in some specialized fields and parts of government.) Here’s the catch: Each factor must be separate and distinct to be valid. Implemented correctly—which Apple has—biometrics are always separate and distinct.
Without requiring biometrics, it’s not so simple. Using 1Password to auto-fill your username and password provides one authentication factor, but if you also have 1Password on the same device auto-fill the TOTP code, it’s not separate and distinct, and thus the TOTP code doesn’t represent a true second factor. Instead, it’s something called two-step verification (2SV). If you remember this term, it’s because Apple responded to the 2014 scandal that revealed personal iCloud photos by deploying an early two-step verification system even though iCloud wasn’t hacked (the breaches were likely identity-based password guessing).
Two-step verification is a significant improvement over plain password-based authentication because it presents an additional hurdle to anyone attempting to log in to your accounts. But as long as that TOTP code is delivered on the same device and in the same pathway—you unlock 1Password for passwords and TOTPs using the same method—it’s not two-factor authentication. That’s the case if the TOTP code comes from 1Password, Authy, or some other authentication app running on the same device you unlock using a password, Touch ID, or Face ID. However, logging in on your Mac and looking up the TOTP code in Authy on your iPhone would be true two-factor authentication.
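To make concrete why a TOTP code is a "shared secret" in the same sense as a password (and why a vault that holds both the password and the TOTP seed holds everything needed to log in), here is a small RFC 4226/6238 implementation. It is an added example, not code from the article or from 1Password, and it uses only the published RFC reference seed, not a real account secret; the `drift_steps` window and the `seed_from_base32` helper are this example's own choices, not anything the article specifies.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 4226 / RFC 6238 reference seed (ASCII "12345678901234567890").
# Constructed test material only; a real authenticator seed is a random secret.
REFERENCE_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC the big-endian 8-byte counter, dynamically
    truncate to 31 bits, keep the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """TOTP (RFC 6238) is HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch. Anyone holding `secret` and a clock can
    produce the code, which is why the seed is the secret, not the 6 digits."""
    return hotp(secret, unix_time // step, digits, algorithm)


def seed_from_base32(encoded: str) -> bytes:
    """Authenticator apps store the seed base32-encoded (as in otpauth:// URIs),
    often lowercase, space-grouped, and without '=' padding. Normalise first."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30,
                digits: int = 6, drift_steps: int = 1) -> bool:
    """Server-side check. Accept the current interval plus `drift_steps` on
    either side to tolerate clock skew, and compare in constant time so the
    comparison itself does not leak how many digits matched."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    current = unix_time // step
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


def code_still_valid_later(secret: bytes, issued_at: int, checked_at: int) -> bool:
    """Illustrates the 'additional hurdle' of TOTP over a static password:
    a code captured at `issued_at` only passes verification while `checked_at`
    is still inside the acceptance window."""
    return verify_totp(secret, totp(secret, issued_at), checked_at)


if __name__ == "__main__":
    # The same seed in a password vault and in an authenticator app yields the
    # same codes; the second "factor" adds nothing if the vault is compromised.
    vault_copy = seed_from_base32("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    assert vault_copy == REFERENCE_SEED
    now = 1111111109
    print("code now:", totp(REFERENCE_SEED, now))
    print("valid 20 s later:", code_still_valid_later(REFERENCE_SEED, now, now + 20))
    print("valid 5 min later:", code_still_valid_later(REFERENCE_SEED, now, now + 300))
```

Run as a script it prints the 6-digit code for the RFC test time and shows that the same code is rejected once the acceptance window has passed. The defender's takeaway matches the article: the code rotates, which is a real hurdle against a replayed password, but the seed that generates it is a static secret, and wherever that seed lives is where the "second factor" really lives.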
Given how many platforms it runs on, it would seem that 1Password could implement true two-factor authentication. I’m sure there are subtleties involved, but at a base level, all requests for a TOTP code could generate a push notification on another of the user’s devices that would have to be acknowledged before the login would proceed. Attempt to log in on a Mac, and you’d get a push notification requesting confirmation on your iPhone and Apple Watch. Log in from an iPhone, and you’d get the notification on your Mac and Apple Watch.
I’m uncertain if Apple’s approach to two-factor authentication for logins to Apple websites counts or if it’s really a form of two-step verification. For instance, when you log in to iCloud.com, Apple first presents a dialog asking if you want to allow the login to proceed. If you agree to that, it gives you the TOTP code. As you can see in the screenshot below, that’s all happening on the same device, so it wouldn’t seem to be true two-factor authentication. (More problematic is how Apple lets you fall back on an SMS text message to a trusted phone number; SMS can be compromised without physical access.)
Apple’s answer is that I’ve designated my Mac as a trusted device and logged in. Because I have the device and can unlock it, it’s safe to provide the TOTP code. (Of course, the two-factor authentication prompts triggered by adding a trusted device to your set—as opposed to logging in to an Apple website—appear only on other devices.)
I’m not sure I buy Apple’s answer—if someone were to steal my Mac and guess my login password, they could accept two-factor authentication prompts just as in the iPhone passcode theft scenario we wrote about earlier this year (see “How a Thief with Your iPhone Passcode Can Ruin Your Digital Life,” 26 February 2023, and “How a Passcode Thief Can Lock You Out of Your iCloud Account, Possibly Permanently,” 20 April 2023). Maybe it’s more like 1.5-factor authentication: not as weak as a password but not as strong as a TOTP code generated on a separate device.
Regardless of the technicalities, two-step verification increases security significantly. 1Password users should enable it whenever possible, allowing it to auto-fill for ease of use. If you need an even higher level of security, Apple now supports hardware security keys for true two-factor authentication; see “Apple Releases iOS 16.3, iPadOS 16.3, and macOS 13.2 Ventura with Hardware Security Key Support” (23 January 2023). For the vast majority of users, though, such hardware keys are overkill.