
Two-Factor Authentication, Two-Step Verification, and 1Password

In “LastPass Publishes More Details about Its Data Breaches” (3 March 2023), I talked about how I decided to move my two-factor authentication (2FA) codes from Authy to 1Password and how the process was fussy and time-consuming. However, it was worth the bother of migrating: having 1Password auto-fill time-based one-time password (TOTP) codes is much easier than opening Authy, finding the entry, copying the generated code, and pasting it into the browser.

I dislike putting all my security eggs in one basket, and having 1Password contain both kinds of secrets—account passwords and TOTP codes—has given me some pause. I’m pretty confident in my 1Password setup and in 1Password’s integrity and security, but the fact remains that if someone were to gain control of my 1Password account, two-factor authentication wouldn’t restrict access to my most important accounts. Does having 1Password generate TOTP codes even qualify as two-factor authentication? Thanks to a recent blog post by 1Password’s Megan Barker, I now know it does not meet the definition.

In a slight departure from Barker’s post (her “verification” is another example of authentication), there are two aspects to creating and logging into an account:

  1. Identity: The first question is, “Who are you?” and the answer is an identifier. It’s generally an email address, often coupled with a username. In the real world, an identifier might be a driver’s license or passport. You can have multiple identities, even within the same system.
  2. Authentication: How do you prove that you are who you say you are? That’s the job of authentication, the process of confirming your identity by entering a secret shared with the service. Exactly what that entails can vary. When setting up an account, authentication often involves clicking a link in an email sent to the address you provided. After initial setup, the shared secret is most commonly a password, but it could also be a magic link, which apps like Slack offer. Risk-based authentication might ask for more information, such as how Apple devices sometimes ask for passcodes or passwords from other devices in your trusted set. For high-value accounts, authentication might involve showing a government-issued ID, and on occasion, I’ve even had to do online video identity checks.

Passwords can be guessed or stolen, so many sites allow multifactor authentication for additional security. There are three common types of online authentication factors:

  • Something you know, like a password or a PIN
  • Something you have, like an iPhone, Apple Watch, or hardware security key
  • Something you are, generally biometric recognition of your face or fingerprint

For multifactor authentication, you need at least two of these. (While providing three authentication factors may seem like overkill, it offers higher security and is required in some specialized fields and parts of government.) Here’s the catch: Each factor must be separate and distinct to be valid. Implemented correctly—which Apple has—biometrics are always separate and distinct.

Without requiring biometrics, it’s not so simple. Using 1Password to auto-fill your username and password provides one authentication factor, but if you also have 1Password on the same device auto-fill the TOTP code, it’s not separate and distinct, and thus the TOTP code doesn’t represent a true second factor. Instead, it’s something called two-step verification (2SV). If you remember this term, it’s because Apple responded to the 2014 scandal that revealed personal iCloud photos by deploying an early two-step verification system even though iCloud wasn’t hacked (the breaches were likely identity-based password guessing).

Two-step verification is a significant improvement over plain password-based authentication because it presents an additional hurdle to anyone attempting to log in to your accounts. But as long as that TOTP code is delivered on the same device and in the same pathway—you unlock 1Password for passwords and TOTPs using the same method—it’s not two-factor authentication. That’s the case if the TOTP code comes from 1Password, Authy, or some other authentication app running on the same device you unlock using a password, Touch ID, or Face ID. However, logging in on your Mac and looking up the TOTP code in Authy on your iPhone would be true two-factor authentication.
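To make concrete what a TOTP code actually depends on, here is an added example (my code, not 1Password's or Authy's) that implements RFC 6238 TOTP in Python, a server-side verifier, and a constructed vault record; the record's contents alone, with no second device consulted, yield both the password and a valid code, which is the point made above.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HMAC over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", for_time // step)       # 8-byte big-endian step count
    mac = hmac.new(secret, counter, digest).digest()
    offset = mac[-1] & 0x0F                              # low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_from_base32(b32_seed: str, for_time: int, **kw) -> str:
    """Authenticator apps exchange the seed as base32 (the otpauth:// URI)."""
    padded = b32_seed.upper() + "=" * (-len(b32_seed) % 8)
    return totp(base64.b32decode(padded), for_time, **kw)

def verify_code(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check: current step plus/minus `window` steps of clock skew."""
    ok = False
    for d in range(-window, window + 1):                 # no early exit, constant-time compare
        ok |= hmac.compare_digest(totp(secret, now + d * step, step), code)
    return ok

# Constructed vault record (not real credentials, not 1Password's export format).
# The seed sits beside the password, so whoever reads this record holds both "steps".
VAULT_ENTRY = {
    "username": "alice@example.com",
    "password": "correct-horse-battery-staple",
    "totp_seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",   # base32 of the RFC 6238 test key
}

def login_from_vault(entry: dict, now: Optional[int] = None) -> dict:
    """Everything the login form asks for, derived from the vault alone on any device.
    Nothing here is bound to a second device, hence 'two-step verification'."""
    now = int(time.time()) if now is None else now
    return {"username": entry["username"], "password": entry["password"],
            "otp": totp_from_base32(entry["totp_seed"], now)}

if __name__ == "__main__":
    print(login_from_vault(VAULT_ENTRY))
```

A second device only becomes a factor when the seed lives exclusively there; once it is in the same vault as the password, compromising the vault compromises both.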

Given how many platforms it runs on, it would seem that 1Password could implement true two-factor authentication. I’m sure there are subtleties involved, but at a base level, all requests for a TOTP code could generate a push notification on another of the user’s devices that would have to be acknowledged before the login would proceed. Attempt to log in on a Mac, and you’d get a push notification requesting confirmation on your iPhone and Apple Watch. Log in from an iPhone, and you’d get the notification on your Mac and Apple Watch.

I’m uncertain if Apple’s approach to two-factor authentication for logins to Apple websites counts or if it’s really a form of two-step verification. For instance, when you log in to iCloud.com, Apple first presents a dialog asking if you want to allow the login to proceed. If you agree to that, it gives you the TOTP code. As you can see in the screenshot below, that’s all happening on the same device, so it wouldn’t seem to be true two-factor authentication. (More problematic is how Apple lets you fall back on an SMS text message to a trusted phone number; SMS can be compromised without physical access.)

[Screenshot: Apple two-factor authentication for iCloud.com]

Apple’s answer is that I’ve designated my Mac as a trusted device and logged in. Because I have the device and can unlock it, it’s safe to provide the TOTP code. (Of course, the two-factor authentication prompts triggered by adding a trusted device to your set—as opposed to logging in to an Apple website—appear only on other devices.)

I’m not sure I buy Apple’s answer—if someone were to steal my Mac and guess my login password, they could accept two-factor authentication prompts just as in the iPhone passcode theft scenario we wrote about earlier this year (see “How a Thief with Your iPhone Passcode Can Ruin Your Digital Life,” 26 February 2023, and “How a Passcode Thief Can Lock You Out of Your iCloud Account, Possibly Permanently,” 20 April 2023). Maybe it’s more like 1.5-factor authentication: not as weak as a password but not as strong as a TOTP code generated on a separate device.

Regardless of the technicalities, two-step verification increases security significantly. 1Password users should enable it whenever possible, allowing it to auto-fill for ease of use. If you need an even higher level of security, Apple now supports hardware security keys for true two-factor authentication; see “Apple Releases iOS 16.3, iPadOS 16.3, and macOS 13.2 Ventura with Hardware Security Key Support” (23 January 2023). For the vast majority of users, though, such hardware keys are overkill.


Comments About Two-Factor Authentication, Two-Step Verification, and 1Password

Notable Replies

  1. I pointed out to Apple Support the 2-factor verification issue on the same device with Macs years ago. It was like speaking to a brick wall and expecting a meaningful response. It left me with the feeling that they were politely telling me to go and kiss the dark spot in the crack of their behind.

    Interestingly enough, speaking of hardware verification, in order to get Touch ID verification on a Mac Pro desktop you have to purchase a new separate keyboard. For the numeric keyboard that will cost you an additional $200. However, unless you also have an ARM machine it will not work. This means for owners of a Mac Pro 7.1 2019+ enterprise computer with a base price of $5000.00 Touch ID verification is not available, at least from Apple. Neither is facial recognition. Go figure!

  2. My workaround is simple, although it’s bypassing all kinds of conveniences that 1PW has made available. I don’t allow it to install 1PW’s browser plug-ins, nor do I allow it to auto-fill fields for any online logins. I use it to store certain un’s and pw’s - I open the app, look them up, and manually retrieve them by copy/paste only. The one system I have decided to trust is Apple’s keychain system. If that gets penetrated and compromised, all is lost.

    Wondering if anyone has tried or just has an opinion on the idea of activating a defunct iPhone (not the one I use daily) with a pay-as-you-go SIM card, and employing that for certain high-sensitivity 2FAs.

  3. Just make sure you never enter your iPhone passcode in public, since that (coupled with resetting the Apple ID password) is the known way to break Apple’s keychain system.

  4. I never enter my iPhone passcode in public - because you (and the WSJ) told us not to! Thanks.

  5. I thought Apple was adding some extra steps to help fix this in iOS 17? (…or maybe I just thought they were, lol.)

    Alternatively, AFAIR I thought I read about another solution – something to do with using device accessibility settings to help stop a thief ‘using device code to take-over Apple ID’ issue. Of course I can’t find it again now, so…? :roll_eyes:

    EDIT: Silly me – it’s literally in your above How a Thief… article, the text from “The closest we have to an additional password step is a Screen Time passcode.” Doh.

  6. I just want to reiterate that this is not a solution. A thief who knows the passcode can still reset the Apple ID passphrase even with Screen Time restrictions. So setting a Screen Time passcode and restricting account changes ends up just making the phone more difficult to use for yourself.

    As for what is coming in iOS 17 - at WWDC, Craig Federighi, when asked about this vulnerability during John Gruber’s live podcast, said (without any detail about timing or specific changes) that Apple was looking into ways to make the phone more secure from this.

  7. I see your point, @ace, but having to keep the multiple factors separate poses its own issues.

    I ran into an issue recently while travelling in Europe. I needed to check our credit card balance during our trip. The bank site required me to enter a code sent by SMS to log in. Alas, I had switched SIM cards while travelling and couldn’t receive any texts at my regular number, so I was stuck. Some sites offer an alternative, but many don’t. As for 1Password, I like that it clears the clipboard of any copied logins after 90 seconds and that you can put it in “travel” mode, making only certain logins accessible.

  8. That is one good thing about being a Verizon customer - they have an app called Message+ that will collect and send any SMS messages to the app over a data connection, even if you are not connected to the network. It is not the most beautiful app, but it’s great for that one purpose.

  9. Is this not true then? (setting a separate 4-digit code for Screen Time to stop changes to the Apple ID.)

  10. Is this not true then? (setting a separate 4-digit code for Screen Time to stop changes to the Apple ID.)

    Correct. A Screen Time passcode does not prevent a thief from changing the Apple ID. I think Adam recognised that this was the case in the other long thread.

    It is easy enough to test for yourself. You can back out before actually changing your Apple ID password.

  11. Yes, that’s correct. In the second article on that topic, I wrote:

    More problematically, I believe it’s possible to reset the Apple ID password during the process of disabling the Screen Time passcode, thus bypassing Screen Time’s restriction on account changes. Apple reportedly addressed some of this vulnerability in iOS 16.4.1, but I was still able to change my Apple ID password knowing nothing beyond the passcode. My testing wasn’t as complete as I would have liked because I risked locking my Apple ID account for days, but Apple definitely has more work to do here.

  12. Unless something changed with 16.5.1 - I don’t think it has - there is still a way to change the Apple ID password even with that setting turned on if you know the Apple ID (when you turn on restrictions, it prevents showing the Apple ID, but it’s available in other places on the phone, including the email app) and the device passphrase. Joanna Stern at the WSJ keeps recommending it, even knowing that it doesn’t protect you, because she argues it adds another minute or two to the theft of your account, which may be just enough to borrow a phone and use Find My to lock the device.

    [edit - I checked on 16.5.1(c) - the vulnerability remains.]

  13. Ah OK, not worth bothering with then. Thanks all.
    Looks like an issue to check for any improvements in the shipping version of iOS 17 in the Fall.

    “…looking into ways to make the phone more secure from this.” – sounds pretty noncommittal to me.
    Reading between the lines, it’s more like a ‘we don’t know yet if we think this is a problem worth fixing, or whether the status quo is good enough and so won’t be fixing’.

  14. “…just enough to borrow a phone and use Find My to lock the device.”

    “Lock” is not a choice in Find My. It’s either “Mark as Lost” or “Erase.” And all anyone needs is the passcode to mark as found, so I think the only viable choice is Erase.

    The next step would be to change your Apple ID password.

    If you don’t erase your phone and it’s registered as a trusted device, the crooks can deny your attempt to log in to your Apple account, and you won’t be able to change the ID password.

    So if you get the chance, Erase.

  15. What Apple has said off the record to journalists is that they have far more people who forget their Apple ID passphrase than have been victimized by this ability to change the password knowing only the device passcode, so they have left it this way for this reason. Perhaps it would be as simple as having a non-default option to force entering the old password when changing it, or allow an older recovery key or trusted number to regain control of the Apple ID within a short amount of time (2 weeks, or 30 days, say).
