Readd 1Password #2048

Merged
merged 3 commits into from Sep 23, 2016


7 participants

@Carlgo11
Member
Carlgo11 commented Sep 20, 2016 edited

Rework exceptions.link YAML tag

The old way the exceptions.link tag worked was by redirecting to the restrictions page; however, since that page no longer exists as per #1637, I thought I could change what the tag links to.
This PR changes it to work as a documentation link for non-2FA-compliant sites.
For an example see bc56ae9.

Add 1Password again

In #422 and #585 the 1Password authors asked us to remove them from our list as their views were that, since the 1Password client only used a decryption password, 2FA wasn't needed for 1Password.
The @2factorauth members have discussed this a lot and come to the conclusion that we disagree with their stand on 2FA. Especially since they now have a second authentication step (Don't really understand this but @RichJeanes apparently does so I'll let him explain this more in depth.)

I've also discussed this with some other colleagues in the 2FA industry, including an employee of AgileBits, who have agreed with me that they should be using 2FA.
I therefore made this proposal to add 1Password again.

@RichJeanes
Member
RichJeanes commented Sep 20, 2016 edited

EDIT:
Doing some closer reading, they say you need your Account Key the first time you sign on with a new browser, which makes the statement that you can see it if you sign in confusing at face value. It seems with "viewable by signing in to your account on 1Password.com", they should have appended "on a previously authorized device". This leaves the Account Key as just a split key, just without the usual hassle of creating, storing, and transporting one. While I appreciate the step forward in making stronger security more user-friendly, there is still an online portion of the account, even if used for nothing but billing the annual subscription fee, that seems to be left unprotected. While it seems overkill to have 2FA for something that you only need to use once per year, it is something to consider with 1Password's shift from Software to Service.

Now that it has been around for a while and I have spent more time with the documentation, outside of the one point I make above, I actually have to conclude that the situation with 1Password has not changed and that the core of their functionality is still reliant on local decryption, not remote authentication, therefore 2FA still does not seem to apply.

@jpgoldberg, perhaps your input could be useful here if I am still mistaken.
/EDIT

1Password uses what they are calling an "Account Key", claiming it is "Better than two-factor™" (trademark theirs). It is a 128-bit string that is used for encryption (basically as key splitting in conjunction with your password). I'm of mixed feelings about it, but I have to agree with them that it is, by definition, not Two Factor authentication.

In the most basic terms, the Account Key is a secondary password. It is static, therefore once compromised, must be changed manually (if possible? Requires more research). They claim "your Account Key is never sent over the Internet" but contradict themselves with "it's... viewable by signing in to your account on 1Password.com". So while it is never transmitted as a form of authentication, only actively used locally for decryption, I find the claim that it is "never sent over the internet" and "unlike 2FA, it cannot be reset, intercepted, or evaded" to be very misleading (at best). (EDIT: With all authentication methods that require something generated by the other party, it has to be transmitted over the internet at some point to get to you, e.g. the seed for a TOTP token, so to say the Account Key is "never" sent is still misleading. The "cannot be reset, intercepted, or evaded" does hold true since it is used as a split key for local encryption.)

While they now provide a hosted password service, I imagine that it is simply file storage for your encrypted password vault that is then downloaded and decrypted by a local client (even when using the web client). With this in mind, I'm sure we will get the same discussion as last time where someone will claim that this means 2FA doesn't apply since authentication is not taking place.

I STRONGLY disagree with that. By stating that your account key is "viewable by signing in to your account on 1Password.com", they are saying that you can view the account key with just your password. So while your password vault may be protected by key splitting (Master Key + Account Key), your Account Key is available to anyone with your Master Password, completely negating its benefit. This could be mitigated by providing 2FA for online authentication for account management while still providing the Account Key for the key splitting and local decryption of your vault (without authentication, as argued by the developers).

What I have to conclude from this is only that your 1Password vault is now more vulnerable than before. Before 1Password was a hosted service, you did not have to authenticate with your Master Password to a website, therefore your password (and its hash) never existed anywhere you didn't put it. Now the same password you use to encrypt your vault is living as a hash on 1Password's servers and has to be used for online authentication. In addition, your vault is now being transmitted in the same channel as your password authentication, whereas before moving your vault was your responsibility and your password was never sent to a remote server. I feel this shift from Software to Service is a big step backwards for the security (not to mention flexibility) that 1Password has always lauded as (EDIT: one of) their biggest selling point(s).

All quotes were taken from https://support.1password.com/understanding-account-key/

@mxxcon
Member
mxxcon commented Sep 20, 2016

@RichJeanes Once again I disagree with you on 1pass :) and even more so with the current state.
I'm using "1pass for teams" at work and their online component is more than just for billing. You perform all account management tasks online, you add/remove users online, you give users access to vaults online, you can access the actual vaults online too.

It is possible to regenerate the Account Key. It is also fully visible in plain text from your own account. It's possible that it's not transmitted over the wire but retrieved from local storage/cookies.

And funny enough, they now have this:
[screenshot: screen shot 2016-09-20 at 4 40 24 pm]

@stephengroat
Member

Correct me if I'm wrong, but whether the Account Key is a split key that is or isn't transmitted in whole, isn't it still just knowledge (something known), not possession (something they have) or inherence (something they are)? Does the definition of 2FA for the site require more than one category?

@Carlgo11
Member
Carlgo11 commented Sep 20, 2016 edited

@stephengroat you are right. It's still knowledge.

@RichJeanes
Member

@mxxcon I was not looking at 1Password for Teams. If it applies there, then I would argue that 1PfT should be listed separately.
It does not appear (from the documentation that I have seen) that a personal 1Password account can have the Account Key reset without losing your vault since it is part of the encryption key. If it is different for 1PfT, then I believe that is more reason that it should be listed separately.
Also, if you have to provide your Account Key to log in and the device stores the Key for later use, then I would imagine that, yes, it is just displaying a local copy.

@stephengroat The three factors of authentication are:

  • Something you know
  • Something you have
  • Something you are

Two/Multi Factor Authentication is the practice of requiring more than one of these factors to authenticate someone. Duplicating a single factor does not count as MFA (e.g. two knowledge factors).

The issue with 1Password is more the difference between authentication and de/encryption. One of their developers made the argument that (old) 1Password was only performing de/encryption, therefore Two Factor Authentication doesn't apply. I would define authentication as "proving one's identity to another party". Since there is no other party involved in de/encryption, I tend to agree with said 1Password developer and I believe that still applies for the new hosted version of 1Password (Personal).
(See #585 for the whole discussion. Lots of interesting details. Worth the read if you have the time.)
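As an added example, not code from this PR, from the twofactorauth project, or from AgileBits (and not 1Password's real derivation, which this thread does not describe), the following Python model illustrates the two points made in the comment above: a "split key" that needs both the Master Password and a 128-bit Account Key before a vault will open, and a check that MFA means more than one *category* of factor, so password plus Account Key still counts as a single knowledge factor. The KDF, the toy vault format, the factor table and every sample value are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed mapping of example login factors to the three categories
# listed in the comment above. The Account Key is a static secret the user
# must store and type, so it lands in the same category as the password.
FACTOR_CATEGORY = {
    "master_password": "knowledge",
    "account_key": "knowledge",
    "totp_device": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
}


def distinct_categories(factors):
    """Set of factor categories a login actually demands."""
    return {FACTOR_CATEGORY[f] for f in factors}


def is_multi_factor(factors):
    """MFA requires more than one category; two knowledge secrets are one factor."""
    return len(distinct_categories(factors)) >= 2


def derive_vault_key(master_password: str, account_key: bytes, salt: bytes) -> bytes:
    """Hypothetical two-secret KDF (not 1Password's scheme): stretch the
    password with PBKDF2, then mix in the account key via HMAC so that
    neither secret on its own yields the vault key."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    return hmac.new(account_key, stretched, hashlib.sha256).digest()


def _subkeys(vault_key: bytes):
    """Separate encryption and MAC keys derived from the vault key."""
    enc = hashlib.sha256(b"enc" + vault_key).digest()
    mac = hashlib.sha256(b"mac" + vault_key).digest()
    return enc, mac


def seal_vault(vault_key: bytes, plaintext: bytes) -> dict:
    """Toy vault: SHAKE-256 keystream XOR plus an HMAC tag (demo only)."""
    enc, mac = _subkeys(vault_key)
    nonce = os.urandom(16)
    stream = hashlib.shake_256(enc + nonce).digest(len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_vault(vault_key: bytes, sealed: dict):
    """Return the plaintext if the key is right, otherwise None."""
    enc, mac = _subkeys(vault_key)
    expected = hmac.new(mac, sealed["nonce"] + sealed["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None
    stream = hashlib.shake_256(enc + sealed["nonce"]).digest(len(sealed["ciphertext"]))
    return bytes(a ^ b for a, b in zip(sealed["ciphertext"], stream))


def split_key_demo():
    """Open a constructed vault with both secrets, with each one missing,
    and classify two candidate login designs."""
    salt = b"constructed-salt"                       # constructed sample value
    account_key = secrets.token_bytes(16)            # 128-bit, like the Account Key
    password = "correct horse battery staple"        # constructed sample value
    record = b"site=example.com;user=alice;pw=hunter2"

    vault_key = derive_vault_key(password, account_key, salt)
    sealed = seal_vault(vault_key, record)

    return {
        "opens_with_both": open_vault(vault_key, sealed) == record,
        "opens_without_account_key": open_vault(
            derive_vault_key(password, secrets.token_bytes(16), salt), sealed) is not None,
        "opens_without_password": open_vault(
            derive_vault_key("wrong password", account_key, salt), sealed) is not None,
        "password_plus_account_key_is_mfa": is_multi_factor(["master_password", "account_key"]),
        "password_plus_totp_is_mfa": is_multi_factor(["master_password", "totp_device"]),
    }


if __name__ == "__main__":
    for name, value in split_key_demo().items():
        print(f"{name}: {value}")
```

The split-key half shows what the Account Key does buy: a leaked password alone does not open the vault. The classification half shows what it does not buy: both secrets are things the user knows, so a second category (a possession or inherence factor) is still needed before the login can be called two-factor.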

@jamcat22
Member

I'd just like to point out for clarification that 1Password's personal version is hosted using the exact same architecture as 1Password for Teams. They each use the same encryption and authentication methods and practices. In fact, when using 1Password's app, the app prompts you to sign in to "a team or family account" even when using an individual account, as the only difference is that the subdomain "my.1password.com" is used instead of a team or family specific subdomain.

@RichJeanes
Member

Then why do they advertise that admins on Team accounts can reset Account Keys and then advertise that Account Keys cannot be reset on personal accounts? The way that Teams operates seems to be very different, architecturally, to allow for things like vault sharing and administration. Just because the app can handle both types of accounts doesn't mean that they are handled the same in the background. That's like saying "My image viewer can open both of these image files, therefore they must be the same format." Do you have any documentation to verify that they are the same?

@jamcat22
Member
jamcat22 commented Sep 21, 2016 edited

I have reached this conclusion upon reading how recovery groups work in the 1Password White Paper (available here). One part of the paper mentions,

If there are no members of a Recovery Group, the capacity to recover data is lost to the team.

which to me suggests that for personal accounts, either a recovery group isn't created, or one is created with no members. The rest of the architecture seems to be the same based on the details given in the white paper and on their support site.

One of their articles says,

Most websites have a password reset feature which relies on a master key in the possession of the service provider. Your 1Password account has no such key, so it can only be recovered by people you entrust. They alone can help you regain access if you forget your Master Password or lose your Account Key.

and,

Your 1Password account uses the SRP protocol to authenticate your login details without sending your Master Password over the Internet, so it can’t be stolen while it’s in transit.

@jamcat22

Found one incomplete URL and gave suggestions for rephrasing the exception text.

_data/identity.yml
@@ -1,4 +1,15 @@
websites:
+ - name: 1Password
+ url: https://
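Review bot: the `url:` value on the last `+` line is incomplete (`https://` with no host), so the generated site entry would link nowhere; set it to the site's canonical address, which the review comment on this hunk gives as `https://1password.com/`.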
@jamcat22
jamcat22 Sep 21, 2016 Member

This URL should be set to https://1password.com/

_data/identity.yml
+ facebook: 1Password
+ twitter: 1Password
+ exceptions:
+ text: "Although AgileBits, the company behind 1Password, feel that two factor authentication doesn't really fit 1Password, we disagree. Because of the way in which 1Password handles authentication and password data."
@jamcat22
jamcat22 Sep 21, 2016 edited Member

"Because of the way in which 1Password handles authentication and password data." sounds a bit like a sentence fragment. It could be rephrased as, "AgileBits, the company behind 1Password, feels that two factor authentication doesn't really fit into 1Password's offering. We disagree because of the way in which 1Password handles authentication and password data."

@RichJeanes
RichJeanes Sep 21, 2016 edited Member

Copy paste error on your first example? That's still two sentences...
In the second example, sentence two, I would remove the comma. Unnecessary pause.

@jamcat22
jamcat22 Sep 21, 2016 edited Member

Ah thanks. The form didn't save correctly. I'll fix that. Feel free to suggest a better version. I'll remove the comma.

@jamcat22
jamcat22 Sep 21, 2016 Member

I now believe this line should be removed.

@jpgoldberg

I'm Jeffrey Goldberg from AgileBits. I would not consider our Account Key to be 2FA. It has very different security properties and is used to solve a different problem than 2FA is used for.

@jamcat22
Member

@jpgoldberg We currently don't consider Account Key to be a form of 2FA, which is why we were going to list 1Password as not supporting 2FA. How do you feel about this decision?

@jpgoldberg

Hi @jamcat22

We currently don't consider Account Key to be a form of 2FA, which is why we were going to list 1Password as not supporting 2FA. How do you feel about this decision?

I fully concur that that is the correct decision.

_data/identity.yml
+ facebook: 1Password
+ twitter: 1Password
+ exceptions:
+ text: "AgileBits, the company behind 1Password, feels that two factor authentication doesn't really fit into 1Password's offering. We disagree because of the way in which 1Password handles authentication and password data."
@mxxcon
mxxcon Sep 21, 2016 Member

I feel this is an unnecessary qualification. Ultimately the reasons behind why 2fa is not implemented are irrelevant. Especially now that 1pass functions similarly to other online password managers. Your password database is no longer kept offline-only.

@thegeekkid
thegeekkid Sep 21, 2016 edited Contributor

I agree; however, since Agilebits has been very responsive, it's probably only fair that they are given a chance to defend themselves.

@mxxcon
mxxcon Sep 21, 2016 edited Member

I don't see anything that they should defend considering they already have 2fa in beta form.
Right now it's tfa:no; when, if ever, it gets released, it'll be tfa:yes.
Or I guess at best it's in progress..

@thegeekkid
thegeekkid Sep 21, 2016 Contributor

True. My main issue with not acknowledging the argument that they made is that there was obviously a difference of opinion as to whether or not tfa was important for them. I disagreed with their viewpoint; but I think that's something that people should have been able to decide for themselves, and acknowledging that there was a different viewpoint would have done the trick. I guess since they are implementing it now, they've pretty much conceded their previous stance.

@mxxcon
mxxcon Sep 21, 2016 Member

They could argue that when 1pass was purely an offline solution. Now it's no longer that.

@jamcat22
jamcat22 Sep 21, 2016 edited Member

According to @jpgoldberg, they agree with our decision. I believe this exception text is no longer necessary.

@mxxcon
Member
mxxcon commented Sep 21, 2016

@Carlgo11 Should CONTRIBUTING.md change be part of this PR?

@jamcat22
Member

@mxxcon I'd think so since we're changing how the link: tag works.

Carlgo11 added some commits Sep 20, 2016
@Carlgo11 Carlgo11 Readd 1Password
Signed-off-by: Carlgo11 <github@carlgo11.com>
a6597fe
@Carlgo11 Carlgo11 Changes proposed by @jamcat22
Signed-off-by: Carlgo11 <github@carlgo11.com>
3ae6945
@Carlgo11 Carlgo11 Remove exception
Signed-off-by: Carlgo11 <github@carlgo11.com>
65f0efe
@Carlgo11
Member

@mxxcon @jamcat22 I removed the exceptions tag and therefore also the exception-rework from this PR.
See new commit history.

@jamcat22 jamcat22 added looks-good and removed enhancement labels Sep 22, 2016
@stephengroat stephengroat merged commit a259290 into 2factorauth:master Sep 23, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@Carlgo11 Carlgo11 deleted the Carlgo11:patch-1password branch Sep 24, 2016
@Carlgo11 Carlgo11 added a commit that referenced this pull request Sep 24, 2016
@Carlgo11 Carlgo11 Remove 1Password as per #2048 4bfe7f6
@Carlgo11 Carlgo11 referenced this pull request Oct 25, 2016
Closed

1password 2FA Info #2162
