by spsful 1684 days ago
Google's 2FA is very frustrating to say the least. The forced use of a mobile device with a Google app installed as my primary 2FA device is nothing if not annoying; I already have 1Password set up in the browser to autofill 2FA codes. Google doesn't seem to like this because after sign in I always have to wait for the prompt saying "open the google app on your phone", then scroll down and click "try a different way" and THEN click a selection to enter a 2FA code. Very very frustrating.

I use a password manager myself (as IMHO everyone should). It's not ideal because if your master password gets compromised it's potentially catastrophic in a way that any individual password getting compromised isn't.

The problem with 1Password 2FA is, I believe, that the 2FA itself is still gated behind your master password, in that if that gets compromised so does your supposed 2FA.

The central idea of 2FA is it's something you know and something you have. If that 1Password master password is the only thing needed to gain access then you don't really have 2FA.

Again, I don't use this feature of 1Password so this might not be exactly how it works.

But if so, I'm sympathetic to Google not treating it as 2FA because, well, it isn't.

I know 2FA is often described in this way but it's not the way I really use it or how your average person wants to use it IMHO. It's just a second piece of data that is needed to login, which does add significant security. Maybe I just don't oversee anything important enough but I don't actually want my digital security to be dependent on a single piece of hardware ever. Yes, I know about backup codes but where are you going to store those if not 1Password/alternative-manager? So for me I'm perfectly happy to keep my 2FA alongside my password in 1Password.

As for "If that 1Password master password is the only thing needed to gain access then you don't really have 2FA." it's not, unless they get access to a device you have logged into 1Password on in the past (and thus entered your secret key [0]). For me this stays true enough to "something I have". If someone has my phone/computer AND can guess my 1Password master password then things are already pretty bleak and they already have access to whatever other 2FA app I was using (Authy/GA).

Lastly 2FA falls apart if you share an account with a significant other (or a team). In 1Password I can just move that login to a shared vault or share that login individually and everyone can log in and use 2FA. I'm not sure what the alternative would be. Sure, if a product supports multiple accounts or even multiple 2FAs (I don't think I've ever seen the latter, at least in non-enterprise settings) there is a way to do this, but for most apps/SaaS/etc. there isn't an alternative (other than disabling 2FA).

[0] https://support.1password.com/secret-key/

> backup codes but where are you going to store those

On a flash drive/SD card, or even printed out, and then stashed somewhere safe/secure (i.e. not in an unlocked drawer next to your desk)

Yes. I write them in a book. The book lives in a locked desk drawer.

My threat model does not include "Nation state adversary breaks into my home and... reads the contents of the book". If I annoy the Russians enough, presumably they would just try to outright murder me.

In contrast, "Person I annoyed online plans elaborate Internet revenge" is definitely a potential threat I want to cope with, as are "Scam email claiming to be from company I have account with", "Facebook lose everybody's passwords", and so on.

What about the "my house burns down along with all my devices" threat model?

In the event I die, most documents and other material are encrypted and so are now intentionally useless. My accounts are not intended to be "memorialized" or whatever. My net worth cashes out for a handful of people to split up as they choose, or if they can't/won't evenly between them.

If you meant somehow the building burns down and destroys all my possessions but leaves me miraculously alive, I lose access to a bunch of stuff. Nothing to be done about it.

But one of the Security Keys lives in my jeans pocket, so if I survive the fire in the regular way, by fleeing a burning building, I still have that Security Key. If I am wearing trousers. Not so many people actually flee naked, if the fire is going to kill you in the time it takes to pull jeans on you're probably just not making it out at all.

The only use case I've identified for 1Password 2FA is an account that _must_ be a shared login. There are a few business services we use that don't support multiple users on an account.

Our choice is either:

* No 2FA

* Virtual, 1Password 2FA

It's better. But it's not great.

Is there any reason why you couldn't set up the same TOTP authentication on multiple devices?

It's a pain and would require setting it up on nearly every employee's device.
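Worked illustration of the point raised in the two comments above (added here; this is not code from the thread or from any of the products mentioned): TOTP codes are a pure function of a shared seed and the clock, so every device that scans the same otpauth:// QR code produces the same code, and anyone holding the seed holds the "second factor". The provisioning URI and device names are constructed; the seed is the RFC 6238 reference seed "12345678901234567890".

```python
# Added example, not code from the thread: RFC 4226 HOTP and RFC 6238 TOTP from
# a shared seed. Every device that scanned the same otpauth:// QR code holds the
# same seed and therefore produces the same code, so "enrolling" a second device
# is just copying the seed; the seed is the factor.
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(base32_secret: str, unix_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
    return hotp(base64.b32decode(padded), unix_time // step, digits, algo)


def totp_from_otpauth_uri(uri: str, unix_time: int) -> str:
    """Compute the code straight from an otpauth://totp/... URI (what the enrollment QR code encodes)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(parsed.query)
    return totp(
        params["secret"][0],
        unix_time,
        step=int(params.get("period", ["30"])[0]),
        digits=int(params.get("digits", ["6"])[0]),
        algo=params.get("algorithm", ["SHA1"])[0].lower(),
    )


def codes_on_devices(uri: str, unix_time: int, devices: list) -> dict:
    """Each device that scanned the same QR derives the identical code for the same time step."""
    return {name: totp_from_otpauth_uri(uri, unix_time) for name in devices}


def verify_totp(base32_secret: str, candidate: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check allowing +/- `window` steps of clock skew, compared in constant time."""
    return any(
        hmac.compare_digest(totp(base32_secret, unix_time + offset * step, step), candidate)
        for offset in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed enrollment URI using the RFC 6238 reference seed "12345678901234567890".
    uri = ("otpauth://totp/Example:alice@example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&algorithm=SHA1&digits=6&period=30")
    print(codes_on_devices(uri, 59, ["laptop", "phone", "password-manager"]))
```

The verifier side matters for the "shared login" case too: because the server accepts any code in the skew window, several people (or several devices) can use the same seed concurrently without any state being shared between them.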

The way I see my password manager is that its password store in itself is "something I have", while the password to it is "something I know".
The problem is that “something I have” is generally supposed to imply that it’s a physical object whose functionality cannot be feasibly copied to another object. Some data, especially data stored in the cloud, isn’t really a good candidate, even if it’s protected by a password that only you know.
I disagree. The "have" factor can be soft or hard. It just needs to not be memorable (because then it's guessable, which is a primary weakness of a "know" factor).

For example: if you have an application protected by password+yubikey with "remember device" enabled, after prompting for your password it may decide not to also prompt you for the yubikey, and that can be because a cookie (perhaps ANDed with some other heuristics) is taking its place. A cookie which can be trivially copied to another device, but can't be trivially memorized nor guessed, and is for that reason not a "knowable" thing. If it was considered a "know" factor, then the "remember device" feature would effectively be a "conditionally disable 2FA" feature (two "knows" are 1FA), but it's really not that, outside of describing the interim UX.

I think that a "remember device" feature is a totally orthogonal concept. That's really just another word for a session, and it's quite common for authentication to apply to an entire session rather than to each and every message in a session.

It's true, of course, that once you have created an authenticated session on a device, anyone who has compromised that device (with physical access or a software hack) can likely gain access to that session. But the authentication method still prevents unwanted initiation of sessions, which is the whole point.

Any service provider obviously needs to choose their session policies to match the sensitivity of their service, their own threat models, and the threat models of their clients. So e.g. an online bank probably shouldn't issue cookies that last for a year and are portable across IP addresses. For some services, it could be a good idea for the session to only grant less sensitive access (e.g. only read access), and still require fresh authentication for sensitive actions (e.g. transferring money).

I avoided using my password manager's 2fa for quite some time for the same argumentation...

But when I realised the 'something you have' is the password manager (actually, the data store) itself, and the 'thing I know' is my master password (and not the individual site's password) I've started using it for 2fa. I can still see how the subscription version of 1password stretches that definition though (because you don't actively have unique ownership of the data itself), which is why I use keepass now.

Just like a dongle, your pc is not immune to evil maid if left unattended. My threat model isn't inclusive of that (my threats come from the internet - I live rurally).

Requiring your phone for 2fa (google auth or sms 2fa or other) isn't a panacea either, especially if that's the device you're logging in with.

I wish Google would allow setting 2fa without a phone number...

> the 'something you have' is the password manager

The problem is, assuming your master password is unique (I hope so!), all of the likely vectors for exposing it also expose the database, even if it's only kept locally. Having the database only stored in one place is also quite inconvenient, of course, and any sync mechanism adds even more opportunities for it to be exposed.

My computer could very easily have a zero-day vulnerability get exploited. So could my phone. Either one would expose anything I do on it (for example: access my password database using my master password).

(My solution to this is to use a security key for as much as I can. If you're not concerned about this risk, great, but it definitely is a threat.)

> The central idea of 2FA is it's something you know and something you have. If that 1Password master password is the only thing needed to gain access then you don't really have 2FA.

Well, this is not exactly true. You need to know the master password, and you need to have the device that has the 1Password database on it. Even with the knowledge of the master password, you can't log in to your $random_website account from my laptop. So even without the additional one-time 2FA codes, using a password manager that has a master password and doesn't synchronize its database, de facto, _is_ a form of 2FA. Yes I understand that this view is controversial and that auditors will disagree.

1. 1Password requires a secret key[1] in addition to the master password to gain access on a new device - specifically to protect against weak/reused/leaked master passwords

2. You can add 2FA (well, technically 3FA if you need the secret key, master password, AND a rotating token) to your 1Password signin as well (I use Authy for that purpose)

[1] https://support.1password.com/secret-key/

The second factor for login to 1Password (or other password managers) protects you from people logging into your account officially, but not from vulnerabilities or inside action of the vendor.

1Password also seems able to bypass the secret key ("If you still can’t find your Secret Key, contact 1Password Support.") which means social engineering, phishing, and/or credential stuffing attacks are viable.

By implementing #1 and #2 it seems like you would still have a layer of protection even if your master password gets key-logged.

Totally agree, it's crazy to have your 2FA and password manager be the same application. You can actually disable 1Password's 2FA and tie a different 2FA. I'm not sure if it's just a business/teams feature, but we are able to require everyone at the company install and use Duo as their primary 2FA as part of their 1Password activation.

> It's not ideal because if your master password gets compromised it's potentially catastrophic in a way that any individual getting compromised isn't.

If you care about this, consider security through compartmentalization provided by Qubes OS. I store my passwords in plain text in an offline VM (with hardware virtualization).

There are vulnerabilities disclosed in VMs and containers almost weekly.

None of which affect VT-d hardware virtualization in a meaningful way [0].

[0] https://www.qubes-os.org/security/xsa/

A password manager itself should be protected with 2FA already. Especially in terms of 1Password since you mentioned it, you need to have both master password and private key to decrypt a vault. It is a pretty strong 2FA as long as you know how to protect the private key.

Granted that if you put your TOTP seed somewhere else outside the password manager, you technically achieved "3FA"(1Password master password + 1Password private key + TOTP token) and it is more secure. But I don't think putting TOTP seed and password together in the same password manager weakens 2FA?

To login to a website:

- Without a password manager, your 2 factors are account password + account TOTP.

- With 1Password, your 2 factors are 1Password master password + 1Password private key.
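Worked illustration serving both the "secret key in addition to the master password" comment further up and the "master password + private key" breakdown just above (added here; this is not 1Password's code, and the scheme is a simplified stand-in rather than their actual key derivation): the vault key is derived from BOTH a memorised password and a high-entropy key that lives only on enrolled devices, so a stolen vault file plus the correct password still fails to open without the device-held secret. The iteration count, key sizes and the toy cipher are assumptions for the example; the sample vault contents are constructed.

```python
# Added illustration, not 1Password's own code: a "two-secret" vault key derivation in
# which the key depends on BOTH a memorised master password and a high-entropy secret
# key that exists only on enrolled devices. Neither secret alone unlocks the vault,
# which is the sense in which the comments above treat the device-held secret as the
# "something you have". The vault cipher here is a toy HMAC-SHA256 counter-mode stream
# with an encrypt-then-MAC tag (standard library only); use a real AEAD in practice.
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 50_000  # assumed; a real implementation tunes this per device


def enroll() -> tuple:
    """Generate the per-account salt and the device-held secret key (assumed 32 bytes)."""
    return os.urandom(16), secrets.token_bytes(32)


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Slow KDF over the password, XORed with a fast KDF over the secret key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    sk_part = hmac.new(secret_key, b"vault-key" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag over nonce and ciphertext (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong password OR a wrong secret key both fail here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong master password and/or secret key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def can_unlock(blob: bytes, salt: bytes, master_password: str, secret_key: bytes) -> bool:
    try:
        decrypt_vault(derive_vault_key(master_password, secret_key, salt), blob)
        return True
    except ValueError:
        return False


def offline_guess(blob: bytes, salt: bytes, candidates: list, secret_key: bytes):
    """A stolen vault file lets an attacker try passwords offline, but only if they also
    hold the secret key; with the wrong secret key even the correct password fails."""
    for pw in candidates:
        if can_unlock(blob, salt, pw, secret_key):
            return pw
    return None


if __name__ == "__main__":
    salt, secret_key = enroll()
    vault = encrypt_vault(derive_vault_key("correct horse battery staple", secret_key, salt),
                          b"github.com: alice / hunter2")  # constructed vault entry
    print(can_unlock(vault, salt, "correct horse battery staple", secret_key))
    print(can_unlock(vault, salt, "correct horse battery staple", bytes(32)))
```

The practical consequence is the one the thread circles around: a keylogged master password on its own gives an attacker nothing to verify guesses against, but anyone who already has a logged-in device has the secret key too, so from that position the password is the only remaining barrier.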

Something you have and something you know. A password can be hacked remotely. Something you have is more involved. These are layers of security. Some are better than others, and there are gimmicks like some forms of recovery.

Your example is correct, but your 1Password account can be protected by MFA that's separate from 1Password itself. They also support U2F.

I personally have all my MFA codes in 1Password, but 1Password is protected with my Yubikey. In the unlikely event that a bad actor did acquire my master password, they wouldn't get far unless they also physically had my hardware security key.

I've used a U2F dongle for my 2FA with Google for a few years. I've been enrolled in the Google Advanced Protection program for a while. I don't have any issues around Google logins, just plug in my U2F dongle and press the button or hold the dongle near my phone for NFC to do its magic.

Another benefit is that I'm much less likely to lose my U2F dongle as it's on my physical keychain (and has been, for years, without damage) than I am to need to replace or wipe my phone (although a password manager with 2FA codes in it also avoids this).

For anyone who says, "But what if $WORKPLACE doesn't allow you to plug in USB dongles or use NFC!?!" my counter is then maybe you shouldn't be logging into your personal Google account on that PC. And you probably have an IT department who already have a solution for 2FA that you're required to use.

Also, just because you aren't allowed to plug in "USB dongles" such as flash drives, does not mean FIDO authenticators [the things needed to make WebAuthn or its predecessor U2F work] won't work.

A FIDO authenticator is actually a USB HID class device, like a keyboard‡. So, if your $WORKPLACE doesn't allow you to plug in keyboards then, OK, I guess maybe a FIDO dongle isn't worth trying, but few people are in that situation.

If your employer has a policy of specifically issuing and authorising only particular devices (e.g. you can pick from a list of 3 Dell branded keyboards and 2 Logitech keyboards and anything else needs HR director override) then seems like it's time for them to authorise and issue a nice high quality FIDO authenticator. Yubico make some eye-wateringly expensive models, maybe they should pick those.

‡ "Like" a keyboard but it isn't a keyboard. The FIDO protocols don't involve keypresses, the device is just HID class because well, it's a Human Interface Device, seems legit. It sets protocol to 0xFF custom, and needs dedicated software to use that, which is fine.
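Worked illustration of the HID point above (added here; not code from the thread): a parser that walks a USB HID report descriptor and reports the usage page and usage of each top-level Application collection. FIDO authenticators (U2FHID/CTAPHID) identify themselves with the FIDO Alliance usage page 0xF1D0 and usage 0x01, while a keyboard uses Generic Desktop page 0x01, usage 0x06, which is how a USB allow-list could admit a security key without admitting anything that can type. The CTAPHID descriptor is the example descriptor from the FIDO CTAP HID transport specification; the keyboard descriptor is a constructed minimal boot-keyboard descriptor.

```python
# Added example, not from the thread: walk a USB HID report descriptor and report the
# (usage page, usage) of each top-level Application collection. FIDO authenticators
# (U2FHID/CTAPHID) announce themselves with the FIDO Alliance usage page 0xF1D0 and
# usage 0x01, while a keyboard uses the Generic Desktop page 0x01 with usage 0x06.
FIDO_USAGE_PAGE = 0xF1D0
FIDO_USAGE_CTAPHID = 0x01
GENERIC_DESKTOP_PAGE = 0x01
KEYBOARD_USAGE = 0x06

# Descriptor as given in the FIDO CTAP HID transport specification (64-byte IN/OUT reports).
CTAPHID_DESCRIPTOR = bytes([
    0x06, 0xD0, 0xF1,  # USAGE_PAGE (FIDO Alliance)
    0x09, 0x01,        # USAGE (CTAPHID)
    0xA1, 0x01,        # COLLECTION (Application)
    0x09, 0x20,        # USAGE (data in)
    0x15, 0x00,        # LOGICAL_MINIMUM (0)
    0x26, 0xFF, 0x00,  # LOGICAL_MAXIMUM (255)
    0x75, 0x08,        # REPORT_SIZE (8)
    0x95, 0x40,        # REPORT_COUNT (64)
    0x81, 0x02,        # INPUT (Data,Var,Abs)
    0x09, 0x21,        # USAGE (data out)
    0x15, 0x00,
    0x26, 0xFF, 0x00,
    0x75, 0x08,
    0x95, 0x40,
    0x91, 0x02,        # OUTPUT (Data,Var,Abs)
    0xC0,              # END_COLLECTION
])

# Constructed minimal boot-keyboard descriptor (modifier byte only) for comparison.
KEYBOARD_DESCRIPTOR = bytes([
    0x05, 0x01,              # USAGE_PAGE (Generic Desktop)
    0x09, 0x06,              # USAGE (Keyboard)
    0xA1, 0x01,              # COLLECTION (Application)
    0x05, 0x07,              # USAGE_PAGE (Keyboard/Keypad)
    0x19, 0xE0,              # USAGE_MINIMUM (Left Control)
    0x29, 0xE7,              # USAGE_MAXIMUM (Right GUI)
    0x15, 0x00, 0x25, 0x01,  # LOGICAL_MINIMUM/MAXIMUM (0..1)
    0x75, 0x01, 0x95, 0x08,  # REPORT_SIZE 1, REPORT_COUNT 8
    0x81, 0x02,              # INPUT (Data,Var,Abs)
    0xC0,                    # END_COLLECTION
])


def application_collections(descriptor: bytes) -> list:
    """Return [(usage_page, usage), ...] for every top-level Application collection."""
    found, usages, usage_page, depth, i = [], [], 0, 0, 0
    while i < len(descriptor):
        prefix = descriptor[i]
        i += 1
        if prefix == 0xFE:  # long item: bDataSize, bLongItemTag, data; nothing we need
            i += 2 + descriptor[i]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]
        item_type, tag = (prefix >> 2) & 0x03, prefix >> 4
        data = int.from_bytes(descriptor[i:i + size], "little")
        i += size
        if item_type == 1 and tag == 0x0:          # Global: Usage Page
            usage_page = data
        elif item_type == 2 and tag == 0x0:        # Local: Usage (4-byte form carries its own page)
            usages.append((data >> 16, data & 0xFFFF) if size == 4 else (usage_page, data))
        elif item_type == 0 and tag == 0xA:        # Main: Collection
            if depth == 0 and data == 0x01 and usages:
                found.append(usages[0])
            depth += 1
            usages = []
        elif item_type == 0 and tag == 0xC:        # Main: End Collection
            depth -= 1
            usages = []
        elif item_type == 0:                       # Input/Output/Feature consume local items
            usages = []
    return found


def is_fido_authenticator(descriptor: bytes) -> bool:
    return (FIDO_USAGE_PAGE, FIDO_USAGE_CTAPHID) in application_collections(descriptor)


def can_type_keystrokes(descriptor: bytes) -> bool:
    return (GENERIC_DESKTOP_PAGE, KEYBOARD_USAGE) in application_collections(descriptor)
```

On Linux the raw descriptor for an attached device is readable from sysfs (the `report_descriptor` attribute under the hidraw device's HID node), which is what an endpoint-control rule would feed into a check like this.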

Some work machines have all external ports glued shut and the mouse/keyboard are non-removable to prevent data exfiltration. Though you shouldn't be logging into personal accounts on those machines anyway.

This is quite a flippant response. These requirements are being put in place against (some) users' will. Simply changing email providers isn't exactly easy and maybe they need to access that account. Maybe Google should allow users to turn this off?

I've had the same experience. Signed up for Advanced Protection Program not long after it was announced and I've been very happy with my MFA experience with Google for years now.

If you use a Google Titan Key with Apple devices, have you been able to pair and successfully authenticate using either (1) bluetooth only, or (2) NFC only, on any Apple device?

I have not, and it's frustrating that Google offers no support beyond their help pages for their own branded hardware.

I use a few Yubikeys and a Bluetooth Feitian key with my iPhone 8. My wife uses a Google Titan USB key and Bluetooth key for her Apple devices. Our iPads are too old to have NFC, but the Bluetooth paired fine with Google's Smart Lock app and we've used that.

For our iPhones, the NFC has worked fine even without the Smart Lock app. I believe Google phased Smart Lock out some time ago but I've not tried using it in a while, I don't use an iPad very often.

Yes, the bluetooth titan key definitely worked for me and my wife on our iPhones. I think NFC did too but I haven't had to reauthenticate my iPhone in ages so I don't remember for sure.
What's your plan for when your dongle is lost/stolen/destroyed? Many U2F devices cannot be backed up and they recommend that you register with 2 separate devices. But while that is possible, it certainly doesn't scale and really is useless advice for the general case.

I have 3 U2F devices. My wife has 2. For any U2F logins we have, we have enrolled all of our dongles in each login.

At least one of each of our devices is always stored at home in a safe place, where we store other valuable documents. If either of us lose one device, we will buy a new U2F dongle, enroll the new dongle, and unenroll the old lost/missing/stolen dongle from each of the services we use.

You can't backup a U2F dongle but so far everywhere I've enrolled to use one it always recommends you enroll at least 2 and keep one in a safe place.

Can you elaborate on it not scaling? Keeping a spare is a pretty common pattern; see tires, house keys, emergency supplies.

Mind sharing which U2F dongle and phone you use?

I haven't been able to get any Google Titan Key to work with any Apple device via NFC.

I have a Yubikey 5, Yubikey 4, and a Feitian Bluetooth key, the Feitian is basically the unbranded Google Titan Bluetooth key. Both work fine, although I haven't used the Bluetooth one in a while. I use my Yubikey 5 on a regular basis.

I use an iPhone 8.

FWIW I've been using Authy for all my 2FA for years, including Google's, without any issues

And authy has a desktop app too, which makes it much more convenient.

The whole point of 2FA is that 2 devices need to be compromised - your phone AND your computer. With desktop Authy only one device - your computer - needs to be compromised.

This is correct but, in the vast majority of cases, attacks are carried out remotely. I would agree that where third parties have access to your machine, it would not be a good solution.

If someone controls your computer remotely, it's the same as if she controlled it physically, no difference from an ownership point of view.

Authy desktop app doesn't show some entries for me though. Dunno why
> I already have 1Password set up in the browser to autofill 2FA codes

The whole point of 2FA is to have "2" independent pieces of data to verify logins. Gating 2FA behind a single password defeats the point.

Two passwords - a master password, and a secret key. That secret key comprises the phone or laptop with 1password configured being the "something you have" for MFA because it's basically the same as the TOTP seed value/QR code - that secret key is only used by the user when setting up a new device - similar to when a new TOTP MFA is set up.

That's not how MFA works.

Chaining just increases vulnerability.

My password manager requires a hardware token to log in. So now the second factor is "has a device I've logged into my password manager with, or the hardware token for the password manager".
Which isn't something you have. It's something you know, gated behind something you have.

> The whole point of 2FA is to have "2" independent pieces of data to verify logins. Gating 2FA behind a single password defeats the point.

Indeed.

It's also why I think U2F should be mandatory in way more places/sites/companies (it is in some, thankfully): you then need to physically have a Yubikey or similar and it's not possible anymore to trade security for convenience. It doesn't solve all security issues, but it's already a great step forward.

When you give people the choice, they'll pick the lazy, insecure, way.

FWIW, you could use a different app, other than Google's. For example, you could use an app called Authy or the Microsoft authenticator app. Then AT LEAST, the app is outside the Google network.

That sounds like design decisions for optimising the 2FA experience for the vast majority of users, who don't want to mess with Google Authenticator or their password manager _is_ Google (Chrome).

If you are working in a facility where you can't have a mobile phone nearby, it is incredibly frustrating. Sure, just print out a long list of codes every week.

My parents are low tech and don't have cellphones. I guess they're going to have to get a call on their landline now every time they have to 2fa?

Because your parents do not have cellphones, Google will conclude that it doesn't know a better way to authenticate them and they get to keep their existing (poor) security. As the article eventually explains.

If you would like your parents to have better security for these accounts, I commend Security Keys. Unless your parents aren't together any more, or are just really fervently independent, it's probably fine to buy them one each, but with the suggestion that they both enroll both keys. This way when Parent #1 loses the Yubikey you bought them, Parent #2 can use their Yubikey to save the day until a new one is purchased.

Yubico's USB A form factor "Security Key 2" is robust, but relatively expensive for what you need.

Searches for "Security Key" on Amazon or your preferred site will give you a pile of products and review feedback across price brackets, the only thing your parents are likely to care about are the connector (USB A is no use for a USB C MacBook for example) and maybe other form factor concerns like can it hang from a keychain, or would it fit in a wallet? For their purpose these things don't fill up, and shouldn't (modulo physically smashing it) wear out.

Something like this is really going to be a challenge for them. Might be time to move them to fastmail.
> USB A is no use for a USB C MacBook for example

You can always buy a USB-A-to-USB-C adapter/converter. They are available everywhere, inexpensive, and if you're afraid it will be misplaced, there's always the option to glue the USB A key to the adapter...

Google discontinued the "read you a number over a landline" feature a little while back and only supports texting now.

Others have mentioned a desktop app, but how often do your parents have to 2fa? It's not every time they log in (unless they're buying a new burner laptop every time they log in. If they are, there may be other issues to discuss first.)

I've found Google asks for 2fa at pretty random times. I do travel a lot but still it happens at least once a month.

I am curious about this as well, parents in the same position. What happens now?

My Dad is in the same boat. What about a Titan/yubikey? They are fairly easy to use - although you might have to help your parents with enrollment.

low tech, but with google account?

Yeah they can barely manage email. I've taught them how to forward email a dozen times but that's a bridge too far for them.

One alternative (though it's absurd it has to be this way) is to use two separate google accounts - one for your phone, one for everything else. It actually solves a few invasive/dark patterns Google employs.

Security often comes at the cost of convenience.

False dichotomy, these issues would be gone if google provided any meaningful customer service for edge cases.

You can fill forms and feedback but I have never heard of free users ever getting as much as a reply back.

Huh. My google account shows Security Keys as the default 2fa option. When I login it goes straight to the security key prompt.

1Password isn't really multi factor authentication though.

Google doing it properly should not upset you this much.

You can always use SMS 2FA

There are services that have safeguards in place against sim swapping, coincidentally one of them is Fi: https://support.google.com/fi/answer/9834243?hl=en

While I'm sure that Fi and Google Voice are better than almost any other carrier based SMS security, this does nothing to convince me to ever use SMS 2FA.

"Your Fi number is tied to your Google Account." -- I'm sure you've seen cases of people's google accounts being randomly locked for no reason. Now you lose access to make a call too!

The last thing I'd ever trust security to is SMS. Lots of good technical details here:

https://lucky225.medium.com/its-time-to-stop-using-sms-for-a...

No matter what cellular service you use, you run a risk of being flagged as a false positive for fraud locks (irrespective of SIM swaps).

If a SIM swap scam is happening and your account is locked, it is incredibly unlikely they'll be able to swap it out.

Apparently the safeguards consist of using a non-SMS method of 2FA. Maybe just do that in the other case too.

SMS 2fa is still multiple times more secure than no 2fa at all though.

I sort of disagree. With social engineering, it could be easier to reset someone's password with a SIM swap than traditional means. For many years, PayPal refused to do true 2FA and I cringed at having to choose between no 2FA or SMS-based. Phone numbers are much easier to source through public records than many people realize. As someone who has had the same primary cell phone number since I was a teenager, I'm honestly shocked it isn't in more places (I've taken great pains to limit it getting out, but I'm still shocked). That scares me enough to almost get a second number, but that's such a pain in the ass and not a great solution.

That's not really on the table though. We are not talking about your local tech illiterate bank here. We are talking about securing your Google account which is likely used to SSO authenticate with many other accounts.

Here in the US, NIST has deprecated the use of SMS as 2-factor auth[1] on the grounds that "there's a risk that SMS messages can be intercepted or redirected".

[1] https://www.zdnet.com/article/nist-blog-clarifies-sms-deprec...