[irl_]

It looks like 2fa is not required for 1password, and also that even if you did enable 2fa you can only use TOTP. Both TOTP and passwords are vulnerable to phishing as there's no cryptographic protocol going on there, you are just typing in the numbers from your phone.

This seems like an excellent way to ensure that you reduce the security of your SSH login to either having a single-factor (password) or at best single-factor + TOTP, where you previously had a phishing-resistant cryptographic protocol.

Is this really an improvement for security, or is it just a usability improvement (i.e. sync of keys) intended to work around policies trying to improve security (i.e. required use of keys)?

(The other option is I skimmed the docs badly and maybe I've misunderstood something, it's possible.)

Edit: I did skim the docs badly, it is possible to use a FIDO2/WebAuthN key for 2FA. https://support.1password.com/security-key/

[lkurtz]

1p has some native support for hardware keys (https://support.1password.com/security-key/), but you can always use Yubico Authenticator for any applications that force you to use TOTP.

[irl_]

I see. They didn't mention it on the two factor authentication page I was reading because they've split the security key and TOTP documentation and not made it obvious (enough for me to see it while skimming) how to find the former from the latter.

[deviantintegral]

1Password is different than other password managers in that it bakes in a form of 2FA via it's secret key. However, it's not quite the same as normal 2FA like TOTP since it doesn't change - but, it's also never transmitted over the wire like normal 2FA. We found it's good enough for our needs to not require 2FA on top of it.

https://support.1password.com/secret-key-security/

[raverbashing]

Whenever I hear "oh but this 2FA is vulnerable to phishing" then why did security people annoy everybody and pushed for it before considering this factor?

I'm happy to use only a password for some sensitive things, because I can remember it.

Of course security is a spectrum and 2fa does help for a lot of stuff. Especially against websites that don't know how to hash your passwords properly (usually the ones from where passwords leak the most).

[Method5440]

I was going to comment something similar - I think the messaging around this needs to be more clear. It feels like I’ve been seeing serious security folk push the unqualified use of password managers for years now. Better hope granny never needs to use SSH.

[gonehome]

You can use a Yubikey for 2fa with 1Password

[dhess]

I literally just enabled this 1 hour ago, for unrelated reasons.

However, for those reading along, initially the 1Password web interface for my account only offered the choice of setting up a TOTP authenticator. I completed that, and still saw no option for enabling a FIDO/YubiKey device. I then went into the 2FA settings for my account, toggled the option for YubiKey support off and then on again, and returned to the 2FA settings page. Only then did I see the option to enable a YubiKey.

I was then able to add my YubiKey and I can confirm that it's working with my 1Password account as a 2FA source.

[irl_]

Ok, I assume that's with FIDO/U2F, so that's not so bad.

At that point though, you already have a hardware token capable of holding SSH keys, so I'm still not convinced of the benefit.

[howinteresting]

The benefit is an extra layer of indirection.

[electroly]

We use Duo Push with 1Password. It supports lots of 2FA types.