by vanshg 1367 days ago
So that you're protected from data breaches of the service itself (e.g. revealing a reused password)

That doesn't have anything to do with MFA. If for some reason your 1Password masterpass is compromised, the hacker has access to your passwords and your MFA tokens.

If you use 1Password and, say, Authy (assuming your Authy pass isn't in 1Password) or Google Authenticator, then all services with MFA won't be compromised if the 1Password masterpass is...

Hi there!

Not quite. An attacker would need either your account password AND an already authorized device, OR they would need both your account password AND Secret Key. If you have 2FA enabled for your 1Password account, and the attacker doesn't have one of your authorized devices, they would also need your second factor (TOTP or hardware key).

Additionally, our Principal Security Architect, Jeff Goldberg, wrote some thoughts on this subject here: https://blog.1password.com/totp-for-1password-users/

- Ben, 1Password

So you're banking on the idea that in order to log in to 1Password you need an authorized device as your layer of security.