1Password's update highlights the difference between two-step and two-factor verification

An update to 1Password brings time-based one-time passwords (TOTP for short) to its iOS app. A one-time password is typically used as a second element in two-factor authentication (2FA), a subject I've written about many times in this column. But, as noted in a sensible and honest post by AgileBits, 1Password's developer, a second factor isn't always a second factor.

A TOTP requires a seed code that, when transformed through an algorithm that includes the precise current time, produces a number that's converted into a short code, typically six digits long. In order to use a TOTP at a site that offers it, you walk through its enrollment process, which involves scanning a two-dimensional QR Code and generating one-time backup or recovery keys. The QR Code graphically represents the seed that both you and the site retain. (Some sites offer the seed as a code you can tap in as well.)

Google was the first mainstream site to add TOTP via an app, and still offers it today. When you log in from a new computer or browser, or in other circumstances Google's security algorithms require, you're prompted to enter this factor. Via Google Authenticator, an ecosystem of apps and synchronization like Authy, or this new option in 1Password, you pull up the current time-bound sequence of numbers and enter them. The site validates that the number you entered matches its derivation, and grants you access.

TOTP predates Google's usage, of course, and was typically previously found largely in security cards and dongles used by corporations and financial sites. I have a keychain-style doohickey from PayPal and one from E*Trade that carry out the same function, but they're dedicated bits of plastic and silicon with a tiny LCD screen and contain their seeds locked in hardware. I have to have them physically in my possession to validate a login.

[Figures: Adding a TOTP in 1Password 5.2 for iOS. 1 Edit Gmail entry.PNG: Edit an existing entry (or create a new one). 2 Scan or enter seed code.PNG: Scan the seed by tapping the QR Code icon, or enter the text version. 3 Entry shows link.PNG: The Secret field will show a link or the text seed. 4 Code generation in practice.PNG: After tapping Done to finish editing, whenever you view the password entry, the current TOTP will be shown, including the remaining time that it's valid. ]

Not every step is a factor

The rubric for multi-factor authentication is that factors may be "something you know," "something you have," and "something you are," which correspond, respectively and typically, to a password, a physical device receiving or generating something, and biometrics (like fingerprints and retina scans). Any multi-factor system picks at least two of these, and sometimes all three.

Here's the thing. I and many other people who write about security, along with many (not all) folks who work in the security industry, use the terms "two-step" and "two-factor" interchangeably, which is confusing. Technically, all two-factor authentication requires two steps. But not all two-step verification employs two factors! This 1Password update emphasizes that difference.

In most cases, the split in risk happens between remote attacks, in which someone cracks a site or your account without being in proximity to you, and physical access attacks, in which someone can obtain your device. With 1Password, you can be remotely exploited in the right (or, rather, wrong) rare circumstance as well.

With true two-factor authentication, the two elements are physically separate. The password is, say, in my head, and the SMS message comes via my phone, or I receive a Find My iPhone notification from Apple to validate my Apple ID login. Or I store the password in 1Password, but use Authy with Touch ID to unlock the one-time password. AgileBits argues that having both factors on the same device eliminates the benefit. I'd argue that using biometrics for one--with a unique and strong password, not stored in 1Password, as the fallback if recognition fails--and a password for the other separates them enough.

When you merge factors into one place, you lose the resistance to physical exploitation but retain the resistance to remote exploitation. And even with physical access, an attacker still needs your password (or fingerprint).

Dear reader, the sophistication that drives you to read this excellent publication may have you tut-tut my previous paragraph. Surely, everyone should enable a second factor and should do it correctly, for the best protection! But because so many people pick weak passwords and because not all sites are exploit-free in how they throttle attempts to crack passwords or prevent their password data from being obtained, a one-time password as a second step is far better than nothing at all, even if using it as a second factor would be superior.

AgileBits' inclusion of TOTP tokens means that someone who otherwise might have skipped enabling two-step verification because of the fuss or management issues now does so, and achieves a substantial bump up in their account's integrity against compromise.

There is one path for exploiting 1Password's new feature remotely, although I feel it's quite unlikely. If you use 1Password's sync features with Dropbox (all versions) or iCloud (iOS/OS X only, and the Mac App Store version of 1Password is required for OS X), someone could conceivably obtain a copy of your vault--the encrypted package of all your password data. If that person had your cloud credentials, your vault, and your password, they would be able to then obtain your two-step password and TOTP.

That's a lot of conditions to be met, and I already suggest enabling two-factor authentication for both Apple IDs (and thus iCloud access) and Dropbox to reduce the potential, as both Dropbox and Apple ID provide true second-factor methods.

As with all issues involving weighing risk, you should consider whether the ease outweighs potential exploitation. For you, perhaps true second-factor use is mandatory, and I feel that way for most, but not all accounts. For people you advise informally--family, friends, coworkers--1Password as a single-source solution that deters remote access could be a huge step up.

Stories by Glenn Fleishman