
2FA/MFA

2FA = Two Factor Authentication

MFA = Multi Factor Authentication

These two concepts are similar. All 2FA is MFA, but the inverse is not true. For our purposes we'll use the terms interchangeably.

1Password enables us to use 2FA even with shared credentials, for certain types of accounts.

Some of you may be saying: What?!? Aren't we invalidating the extra security by saving both the user/pass and the second factor in a single system? Yes and no; having 2FA enabled still protects us against casual sharing and phishing, since for the 2FA to work you need a code that's only valid for 30s.

Our 1Password accounts are protected by a very long Access Key plus user/pass (and the team URL), so even without 2FA enabled on the 1Password account itself there are still security measures present - the "one password of 1Password" is just for you, not hackers!


1Password cannot support text message (SMS) based 2FA, which means that if SMS-based 2FA is the only 2FA available for a shared account, do not enable 2FA. We will instead lean on unique and long/complex passwords to limit vulnerability.

At this time we are not using 2FA for the 1Password account itself. Again, there is already more than just a user/pass needed for access, and we're focusing on making the transition smoothly for now.


To enable app-based 2FA click on an item in 1Password and look for this banner:

2FA_available.png

Clicking on it reveals:

2FA_Start.png

Start the process of enabling 2FA on the website. This differs for each website, but basically it's "enable 2FA" and then choose app-based 2FA; if only SMS-based 2FA is offered, do not proceed for shared accounts (as noted above)! After choosing app-based 2FA you should be presented with a QR Code.

Click the "Scan QR Code" button as shown above, and position the scanner so that it can see the QR Code:

2FA_QR_Code_Scanner.png

It will instantly recognize the code.
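As an added illustration (not part of this page or 1Password's own code): what the scanned QR code carries is an otpauth:// URI containing the shared secret, and whoever holds that secret can derive the 30-second codes mentioned earlier, which is why the secret must live only in the vault. The URI, issuer and account name below are constructed sample values; the secret is the public RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of what an app-based 2FA QR code encodes. The secret is
# the RFC 6238 test-vector secret; issuer and account are placeholders.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:shared-account%40example.org"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Pull the label, secret, digit count and period out of an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def totp(secret_b32, unix_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1): the code for the period-long window containing unix_time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // period)   # time step since the epoch
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def seconds_remaining(unix_time, period=30):
    """Seconds until the current code expires and the next window begins."""
    return period - int(unix_time) % period


def current_code(uri, unix_time=None):
    """Return (code, seconds_left) for the account described by the URI."""
    cfg = parse_otpauth(uri)
    now = time.time() if unix_time is None else unix_time
    return totp(cfg["secret"], now, cfg["digits"], cfg["period"]), seconds_remaining(now, cfg["period"])


if __name__ == "__main__":
    code, left = current_code(SAMPLE_OTPAUTH_URI)
    print(f"code {code} valid for another {left}s")
```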

Often you will be offered either a single recovery code or a set of one-time backup codes. This is a rescue system, and it is critical that all codes provided are saved to the 1Password entry!

If it's a single code, save it in a new field in the same entry, using the password field type (not the main password field!). It should look like this:

2FA_RecoveryCode.png

Again, do not replace any password with this one. Do not replace the main account password, do not replace the "one-time password" which is the primary 2FA system. This is a third, completely separate entity.

If you are not confident you're doing this correctly, do not proceed! This warning is from Hover but succinctly covers why:

2FA_backup-code_saving_note.png

(Ignore the "phone" references; for us that means the 1Password app. Also, do not write the codes down, print them, or store them anywhere but in 1Password. As above, do not proceed with enabling 2FA if you're not positive about every step.)