
How do folks use two factor auth for 1password logins? It feels wrong to me to use 1password as the second factor for 1password itself. My last remaining authy second factors are for primary email and 1password. All other second factors are in 1password.



Two ways:

- a Yubikey
- a sparingly used email account with no 2FA, just a very long password

2FA through the sort-of-secret email account lets me get back into Bitwarden (and thus everything else) even if my house burns down and I lose access to all of my yubikeys. And auth on a device that doesn't easily support yubikeys, like older iPhones.

2FA is very useful, but highly overrated. If you have a sufficiently long and complex memorized password (and the email platform actually lets you create one that's properly long, 40+ characters), it's unlikely that you'll have any problems unless you accidentally share the password somewhere.

Of course I feel like all my precautions are moot when my bank and CC company force SMS 2FA. But I haven't found any with superior security schemes anyway.


> 2FA is very useful, but highly overrated.

What a bizarre statement. It protects you from any password leak.

If you have 2FA, even if you get keylogged or phished or breached or shoulder peeked, your intruder still does not gain access.


Sorry, but my Article and Walmart.com accounts do not need 2FA. I'm fine with OTP, but most places use SMS 2FA, which exposes a unique identifier for myself and -- due to SIM swapping, which is a risk on literally every major carrier due to horrible customer service operations -- often makes it easier for a malicious actor to hijack my account.

You're generally correct, though: GOOD 2FA is not overrated and I would welcome it on any account. But it's obnoxious that almost every account I have uses SMS as a singular point of failure. I'd welcome a move back to email 2FA with a backup email for account recovery.


Apparently MFA in practice mainly protects against credential stuffing:

https://hn.algolia.com/?dateEnd=1705017600&dateRange=custom&...


Small side tangent - I’m on Mint Mobile and enabled 2FA for my account there, which is required for all customer calls. This would stop SIM swapping attacks which are the main failure point for SMS 2FA, right?


That depends entirely on Mint's 'lost 2FA' recovery process.

https://www.reddit.com/r/mintmobile/comments/104h7p2/locked_...

seems like some senior CSRs can still get you bypassed.


Passwords don't protect against spoofed login pages.


Yeah, if you type your password in manually. Password managers protect against spoofed pages though.


I use Authy on my phone and watch, but not Authy on the desktop for exactly this reason; if my computer is compromised and 1password is accessible, they still don't have access to my TOTP codes. Having it on both my watch and phone means I can break a device and not lose access.


For 1Password I use a Yubikey, but for 2FA in general, I have a backup phone running Aegis[1].

[1] https://getaegis.app/


I used to use Authy (lol) as my second factor for 1Password and then 1Password for everything else. After migrating off of 1password, I just use Authy for everything...


I use a YubiKey.


Does 1Password allow multiple/backup hardware authenticators?


Yup, I technically use 3.



