One Password Security



1Password is a password manager, digital vault, form filler and secure digital wallet. It remembers all of your passwords for you, which helps keep account information safe. A password manager generates strong, unique passwords and stores each one, so the only secret you still have to create and remember is a single strong master password. With the number of websites most people hold accounts on, there is no practical way to remember a distinct password for each one. A manager with a stored-passwords feature also improves security in a less obvious way: it removes the reason users write passwords down, and it cuts the help desk resets (and the mistakes that come with them) that forgotten passwords cause. In an enterprise it can additionally enforce data access policies beyond Active Directory's native controls.

Learn how to set up a security key, like YubiKey or Titan, so you can use it for two-factor authentication in 1Password.
Two-factor authentication provides an extra layer of protection for your 1Password account. If you have a U2F-compatible security key, you can use it as a second factor in supported apps and browsers instead of a six-digit authentication code.

Tip

If you don’t have a U2F security key, use two-factor authentication with an authenticator app.

Set up your security key


Before you can use your security key as a second factor, two-factor authentication must already be turned on for your 1Password account. Then follow these steps:

  1. Sign in to your account on 1Password.com on your computer.
  2. Click your name in the top right and choose My Profile.
  3. Click More Actions > Manage Two-Factor Authentication.
  4. Click Add a Security Key.

    If you don’t see Add a Security Key, turn on two-factor authentication for your 1Password account.

  5. Enter a name for your security key and click Next.
  6. Insert your security key into the USB port on your computer.

    If Windows Security asks you to create a PIN, enter one and click OK. Your PIN is stored locally on your security key.

  7. Touch the sensor on your security key.
  8. When you see “Your security key was successfully registered”, click Done.

From now on, you can use your security key instead of a six-digit authentication code to sign in to your 1Password account in your browser, 1Password for iOS, and 1Password for Android.
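What the registration and sign-in steps above set up, shown as an added example that is not 1Password's or any key vendor's code: a simulated U2F security key and relying party in Go. The key signs the server's challenge together with a hash of the site identity and a use counter; the server verifies the signature with the public key it stored at registration, checks that the counter moved forward, and rejects an assertion made for another origin or an already-used challenge. The appID, the client data layout and the challenge string are constructed for the example, and the private key lives in memory here where a real key keeps it in hardware.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator stands in for the security key. A real key keeps the private
// key in hardware; here it is a Go value so the exchange can run offline.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // incremented on every touch and reported to the server
}

// Registration is what the relying party stores after "Add a Security Key":
// the key's public key and the highest counter value it has seen so far.
type Registration struct {
	pub     *ecdsa.PublicKey
	counter uint32
}

// signedData lays out the bytes a U2F key signs when authenticating:
// SHA-256(appID) || user-presence byte || big-endian counter || SHA-256(clientData).
// clientData carries the server's random challenge, so the signature is bound
// to both the site and this particular login attempt.
func signedData(appID string, presence byte, counter uint32, clientData []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	cd := sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	out := append([]byte{}, app[:]...)
	out = append(out, presence)
	out = append(out, ctr[:]...)
	return append(out, cd[:]...)
}

// Register is the enrolment step: a fresh P-256 key pair for this site.
func Register() (*Authenticator, *Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &Registration{pub: &priv.PublicKey}, nil
}

// Sign is the "touch the sensor" step: the key bumps its counter, sets the
// presence flag and signs the challenge for the appID the browser supplied.
func (a *Authenticator) Sign(appID string, clientData []byte) (uint32, []byte, error) {
	a.counter++
	digest := sha256.Sum256(signedData(appID, 0x01, a.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return a.counter, sig, err
}

// Verify is the server's check. It rebuilds the signed bytes from its own
// appID and the challenge it issued, so an assertion produced for another
// origin (phishing) or for an old challenge (replay) does not verify, and it
// refuses a counter that has not moved forward, the classic sign of a cloned key.
func (r *Registration) Verify(appID string, clientData []byte, counter uint32, sig []byte) error {
	if counter <= r.counter {
		return errors.New("counter did not increase: replay or cloned key")
	}
	digest := sha256.Sum256(signedData(appID, 0x01, counter, clientData))
	if !ecdsa.VerifyASN1(r.pub, digest[:], sig) {
		return errors.New("signature does not verify for this origin and challenge")
	}
	r.counter = counter
	return nil
}

func main() {
	const site = "https://my.1password.com" // assumed appID for the example
	key, reg, err := Register()
	if err != nil {
		panic(err)
	}
	// Constructed client data: a server-issued challenge plus the origin.
	client := []byte(`{"challenge":"n0tArea1Cha11enge","origin":"` + site + `"}`)
	ctr, sig, _ := key.Sign(site, client)
	fmt.Println("genuine login:", reg.Verify(site, client, ctr, sig))
	fmt.Println("replayed assertion:", reg.Verify(site, client, ctr, sig))
	// A phishing page makes the browser derive the appID from its own origin;
	// relaying that assertion to the real site fails verification.
	ctr2, sig2, _ := key.Sign("https://evil.example", client)
	fmt.Println("assertion made for a phishing origin:", reg.Verify(site, client, ctr2, sig2))
}
```

The origin binding is what makes a security key stronger than a six-digit code: a code typed into a phishing page works anywhere, while the signature above only verifies against the appID the genuine server expects.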

View and manage your security keys

To view your security keys:

  1. Sign in to your account on 1Password.com.
  2. Click your name in the top right and choose My Profile.
  3. Click More Actions > Manage Two-Factor Authentication.

To prevent a security key from being used as a second factor, click Remove next to it.

To allow another security key to be used as a second factor, click Add a Security Key and follow the onscreen instructions.

Learn how to view and manage computers and mobile devices that are authorized to use your 1Password account.

Get help

You can use your security key as a second factor for your 1Password account:

  • on 1Password.com
  • on your iPhone or iPad (requires YubiKey 5 NFC, YubiKey 5C NFC, or YubiKey 5Ci)
  • on your Android device

Using your security key as a second factor requires:

  • a 1Password membership with two-factor authentication turned on
  • a U2F security key, like YubiKey or Titan

To sign in to your account in the 1Password apps or in a browser without U2F support, enter a six-digit authentication code from your authenticator app.


If you lose access to your security key

If you lose access to your security key, you can still sign in to your 1Password account:

On 1Password.com

When you’re asked for your security key, click Cancel. Then click “Use your authenticator app instead” and enter a six-digit authentication code from your authenticator app.

On your iPhone or iPad

When you see Two-Factor Authentication Required, choose Authentication Code, then enter a six-digit authentication code from your authenticator app.

On your Android device

When you see “Use your security key with 1Password”, tap the back button on your device and enter a six-digit authentication code from your authenticator app.

Get help if you also lost access to your authenticator app.

1. Introduction

One-time passwords are used to achieve higher security than traditional static passwords. They’re often generated by tokens. This article presents how tokens (synchronous and asynchronous) can be used to generate one-time passwords. Moreover, it describes a one-time password system that solves the scalability problem with tokens.

2. Identification and authentication

When a user wants access to a system, he typically enters a username (identification) and a static password (authentication). Authentication can be based on something the user:

  • knows (e.g. static password)
  • has (e.g. token or mobile)
  • is (e.g. iris scan)

Single-factor authentication uses only one of these. Combining two of them is two-factor authentication, and using all three, the strongest form, is called three-factor authentication.

A token-based one-time password system moves the factor from something the user knows (a static password) to something the user has (a token). Consequently the user no longer has to remember passwords: the token generates them.

3. User vs. static passwords

Once an attacker obtains a user's static password, he can use it for as long as it remains valid. Many people never change their password, so the attacker can impersonate the user indefinitely. An organization that rotates passwords every month is not much better off: the attacker still has weeks in which to act.

People are advised to use strong passwords (long, random mixtures of lower- and upper-case letters, digits and special characters) and a different one for every system. That is sound from a security point of view but hard to live with. So people write passwords down, stick them on the monitor or hide them under the keyboard, and they reuse the same password across systems. Reuse means one stolen password lets the attacker impersonate the user in many places at once.

Let’s analyze the aforementioned problems when one-time passwords are used.

4. User vs. One-time passwords

A one-time password (also called a dynamic password) must be unpredictable to anyone without the token's secret and is accepted only once. After it has been used it is worthless to an attacker, so replay attacks are prevented.

The user does not have to manage or remember one-time passwords: the token generates one and shows it when the user needs to authenticate, so nothing is written down or hidden under the keyboard. Nor is the same password used for many services, so the attacker cannot automatically impersonate the user in many places.

5. One-time passwords with synchronous token

Time or a counter is used to keep the token and the authentication server in step; the two share a secret key. Assume time-based synchronization. The secret key and the current time are combined to create the one-time password, and the user enters the username and the password shown by the token to get access to the system. The one-time password may have a limited lifetime (for example 60 seconds); an attacker who learns it can use it only within that window, and a server that also remembers which code it last accepted rejects even a replay inside the window.
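The synchronous token and its server as an added example in Go (not code from the article): the token side follows RFC 4226 (HOTP) and RFC 6238 (TOTP), and the server side accepts the current time step plus one step either way for clock drift, compares in constant time, and records the last step it accepted so a captured code is rejected even while it is still "alive". The secret is the RFC 6238 test secret, so the code the program prints for t=59 can be checked against the RFC; the 30-second step, six digits and one-step drift window are the example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then the
// "dynamic truncation" that picks 4 bytes at the offset in the MAC's low
// nibble, clears the sign bit and keeps the last `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// timeStep is the RFC 6238 counter: whole `step` intervals since the epoch.
func timeStep(now time.Time, step time.Duration) int64 {
	return now.Unix() / int64(step/time.Second)
}

// totp is what the synchronous token displays: the HOTP of the current step.
func totp(secret []byte, now time.Time, step time.Duration, digits int) string {
	return hotp(secret, uint64(timeStep(now, step)), digits)
}

// SyncServer is the authentication server of section 5. It holds the same
// secret as the token, accepts the current step and one step either side to
// absorb clock drift, and remembers the last step it accepted so that a code
// captured by an attacker is rejected even inside its lifetime.
type SyncServer struct {
	secret   []byte
	step     time.Duration
	digits   int
	lastUsed int64 // step of the last accepted code; -1 before any login
}

func NewSyncServer(secret []byte, step time.Duration, digits int) *SyncServer {
	return &SyncServer{secret: secret, step: step, digits: digits, lastUsed: -1}
}

// VerifyTOTP checks a submitted code against the drift window with a
// constant-time comparison and consumes the matching step on success.
func (s *SyncServer) VerifyTOTP(code string, now time.Time) error {
	cur := timeStep(now, s.step)
	for _, c := range []int64{cur - 1, cur, cur + 1} {
		if c < 0 || c <= s.lastUsed {
			continue // before the epoch, or a step already consumed
		}
		want := hotp(s.secret, uint64(c), s.digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			s.lastUsed = c
			return nil
		}
	}
	return errors.New("code rejected")
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 6238 test secret
	step := 30 * time.Second
	srv := NewSyncServer(secret, step, 6)

	at := time.Unix(59, 0)
	code := totp(secret, at, step, 6)
	fmt.Println("token shows", code, "at t=59 (RFC 6238 gives 287082)")
	fmt.Println("first use:        ", srv.VerifyTOTP(code, at))
	fmt.Println("replay 10s later: ", srv.VerifyTOTP(code, at.Add(10*time.Second)))
	later := at.Add(31 * time.Second)
	fmt.Println("next step's code: ", srv.VerifyTOTP(totp(secret, later, step, 6), later))
}
```

The replay guard is the part most home-grown implementations leave out: without `lastUsed`, a code shoulder-surfed at t=59 still works until the drift window closes, which is exactly the "use it within this time range" exposure the text describes.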

6. One-time passwords with asynchronous token

A challenge/response mechanism generates the one-time password. The authentication server and the user share a secret key. The server sends a challenge, the user types it into the token, and the token combines the challenge with the secret key to produce the one-time password (the response). The user then enters the username and this one-time password, and the authentication server checks whether the value it received matches the response it expects for the challenge it issued. Each challenge must be fresh and accepted only once; otherwise a recorded response could be replayed.
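The asynchronous exchange as an added example in Go (not code from the article), with both sides shown: the server issues a random challenge and keeps it only until it is answered, the token computes an HMAC of the challenge under the shared secret, and the server compares in constant time. The 16-hex-digit challenge, the 12-hex-digit response and the sample secret are constructed for the example; a commercial token would show a shorter decimal code.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// AsyncServer is the authentication server of section 6. It shares a secret
// with the user's token, issues random challenges, and keeps each one only
// until it has been answered once.
type AsyncServer struct {
	secret  []byte
	pending map[string]bool // challenges issued and not yet consumed
}

func NewAsyncServer(secret []byte) *AsyncServer {
	return &AsyncServer{secret: secret, pending: map[string]bool{}}
}

// Challenge draws 8 random bytes and shows them as 16 hex digits, short
// enough to be typed into a token by hand (a constructed format).
func (s *AsyncServer) Challenge() (string, error) {
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	ch := hex.EncodeToString(b[:])
	s.pending[ch] = true
	return ch, nil
}

// tokenResponse is what the token computes from the typed-in challenge:
// HMAC-SHA256 under the shared secret, shown as its first 12 hex digits.
// Seeing any number of challenge/response pairs does not let an attacker
// without the secret answer a new challenge.
func tokenResponse(secret []byte, challenge string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(challenge))
	return hex.EncodeToString(mac.Sum(nil)[:6])
}

// VerifyResponse accepts a response only for a challenge this server issued
// and has not yet consumed. The challenge is discarded on the first attempt,
// right or wrong, so a recorded response cannot be replayed and a wrong guess
// cannot be retried against the same challenge.
func (s *AsyncServer) VerifyResponse(challenge, response string) error {
	if !s.pending[challenge] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, challenge)
	want := tokenResponse(s.secret, challenge)
	if subtle.ConstantTimeCompare([]byte(want), []byte(response)) != 1 {
		return errors.New("wrong response")
	}
	return nil
}

func main() {
	secret := []byte("example shared secret") // constructed; provisioned into the token
	srv := NewAsyncServer(secret)

	ch, err := srv.Challenge()
	if err != nil {
		panic(err)
	}
	resp := tokenResponse(secret, ch) // what the user reads off the token
	fmt.Printf("challenge %s -> response %s\n", ch, resp)
	fmt.Println("first answer:   ", srv.VerifyResponse(ch, resp))
	fmt.Println("replayed answer:", srv.VerifyResponse(ch, resp))

	ch2, _ := srv.Challenge()
	fmt.Println("token with another secret:",
		srv.VerifyResponse(ch2, tokenResponse([]byte("other"), ch2)))
}
```

Unlike the time-synchronized token, nothing here depends on clocks; the cost is the extra round trip and the challenge the user has to type, which is why the challenge is kept short.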

7. Token and two factor authentication

Authentication with a token alone is based on what the user has (single-factor authentication). The problem arises when the token is stolen: the thief can impersonate the user. That is why a PIN should be entered before the token is used. Something the user has (the token) combined with something the user knows (the PIN) gives stronger, two-factor authentication.

Another approach is to combine the one-time password generated by the token with a static password. The static password is something the user knows and the token something the user has, so an attacker who learns the static password still cannot impersonate the user, because he does not control the user's token.

8. Solving a scalability problem with tokens

The user does not want N tokens to access N services (the scalability problem). This section shows how a single private key stored on a smart card can be the basis of a one-time password system that scales.

The authentication server generates a one-time password and encrypts it with the public key of the user. Only the user can decrypt it, because only he holds the corresponding private key. The user decrypts the one-time password and sends it to the authentication server, which checks whether the value it received matches the one it generated. If they match, the user is authenticated. The private key itself is never shown; the user proves only that he holds it (the article calls this a zero-knowledge proof; strictly it is a proof of possession of the private key). Two points a practitioner should add. First, each ciphertext must be bound to the service and session that issued it, otherwise an encrypted one-time password obtained from one service can be relayed to the user through another and the user's card becomes a decryption oracle for the attacker. Second, because the server also knows the one-time password it issued, a transcript is not evidence a third party can check, so the exchange does not by itself provide non-repudiation; that requires the card to sign. What it does provide is one private key that grants access to many systems, which solves the scalability problem.

Once the private key is stolen, the security is broken, so the key must be stored securely. At first glance modern smartphones look like a good place for it: they are ubiquitous and no extra device would be needed for authentication. But they are general-purpose devices with the same security problems as personal computers, which is why a dedicated device for user authentication is proposed instead.
A dedicated device reduces the risk of the key being stolen by reducing complexity. That is why it is recommended to store the private key on a smart card: the key never leaves the card while the one-time password is being decrypted.
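The exchange of section 8 as an added example in Go (not the article's code): the server encrypts a random one-time password with RSA-OAEP under the user's public key, a card object that exposes decryption only turns it back into the password, and the server compares in constant time and clears the pending value so each password is good for one attempt. One piece the text does not specify is assumed here: an OAEP label naming the service and user, so a ciphertext issued by one service cannot be relayed to the card through another even though the card's key is the same. The service names, user name and 16-byte password size are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SmartCard models the user's card: it holds the private key and exposes
// decryption only, so the key never leaves it. A Go value here; hardware in
// practice, which is the point the text makes about dedicated devices.
type SmartCard struct{ key *rsa.PrivateKey }

func NewSmartCard() (*SmartCard, *rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &SmartCard{key: key}, &key.PublicKey, nil
}

// Decrypt recovers a one-time password encrypted for this card under `label`.
func (c *SmartCard) Decrypt(ciphertext, label []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.key, ciphertext, label)
}

// label ties a ciphertext to one user at one service (an assumption added by
// this example). RSA-OAEP refuses to decrypt under any other label, so a
// one-time password issued by the mail server cannot be relayed to the card
// as if it came from the VPN.
func label(service, user string) []byte { return []byte(service + "|" + user) }

// Server is one of the N services. It stores a public key per user and the
// one-time password it most recently issued to each.
type Server struct {
	name    string
	users   map[string]*rsa.PublicKey
	pending map[string][]byte
}

func NewServer(name string) *Server {
	return &Server{name: name, users: map[string]*rsa.PublicKey{}, pending: map[string][]byte{}}
}

// Issue draws a fresh random one-time password and returns it encrypted
// under the user's public key. Only the card can turn it back into the OTP.
func (s *Server) Issue(user string) ([]byte, error) {
	pub, ok := s.users[user]
	if !ok {
		return nil, errors.New("unknown user")
	}
	otp := make([]byte, 16)
	if _, err := rand.Read(otp); err != nil {
		return nil, err
	}
	s.pending[user] = otp
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, otp, label(s.name, user))
}

// Verify compares what the user sent with what was issued. The pending value
// is cleared on every attempt, so each one-time password is good for one try.
func (s *Server) Verify(user string, otp []byte) bool {
	want, ok := s.pending[user]
	delete(s.pending, user)
	return ok && subtle.ConstantTimeCompare(want, otp) == 1
}

func main() {
	card, pub, err := NewSmartCard()
	if err != nil {
		panic(err)
	}
	// One key pair, two services: the scalability point of section 8.
	mail, vpn := NewServer("mail"), NewServer("vpn")
	mail.users["alice"], vpn.users["alice"] = pub, pub

	ct, _ := mail.Issue("alice")
	otp, err := card.Decrypt(ct, label("mail", "alice"))
	fmt.Println("decrypted for mail:", err == nil, " login:", mail.Verify("alice", otp))
	fmt.Println("same OTP again:", mail.Verify("alice", otp))

	ct, _ = vpn.Issue("alice")
	_, err = card.Decrypt(ct, label("mail", "alice")) // VPN ciphertext relayed as mail
	fmt.Println("vpn ciphertext accepted as mail:", err == nil)
}
```

Swap `rsa.DecryptOAEP` for a PKCS#11 or PIV call and the rest of the flow is unchanged, which is what makes the card a drop-in home for the key. The scheme still stands or falls with that key: anyone who copies it can answer every server's challenge, which is the risk the text addresses by keeping it on a dedicated device.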

9. Conclusions

One-time passwords (also called dynamic passwords) are more secure than static ones. Synchronous and asynchronous tokens can be used to generate them. When tokens are used, it is recommended to combine them with a PIN or a static password to achieve two-factor authentication. A proof of possession of a private key (what the article calls a zero-knowledge proof) can be used to build a one-time password system that solves the scalability problem with tokens, and the private key should then be stored on a smart card to minimize the risk of its theft.




