You’ve probably heard or read the advice: ‘Turn on two-factor authentication (2FA) everywhere it’s offered.’ After all, it’s a great way to add an extra layer of protection to your online accounts.
But should that include your 1Password account?
The short answer is no, it’s not necessary. But there’s also no harm in enabling 2FA if you have a special set of circumstances, or think it will give you a little more peace of mind. To explain why, we need to unpack what 2FA does, and how your data is protected by 1Password’s security model.
What is two-factor authentication?
Two-factor authentication is a second line of defense that makes it tougher for criminals to gain access to accounts that are otherwise only protected by a username and password.
For example, imagine a criminal managed to find or guess the password to one of your social media profiles. With 2FA enabled, they wouldn’t be able to sign in to the account, because the service would ask for a one-time code that you’ve chosen to be sent via email, SMS, or an authenticator app.
How 1Password is secure by design
At this point you might be thinking, “Okay, 2FA sounds great. Why is the situation any different for my 1Password account?”
Because 1Password uses encryption, not just authentication, to protect your data. And it doesn’t rely on a single password to encrypt everything in your private vaults.
All of your private information is protected by:
Your 1Password account password. You choose this password. We don’t know it, and it’s never stored on our servers. You use your account password to unlock 1Password, and set up your password manager on new devices.
Your Secret Key. This is a unique part of 1Password’s security model. The Secret Key is a long series of randomly-selected letters and numbers, separated by dashes. It’s generated locally on your device when you set up your account, and just like your account password, is never sent to us.
But it doesn’t stop there. When you sign in to 1Password, your private information is further protected by a unique communication system. This is critical as you update your private vaults and sync those changes across your devices.
First, you’re protected by Transport Layer Security (TLS), which is an industry-standard protocol that you encounter every time you visit a website with a HTTPS connection. On top of that, this line of defense is bolstered by a custom protocol called Secure Remote Password (SRP). With SRP, another encryption key generated on-device protects your information while it’s in transit. So even if a criminal decrypted TLS, they wouldn’t have access to anything useful.
Why you don’t need to protect your 1Password account with 2FA
Let’s run through some (highly unlikely) scenarios, and how your data would stay secure - even if you didn’t have 2FA enabled on your 1Password account.
Scenario 1: A criminal manages to obtain an encrypted copy of your data from our servers.
All of your saved items are encrypted, which means the criminal would only have access to scrambled gibberish. The data would be useless because they wouldn’t have access to both your account password and Secret Key, which aren’t stored on our servers.
Scenario 2: A criminal guesses your account password.
They wouldn’t be able to sign in to your account from a new device without your Secret Key. That piece of information is only stored on your devices (so you don’t have to type it in every time you unlock 1Password) and your printable Emergency Kit.
Scenario 3: A criminal steals one of your devices.
In this situation, a criminal likely won’t waste time trying to unlock your device and guess your 1Password account password. Instead, they’ll use a different method to extract an encrypted copy of your 1Password data. (This local copy is how you can access your passwords without an internet connection.)
They would then have to unscramble the encrypted data, which would require both your account password and Secret Key. The latter might be stored on your device, but the former isn’t.
Does enabling 2FA offer any security benefits?
Yes. There’s one scenario where 2FA could help keep your private information secure. If a criminal somehow acquired both your 1Password account password and Secret Key, they could try to use them to sign in to your account from a new device.
For example, imagine a criminal created a fake version of the 1Password website with a URL like 1pas5word.com. They could then send a legitimate-sounding email asking you to sign in and update your account details.
In this scenario, 1Password would protect you against the criminal’s phishing attempt. How? Because 1Password will only autofill a password if the website matches the URL in your saved item. That includes the item for my.1Password.com that’s created as part of your Starter Kit when you first sign up for a new account.
So if you visited a scam site like 1pas5word.com, you would notice that 1Password wasn’t offering to autofill your account information. You would then inspect the URL, recognize that you’re on a fake site, and close the tab before entering your 1Password account password and Secret Key.
But what if you assumed that 1Password’s autofill wasn’t working correctly? And then manually entered your account password and Secret Key? If you had enabled 2FA, your account would be protected, because the criminal wouldn’t have access to the place where you retrieve your one-time codes.
It’s an edge case, but one that’s theoretically possible. But here’s the thing – you don’t need to set up 2FA to avoid this scenario. Instead, you can protect your account by making sure your account password and Secret Key never fall into the wrong hands.
How to keep your 1Password account secure
No-one can access your 1Password data without your account password and Secret Key. Here’s how you can keep them secure:
Choose a strong, unique account password. You can create a long but memorable one with our free password generator.
Don’t share your account password or Secret Key. Nobody else needs to know them.
Stop and think twice if 1Password doesn’t autofill your details on a site claiming to be my.1Password.com. It could be a phishing attempt designed to steal your account password and Secret Key.
Look after your Emergency Kit. This is a printable PDF that you can use to record your account details, including your account password and Secret Key.
The bottom line
1Password is secure by design. Our security model means you don’t need to use 2FA to keep your 1Password account secure.
Still want to protect your account with 2FA? No problem! You can use an authenticator app like Authy or Microsoft Authenticator, or a hardware security key, such as YubiKey or Titan Security Key.
Armed with this information, you can do what feels right for you, and rest easy knowing that your 1Password data is always secure, yet still convenient to access.
Editor’s Note: This article was last updated on August 31st, 2022.