1password TOTP as an option

pkondo · August 17, 2023, 1:39pm

I received an email from Evernote recently saying they were going to switch their security to use TOTP instead of SMS.

I’ve never done it before but it seems 1password can do it. Does anyone use 1PW for TOTP? Any drawbacks vs something like Google Authenticator?

cornchip · August 17, 2023, 1:49pm

I like it quite a bit.

Potential downsides:

If you want to export to another 2FA app, you won’t have a neat export of just your codes (you can reduce this list though)
Every now and then it won’t auto-detect a QR code in another app (when setting up a new login on Mac)

tjluoma · August 17, 2023, 1:50pm

I moved all of my TOTP stuff from Authy into 1Password awhile ago and it works great. They even send it to the clipboard after filling in your password.

geoffaire · August 17, 2023, 1:59pm

+1 for TOTP in 1Password. It’s great and after you paste your username and password in, it auto copies the One time code for you onto your clipboard ready to go.

rob · August 17, 2023, 2:48pm

I use 1Password for TOTP, even though it’s no longer real 2FA.

More info: 1Password & 2FA: Is it Safe to Store Passwords and 2FA Codes Together? | 1Password

(I hope we soon can use passkeys instead of username/password/TOTP everywhere)

pkondo · August 17, 2023, 3:07pm

Thank you. I think I read that article previously but forgot about it. I’m always wondering how safe it really is when I use my phone number as 2FA because it just comes to the same device in the open. It’s super easy to use Safari in this way because Safari will fill in the code with one click from the Messages app.

GraemeS · August 17, 2023, 3:26pm

Following the logic of that article, SMS as the authenticator seems ok: your password was secure until you unlocked 1Password. Once that is unlocked, the authentication is just confirming you have your device. Someone could intercept that, but it seems low risk to me. I might be wrong.

Alternatively, that article misses a key thing for me. Having the TOTP in a separate app means I can have 1P unlocked but still have the TOTP locked in Authy. This is maybe only significant if you don’t have 1P set to lock immediately.

Personally I have everything in one place, 1Password, except I have the TOTPs for 1P and Proton mail in Authy. The latter is because I use Proton mail for my banks, so I like the added security (even if it’s not necessarily useful).

rob · August 17, 2023, 5:24pm

It’s one of the weakest forms of 2FA (due to SIM swapping).

liminal · August 17, 2023, 6:20pm

I do this with Bitwarden and used to do it with 1Password.

BTW, when I switched to BW from 1P all of my TOTP codes came over in the export / import process when using 1P’s .1pux export file format.

pkondo · August 18, 2023, 11:30pm

Thank you all for the help. I just successfully did it for one account. For those that like to see a video to understand how it works, I watched this. As simple as it is, I didn’t want to mess it up and this was ridiculously easy.

WayneG · August 18, 2023, 11:35pm

Nothing wrong with being sure before you act.

“Measure twice and cut once”