- Apr 24, 2016
You’ve probably heard or read the advice: ‘Turn on two-factor authentication (2FA) everywhere it’s offered.’ After all, it’s a great way to add an extra layer of protection to your online accounts.
But should that include your 1Password account?
The short answer is no, it’s not necessary. But there’s also no harm in enabling 2FA if you have a special set of circumstances, or think it will give you a little more peace of mind. To explain why, we need to unpack what 2FA does, and how your data is protected by 1Password’s security model.
Why you don’t need to protect your 1Password account with 2FA
Let’s run through some (highly unlikely) scenarios, and how your data would stay secure - even if you didn’t have 2FA enabled on your 1Password account.
Scenario 1: A criminal manages to obtain an encrypted copy of your data from our servers.
All of your saved items are encrypted, which means the criminal would only have access to scrambled gibberish. The data would be useless because they wouldn’t have access to both your account password and Secret Key, which aren’t stored on our servers.
Scenario 2: A criminal guesses your account password.
They wouldn’t be able to sign in to your account from a new device without your Secret Key. That piece of information is only stored on your devices (so you don’t have to type it in every time you unlock 1Password) and your printable Emergency Kit.
Scenario 3: A criminal steals one of your devices.
In this situation, a criminal likely won’t waste time trying to unlock your device and guess your 1Password account password. Instead, they’ll use a different method to extract an encrypted copy of your 1Password data. (This local copy is how you can access your passwords without an internet connection.)
They would then have to unscramble the encrypted data, which would require both your account password and Secret Key. The latter might be stored on your device, but the former isn’t.
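The point behind scenarios 1 and 2, that a correct account password alone cannot unlock a stolen copy of the data, can be seen in a small sketch. This is an added example, not 1Password's code or its actual key derivation: the PBKDF2/HMAC/XOR combination, the work factor, the function names and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

ITERATIONS = 50_000  # assumed work factor for this sketch


def derive_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """Combine both secrets into one 32-byte key (simplified sketch)."""
    # Slow stretching for the human-chosen account password.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # The Secret Key is modelled as high-entropy, so one keyed hash is enough.
    mixed = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    # XOR of the two: the key is unpredictable unless BOTH inputs are known.
    return bytes(a ^ b for a, b in zip(stretched, mixed))


def make_vault(password: str, secret_key: str, salt: bytes) -> dict:
    """Model of a stored copy: a salt and a key-check tag, neither secret."""
    key = derive_key(password, secret_key, salt)
    check = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def try_unlock(vault: dict, password: str, secret_key: str) -> bool:
    """True only if the derived key reproduces the stored check tag."""
    key = derive_key(password, secret_key, vault["salt"])
    tag = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return hmac.compare_digest(tag, vault["check"])


def first_working_password(vault: dict, candidates, secret_key: str):
    """Return the first candidate that unlocks the vault, or None."""
    for candidate in candidates:
        if try_unlock(vault, candidate, secret_key):
            return candidate
    return None


# Constructed sample values, not real credentials or a real key format.
PASSWORD = "correct horse battery staple"
SECRET_KEY = "SAMPLE-SECRET-KEY-0000"
VAULT = make_vault(PASSWORD, SECRET_KEY, salt=b"constructed-salt")
GUESSES = ["123456", "letmein", PASSWORD]  # includes the right password

if __name__ == "__main__":
    print("both secrets:", try_unlock(VAULT, PASSWORD, SECRET_KEY))
    print("password only:", first_working_password(VAULT, GUESSES, ""))
```

Even though the guess list contains the correct account password, no guess unlocks the vault when the Secret Key is missing, which is why a server-side copy or a guessed password is not enough on its own.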