Two passwords provide better security than two-factor authentication?

Question

While evaluating 1Password's new Teams service, I noticed rather curious absence of support for multifactor authentication.

When asked about the lack of MFA, they replied:

We use an Account Key combined with the Master Password for security that is better than two-factor. https://teams.1password.com/security/

That page says:

Security professionals recommend using multiple authentication factors: “something you know”, like your password, and “something you have”, like an authenticator app on your phone.

The Account Key takes this idea to the next level. It doesn’t just authenticate you with our servers; it also plays a direct role in encrypting your data. That’s important, because it strengthens your Master Password exponentially. And since it never gets sent over the network, your Account Key can’t be reset, intercepted, or evaded.

The "account key" is essentially a second password that is generated for you. When you sign up for the 1Password Teams service, you are sent an "Emergency Kit" PDF that you're meant to print out. It contains the account key and even encourages you to write down your master password.

The account key is stored in your browser's local storage. If you login from a new device, you must manually enter the account key after entering your password.

As far as I can tell, this approach is remarkably worse than real two-factor authentication. An attacker who:

• Obtains your printed Emergency Kit
• Obtains a copy of the PDF
• Can MITM your connection with 1password.com
• Installs malware on your computer
  • which can either steal the account key from local storage, or
  • observe when you type it in (along with your master password)

...has everything needed for unfettered, ongoing, remote, and undetectable access to an extremely sensitive account.

Contrast with real two-factor authentication: the secondary key is securely stored on a separate device.

• Obtaining the master password alone does not help; an attacker needs to take possession of the authenticator device.
• Even if you log in with a compromised device/connection, an attacker does not gain ongoing access to your account. The one-time password (TOTP) generated by the authenticatior device is useless for future access.

What am I missing here?

Answer 1

Ah marketing. (And they even trademarked the stupid thing)

The problem here lies in the fact that they really aren't comparing things correctly. They're mixing up authentication of the caller and protection of your secret data, jumbling them all together and then comparing that jumble with something tangentially related to just the first part, and then making a big bold claim that might be correct if you twist logic just a little too much. It's kind of like mixing ice cream and nuts and calling it healthier than vegetables because nuts make ice cream healthy-er (if the only takeaway you got from that is good analogies are hard...).

But really, no this is not better than 2FA because it doesn't actually introduce a separate factor, just another instance of an existing factor (something you know). It is marginally better than a single password, but if I can steal your password I can probably steal your other password with just a little bit more effort.

It might make the protection of your passwords a bit better if the decryption of the passwords occurs on the browser using the key from localStorage (it might do this, as they mention WebCrypto standards, and it doesn't seem to support IE).

With that being said the emergency kit is very much intended to not be secure, but to be available to you in an emergency. This is for break-glass scenarios where you absolutely need access. If you get this then its game over no matter what.

On the other hand, as it stands real 2FA might not solve all your attacks either. If you can still MITM the browser and server then you can get both the user password and account password and even the 2FA code (fail the request for the user, use the passwords and 2FA code and then pilfer the secrets).

Answer 2

[Disclosure: I work for AgileBits, the makers of 1Password for Teams]

Different threats, different defenses

As correctly noted, the Account Key is not the same thing as traditional 2FA. I will, in fact, be talking about this at PasswordsCon in Cambridge in a few weeks.

The most important thing to keep in mind is that the purpose of the Account Key isn't the same as the purpose of 2FA. It's purpose is to prevent password cracking attempts if our server is compromised.

Our server stores your SRP verifier and it stores your encrypted private key If an attacker gets hold of either of those (breach, insider attack, warrant) they could otherwise try to run a master password guessing routine against either of those. The purpose of the Account Key, is to make such password cracking attempts against a server-only compromise unfeasible.

Note that traditional concepts of 2FA do not offer any defense against a server breach, and to the extent that they encourage weaker or reused passwords, they make the consequences of a server breach worse. In some circumstances, 2FA is like putting two locks on this gate:

Theft of Account Keys

As also noted, Account Keys can be easily stolen from client computers. On iOS we can make use of the iOS keychain for some protection, but on the desktops, particularly with the browser clients, these are easy to snatch with just user privilege on the machine. Obviously, we would like a better way of protecting these, but going through a huge effort to obfuscate only to have that obfuscation be easily broken isn't really a solution.

Combining the best of security properties

The idea behind combining the master password with the account key is that

1. A Master Password (stored only in your head) is hard to steal but easy to guess.
2. An account key (128 bits of entropy stored on your device) is hard to guess but easy to steal from a client device

So this means that an attacker must do two things. And in particular, it means that a server breach does not give the attacker enough information to launch password cracking attack.

Answer 3

The account key is something that you have. It is generated on your computer:

Only you have your Account Key and it never leaves your devices.

You state

you are sent an "Emergency Kit" PDF that you're meant to print out. It contains the account key

I'm not sure what you mean by "sent" but it can't mean emailed as the page clearly states that the key never leaves your computer except when you write it down or copy it to another computer.

While I'm not sure I'd go as far as saying that this is a better solution than more common 2-factor authentication (2FA) implementations, they are correct in stating that your passwords can't be decrypted without your account key. That means that even if someone gets your master password and your password database, they still can't decrypt it. More common 2FA only stops you from logging into the site, it isn't required to complete decryption once the password database has been obtained.

As far as 1Password encouraging

you to write down your master password

that is an opinion held by many with Bruce Schneier]2 perhaps being the most famous. But it is also advocated by Digital Inspirations, the Washington Post, and LifeHacker. I'd say that whether it is a good solution or not is still debatable, but it is definitely not a harebrained idea.

One problem I see with the account key is that it every time you copy it to another computer you increase the risk that it will be exposed. With, for example, a mobile app based 2FA, you only need to worry about your mobile device. That said, you do tend to carry your mobile device around with you so perhaps it is less secure than some collection of computers that you have stored your account key on.

Answer 4

What am I missing here?

The threat model.

The threat model of a sync-capable password manager is to fully trust the client and zero or minimal trust on the server. This is significantly different from the threat model of regular web applications, which requires trust on both the server and the client.

In the threat model of a password manager, once your passwords in the vault are compromised, the game is already lost. If the client is compromised, you already lost. Once the client is compromised, you have to change all your passwords in all systems that having to create a new password vault with new account key is comparatively minor item.

The problem with 2FA is that it is a form of "authentication". Authentication system like 2FA is primarily intended to protect a server (not the user!) from unauthorized use. In the case of regular service, the server holds a large amount useful information and services, thus unauthorized use of the server is the primary type of threat; but in the case of a password manager, the sync server only hold encrypted blobs, which isn't useful at all to an attacker that don't already have the decryption key which is known only to the user and client.

In the threat model of a traditional password manager, you must assume that the attacker already have your encrypted password vault; when this model is brought forward to sync-capable password manager, you must assume that the sync server is malicious. When seen with this threat model in mind, 2FA doesn't add any useful security value as 2FA cannot be used as part of the encryption scheme.

Answer 5

I don't think the company has done themselves any favours with their very marketing oriented hype. However, arguing that the security is worse is probably going too far the other direction.

For private users, writing down your password is not the cardinal sin we are all told it is. Yes, there is a risk, but really, for most of us, it is a low risk. The people who have access to your home is limited and usually people you know. You don't have to write it down with the title "My super secret password" - you can write it down in such a way that even if someone did find it, it won't be obvious it is your password. In general, I would rather people wrote down their password and used a strong difficult to guess password than be restricted to less secure passwords that they can remember. In the business world, it is a little harder because you probably don't have the same control over who could snoop around your office/desk, so in that scenario, you need to be much more careful about writing your password down. For personal users, the big threat is from remote actors, so anything you have locally that is required to access your resources is going to increase your level of protection.

I think 1Password should have avoided the argument that their solution is 'better' than 2FA. However, there is so much misunderstanding regarding 2FA, it really doesn't matter. Most of what people are calling 2FA isn't 2FA anyway - it is really 2SA (two step authentication) and if you look at it that way, the 1Password approach is not actually that much different.

For 'real' 2FA, you must have a second 'factor' - this means something other than a second password. Systems which send SMS codes to your phone for example are not really 2FA, they are 2SA - what you have is two passwords - the second password might need to be sent to you, but it is still just a password.

Real 2FA requires a different factor. A smartcard or a retina scan are different factors. The user must have these things in addition to the password. As can be seen with the high profile google hacks using SMS messages, an attacker does not need to have your mobile phone to bypass the protection - they can just social engineer the telephone company to have the sms message redirected to a phone they have.

A 128 bit key is certainly going to increase your security more than a basic password. Having that key stored on your computer is a risk, but then again, if the user has access to your computer, it is game over already. Having the key stored on a separate read-only key or card would probably be better (assuming you only plug the key/card into your system when you need it and that the data is further protected with a password being required before data can be read from the card/key.

The big problem with all of this stuff for companies like 1Password is how do they come up with a scheme which is both secure enough and yet still convenient/useful for end users. the majority of end users don't really understand how all this stuff works and few have sufficient knowledge to know how to manage their keys and passwords securely. The problem is, users also want both - even worse, many users, on losing their key, will contact the company and say "Hi, sorry lost my key. Can you please recover my data for me" and then get upset when the vendor says "Sorry, we can't do that". These are the same people who get outraged when a news article talks about how vendors can see their private data.