While evaluating 1Password's new Teams service, I noticed a rather curious absence of support for multifactor authentication.
When asked about the lack of MFA, they replied:
We use an Account Key combined with the Master Password for security that is better than two-factor. https://teams.1password.com/security/
That page says:
Security professionals recommend using multiple authentication factors: “something you know”, like your password, and “something you have”, like an authenticator app on your phone.
The Account Key takes this idea to the next level. It doesn’t just authenticate you with our servers; it also plays a direct role in encrypting your data. That’s important, because it strengthens your Master Password exponentially. And since it never gets sent over the network, your Account Key can’t be reset, intercepted, or evaded.
The "account key" is essentially a second password that is generated for you. When you sign up for the 1Password Teams service, you are sent an "Emergency Kit" PDF that you're meant to print out. It contains the account key and even encourages you to write down your master password.
The account key is stored in your browser's local storage. If you login from a new device, you must manually enter the account key after entering your password.
As far as I can tell, this approach is remarkably worse than real two-factor authentication. An attacker who:
- Obtains your printed Emergency Kit
- Obtains a copy of the PDF
- Can MITM your connection with 1password.com
- Installs malware on your computer
  - which can either steal the account key from local storage, or
  - observe when you type it in (along with your master password)
...has everything needed for unfettered, ongoing, remote, and undetectable access to an extremely sensitive account.
Contrast with real two-factor authentication: the secondary key is securely stored on a separate device.
- Obtaining the master password alone does not help; an attacker needs to take possession of the authenticator device.
- Even if you log in with a compromised device/connection, an attacker does not gain ongoing access to your account. The one-time password (TOTP) generated by the authenticator device is useless for future access.
What am I missing here?
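To make the contrast in the post concrete, here is an added example (not from the post, and not 1Password's code) that simulates both schemes side by side: a static second secret mixed into key derivation, and RFC 6238 TOTP. PBKDF2 and the stored verifier are assumptions standing in for 1Password's real protocol; the master password, account key and salt are constructed, and the TOTP seed is the RFC 6238 test-vector seed.

```python
import hashlib
import hmac
import struct

# Constructed sample secrets; the TOTP seed is the RFC 6238 test-vector seed.
MASTER_PASSWORD = b"correct horse battery staple"
ACCOUNT_KEY = b"A3-EXAMPLE-ACCOUNT-KEY"   # constructed; a static secret generated once per account
TOTP_SEED = b"12345678901234567890"      # held on a separate authenticator device
SALT = b"constructed-salt"
STEP = 30                                # TOTP time step in seconds


def derive_key(master_password: bytes, account_key: bytes, salt: bytes = SALT) -> bytes:
    """Both secrets feed key derivation, so an offline guess against a stolen verifier
    or ciphertext must recover the account key as well as the master password.
    PBKDF2 is an assumption standing in for the real derivation."""
    return hashlib.pbkdf2_hmac("sha256", master_password + b"\x00" + account_key, salt, 100_000, 32)


# What a server in this model stores (assumption: a plain verifier, not 1Password's protocol).
VERIFIER = derive_key(MASTER_PASSWORD, ACCOUNT_KEY)


def static_login(master_password: bytes, account_key: bytes) -> bool:
    """The account-key scheme as an authentication factor: time plays no role,
    so credentials observed once verify again at any later time."""
    return hmac.compare_digest(derive_key(master_password, account_key), VERIFIER)


def totp(seed: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226 dynamic truncation) over the time-step counter with HMAC-SHA1."""
    mac = hmac.new(seed, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_login(seed: bytes, code: str, t: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` neighbours for clock skew."""
    return any(hmac.compare_digest(totp(seed, t + k * STEP), code) for k in range(-window, window + 1))


def replay_outcome(capture_time: int, replay_delay: int = 3600) -> dict:
    """Simulate a login observed in full at capture_time (the post's compromised-device case)
    and presented again replay_delay seconds later, under each scheme."""
    observed_code = totp(TOTP_SEED, capture_time)
    later = capture_time + replay_delay
    return {
        "static_factor_replays": static_login(MASTER_PASSWORD, ACCOUNT_KEY),
        "totp_replays": totp_login(TOTP_SEED, observed_code, later),
    }


if __name__ == "__main__":
    print(replay_outcome(capture_time=59))  # {'static_factor_replays': True, 'totp_replays': False}
```

The account key still buys something the post does not dwell on: derive_key shows it raising the cost of offline guessing against server-held data, which is a different property from resisting replay of an observed login.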