1Password and One-Time Passwords

There is this thing that is variously called “two-factor authentication” (TFA or 2FA) or “multi-factor authentication” (MFA) or just “one-time passwords.”

If you don’t know about it, it would be a good idea to set aside some time to learn: no matter whether you’re an information systems professional or a regular everyday civilian, while it will (slightly) complicate your digital life, it will also make your digital life more secure.

If you’ve ever logged into a service and been required to enter your mobile number and then wait for a code to be sent to you by text message, then you’ve already used TFA, and you already know most of the important bits: it’s simply a way for websites to ask you to log in using more than one identifying piece of information (hence the “two” or “multi”), like your username, your password and a code that gets texted to you.

There are generally two ways that the “second factor”–the additional code you must enter to continue–is communicated to you: by text message, or by a special “one time password” app that generates expiring 6-digit codes.

Google Authenticator for mobile phones is likely the most common example of the latter, but it’s got some serious limitations, most of all that you need to have your phone with you (and out of your pocket) every time you want to log in, but also that if you happen to lose your phone (or need to reset your phone, or get a new phone), you can be left without the ability to log in. Anywhere.

The alternative that I’ve settled on is to use the built-in one-time password support for 1Password.

If you’re not using 1Password, please stop reading right here and go and purchase and install it on all your devices.

Really. I’ll wait right here while you do this.

Are you done? Great. (If you resisted, please stop and, really, go and get 1Password: it will not only make your digital life far, far easier to manage and far, far more secure, but it will also save you the task of keeping track of which password is which on chits of paper).

There’s a lot more to 1Password than one-time passwords, and there’s a learning curve that you need to ride up before you’re comfortable, so you may want to bookmark this post and come back once you’re riding higher.

But to give you a taste, here’s what logging into a website with TFA enabled looks like, in this case my login to Amazon Web Services.

I go to the login page and, as you are used to from innumerable other websites, I enter my username and password (my password is a long and complex one, and one I only use for Amazon Web Services: this is easy to manage with 1Password):

AWS Login

At this point, rather than logging me in, Amazon Web Services prompts me for a one-time password (they call it an “authentication code”):

AWS Prompt for one-time password

I pop over to 1Password to get this:

1Password showing one-time password

I copy and paste that one-time password–191169–into the Amazon Web Services “authentication code” field, and, presto, I’m logged in (the one-time passwords expire every 60 seconds, so by the time you read this post that 191169 has long-expired).

The great thing about using 1Password to keep track of both my accounts and their passwords and to generate one-time passwords is that everything automatically gets synced between my laptop, my phone, and my tablet. Meaning that when I’m here in the office I use my laptop to log in, but when I’m at home or out in the field I use my phone or tablet. And the loss of any of those (or, indeed, all of those, as I can get the same information over the web, logging in using the 1Password Emergency Kit that I’ve printed off) doesn’t render me stranded.
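Why a synced laptop, phone and tablet can all produce the same expiring 6-digit code: under the standard time-based scheme (RFC 6238, which authenticator apps commonly implement), the code is computed from nothing but a shared secret and the current time. The sketch below is an added example, not code from 1Password or from this post; it assumes HMAC-SHA1 and takes the time step as a parameter (set to RFC 6238's default of 30 seconds), and the secret is the RFC's published test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 test key, Base32-encoded the way
# services usually display it next to the setup QR code.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, step=30, digits=6):
    """Return the one-time password for a given secret and moment in time."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(unix_time) // step            # which time window we are in
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, step=30, drift_steps=1):
    """Service-side check: accept the current window plus a little clock drift."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        t = unix_time + delta * step
        if t < 0:
            continue
        # compare_digest avoids leaking how many digits matched via timing
        ok |= hmac.compare_digest(totp(secret_b32, t, step), submitted)
    return ok


if __name__ == "__main__":
    now = 59  # fixed timestamp so the output is reproducible
    laptop = totp(SAMPLE_SECRET_B32, now)
    phone = totp(SAMPLE_SECRET_B32, now)
    print("laptop:", laptop, "phone:", phone)   # same secret, same time
    print("accepted now:      ", verify(SAMPLE_SECRET_B32, laptop, now))
    print("accepted much later:", verify(SAMPLE_SECRET_B32, laptop, now + 141))
```

Because the secret is all a device needs, whoever holds a copy of it can generate valid codes, which is why the synced vault itself has to be protected as carefully as the passwords in it.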

Today an update was released for 1Password that makes doing all this even easier:

1Password Updated brings One-Time Password Copying

As it says there, “now when you fill an item into your browser 1Password will automatically copy its one-time password to the clipboard for easy pasting.”

Which is brilliant, and will be a huge remover of friction for me, as I enter one-time passwords from 1Password many, many, many times a day.

I’m happy to answer questions about any of this.

And I wasn’t being facetious about your need to use 1Password: go do it, now.