1Password 2FA to iCloud Keychain

I am a huge fan of 1Password. It’s an app / service that at this point I can’t live without.

If you aren’t familiar with 1Password, you should check it out. It is a password manager that is really easy to use, syncs across all of your devices, and has a lot of advanced features. You can set up different “vaults” to keep things organized, and you can even share certain vaults with certain people. You can even use a work account and a personal account at the same time, and it helps keep things organized and secure for you. My wife and I share a home vault for passwords and accounts that we both use and both need access to, while at work I have different vaults shared with different teams based on what they need as well.

I partially use 1Password because of all of these advanced features, but I specifically use it instead of iCloud Keychain because I do not use Safari on the Mac. I use Chrome for almost everything on a Mac, but Safari on iOS. 1Password works across all of this no problem so it makes things really easy.

Two-factor authentication support is awesome in 1Password. 1Password supports adding TOTP (Time-based One-Time Password) 2FA codes, similar to how Google Authenticator or Authy work, and it can keep this information right next to your password. It will even auto-fill the 2FA code for you when you have 1Password fill in the username and password.

There are some specific cases where there’s a password I use a lot on my phone, and therefore in Safari, and I like having iCloud Keychain store the username and password for me, since it will actually fill out slightly faster (it is built into the OS and is not a 3rd party app). However, I want ALL my passwords in 1Password. That’s the vault where everything should be no matter what.

So how do you have them in both places? Well for username and password this is easy, you just create an entry for username and password in both locations. But Apple recently introduced the ability to also support TOTP 2FA, so can you have a code like that in both places? Yes! You can! It’s not super intuitive, but it’s definitely possible.

It’s much easier to set this up on the Mac if you can, then let it sync to your iOS device, even if you aren’t going to use Mac Safari. When you go into the “Passwords” section in Safari’s preferences, you can easily see how to add new passwords for different sites. Once you create one, you can “Edit” it, and you’ll see the option for 2FA show up. The verbiage they use is not terribly standard, and can be a little confusing, but they call it Verification Code, and you’ll see the option to Enter Setup Key.


Enter Setup Key is also a little bit confusing wording, unless you only use Safari and never save these things anywhere else. Safari tries to make this easy when you log in on a website for the first time, and will offer to set this all up for you automatically. It’s pretty neat, but if you do it that way, you’re going to have a very hard time copying that info back out of Safari, so I’d recommend starting by creating it in 1Password first.

Many times, if a site supports 2FA, 1Password will automatically prompt you and tell you how to set up 2FA, however in some cases it doesn’t know that specifically. In those cases you can just add a “One Time Password” field to your login item, and then it will let you scan the QR code directly.


Once a TOTP is saved in 1Password, you can “Edit” that login and see more info about the TOTP itself. You will see a long string of text saved there, which is what actually generates the time-based code. It includes the issuer (the site that it’s from), the username it is associated with, and most importantly a secret. The section that reads secret=SomeTextString is the important part we are trying to get to.


Simply copy the text string after secret=. In some cases there will be text after the secret, separated from it by the & symbol. We want everything after secret= and before the &. You can just double-click on the first couple of characters and it will highlight the correct section for you.

Now go back to Safari’s password settings and paste the secret you just copied into the Setup Key field. That’s it! Now you will have the same TOTP code across both systems!
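The extraction step above, written out as an added example (not from the original post, and not 1Password's or Apple's code): it assumes the stored string follows the otpauth:// key URI layout, pulls out the secret= value, and computes the RFC 6238 code so you can compare it with what both apps show. The sample URI and function names are constructed for illustration; the secret is the RFC 6238 test key, not a real account.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

# Constructed sample; the secret is the RFC 6238 test key "12345678901234567890".
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
DEFAULTS = {"algorithm": "SHA1", "digits": 6, "period": 30}

def parse_otpauth(uri):
    """Return (secret, params): the text after secret= and before any &."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    query = parse_qs(parts.query)  # splits on & and percent-decodes values
    if "secret" not in query:
        raise ValueError("URI has no secret= parameter")
    secret = query["secret"][0].replace(" ", "").upper()
    params = {
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }
    return secret, params

def decode_secret(secret):
    """Base32-decode the secret, restoring any stripped '=' padding."""
    return base64.b32decode(secret + "=" * (-len(secret) % 8))

def totp(secret, at, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 code for Unix time `at`."""
    counter = struct.pack(">Q", int(at) // period)
    digest = hmac.new(decode_secret(secret), counter,
                      getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def non_default(params):
    """Parameters that differ from the common SHA1 / 6 digits / 30 s."""
    return {k: v for k, v in params.items() if v != DEFAULTS[k]}

if __name__ == "__main__":
    secret, params = parse_otpauth(SAMPLE_URI)
    print("setup key:", secret)
    print("current code:", totp(secret, time.time(), **params))
    print("non-default parameters:", non_default(params) or "none")
```

If `non_default` returns anything, the site uses settings other than SHA-1, 6 digits and 30 seconds, and those are left behind when only the secret is copied.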