From d3febc72c50f973cec67a4a0f60e9ce820d6854c Mon Sep 17 00:00:00 2001
From: Adam Niedzielski <adamsunday@gmail.com>
Date: Fri, 28 Oct 2016 08:59:51 +0200
Subject: [PATCH] Provide detailed instructions how to set up TOTP in 1Password. Closes #848.
---
 source/handbook/security/1password-totp.png | Bin 0 -> 5685 bytes
 source/handbook/security/index.html.md | 32 ++++++++++++++++++--
 2 files changed, 29 insertions(+), 3 deletions(-)
 create mode 100644 source/handbook/security/1password-totp.png
diff --git a/source/handbook/security/1password-totp.png b/source/handbook/security/1password-totp.png new file mode 100644 index 0000000000000000000000000000000000000000..8fa0c4dda1dcb3d2d94ac5447832f5031e711397 GIT binary patch literal 5685 zcma)eWmuHo^Y_wS(!H=qNGu_>beEJ;0!u9|uymJn35ZB2Eg+yMA+mIXG=iuI(#_J1 z#DD$%1ih~3&2zsv*SY6Re$JekiPh0kA;PD_2LJ#>YO0F&0RZ$h)cy`GHfkm2=n?|} z@GBe?6m--S6o5MJa9al_8vsBx_IVnP-UA1!o|fZLdR`U^uKeR^bk+CyxTA6u^744M zyJdAMLE#|&f|3{urD#_CMD?eYfC3{@EJ`G~wT@0tTUbfS07hCxb%6IVa<Fduawuq~ zVY?YTBeg;TIF&X5sz%!YKF!+UDFjZ@>V6g=%%UMhBTjxStYhaPh~?7Oh6bptJMsDT zog{C~x5v8vYs<{ld-i_KfkglS3zXG5xM&Rw#NHK2l+C~b;JfA32x{;T+Te~wsD|S* z=PoZkba}ZP@vvE<nw_T;V~z~4V=ZEmK?qpGNU^i_NO=merfXjg<V#Ab;AkJpq7b2; zlZ<#GB$%eXuNHAgep#xuH{-~z>R2_=dn@N6jkY6TPY`PjIexX`eGczer5<cjAa`?* z8xh5fjr)`{UdVf#&M#xBJHoJ!5ZbU4Q(B~#?#a5Blp(%cC3Uf4luETF(&IFDUfsxJ z@STAmJz8~re~cPSb)BP%Eh}S<64Ik43IEElQW&8$<R${P`pjTg9C<eUem8kBvVc@= zSWO<@D{5;!blhz@+``R$d%&kTno~_?N>LlEmcz{V5d6tK{R>4Q&hT;W7O2<GHd;Mr zP@ecZ!|SSxu$2u=jUyaibTDb?ISr7(2%X#Fv1yQ;g~5E;nh=p>8i4_UUoY1~LQ!kS zTeLjVJzp{`9b7C4S`P?^F1xn3hX<$>dxlp|J~i|IO0Hhz&y5ctY;}MDMlbipgRGV9 zRl&~V3{Uw3M51$=Et1#Lu<zz!ehH--!C_am``Ai`U}gOE7)Xj;&?eZ5#s$Q{ZBwtH zaza1NBXz=QkP{cfO$?=TMbAPXoMo`bF>EDrrJuq`3Z)?oH?$xO#C%4IIS0g7j7$Z3 zsp1HR@vyKj68g!Z>EKcjbt&|cGT)MWls~A$qKE!mAv)i9m3o!u3o$g@KObiVco)AZ zyt$P#gK*43--ucyJhOrxNfO<rF=y?Im4&g=HaRPZxFt<2+P1kvbi%|FW!|>H8OoZ! 
z%1M-p7Z<xHi<NJsqsGbNC{+f~k1JCge`Tx-Es@|9SQlOwqKhvsptUFe0Qy1An7Ev0 znD^~f{K(QOohNxcc@U0N43k1gj}HGG8c+g8RAg*B8_d9JPoOB{&OOkw;4+gf%|2Ot z*J!1`k;GfD2;Iv#XgF{CR*#6qWJS|=7Ni()^n-TVxhz*XF%dq3^rXpniNuDOjSiv( z={YrDug2Tc^vvNa3m&^gC$JNO6X|n;b2hoCJOx)ECK)1PJi@A7SDt&0$})prE%o*~ zS$2$Nr`|lf6>VjXZ{|tHNsc0`LkdzYUQKdT`9AF$+u9w6<bzBe6%n?8WLPijo`}0} z-IMds^Bnp7)%&Jg0;xQGBI>+Lx0bk;o>A!c>BZgddj12b&oa(7&T**x0$2{(WN*3$ zQK{EE`*6U!_Dv9z7D`J(`*FZO6F;+B5JPaGO79`T1aN|If^`B`_03vk(bc`)-OSyz zPO=W<p1v4W!dXT&9^RMlQp{9jR!lrraaW2iK24pwFgx#Xq<e8`v3v=%XxMA`DL0*Z zOxF_%iO<mj7v~lnkF{`?+(B@$-Eq<{F<gC+p<|l2T9#2_l=nT)S9>@9mO`%vm!?DX z{pwM2n-5j_dsa)&`*2dh+%0CZCbNjp>O70KQY;dE3rdCOq|b%#sOZ(}ck7Sq1?gdx z1?YoIn+;yQsVgfg+q~b9CsL-R?_;o1x_!T;<T8b2*cDbN)JKz@AV5S(WKQ(7+wuw1 z6E#h#LDxakLF_>eV@2L#gOsm)<;3Lz&R(0cn>9bYevo+KLhfZ#WJ^Jy5b}Ee`lt0K zo-e&r4k!+d{Kfsf{F4s3&iKx_54aDv=`4scupO{}5xLN}M~OsnMNvl8CRl(>Ksld- zUzx!YDw_mm5Tm}W5l-{ADbDxp1nt#DiTDSFokfCR#m-c)j~#FOkqvcE{OV72_f@Fe zse-BMsLH9fd5Cz$(<sw?$~g_D4d~w*znwOwf5>6XT+s|ysKNU%VKrvCKlpXXz}^Hd z;rQB_8eTi>5~>En7K+a>+!Q$4I-*AoPlR|^cztpgTiSX3Di-!)L7?Ypq(1>UH4{{9 zv2d-^8-ir>wiWA<V0Nc!ut!ut??7|v9P8YnZ%oY*w1}d5MxTHMmn}X|xM%K;>yFXN z=jGVFgI%5-<ZjA7{_&k-|Ml{<Y$S9=Y8kdr-TiuydSPR`p~EM%sBgZ)@gXeOJ9y(9 za?yL4f4Ouyj82FVfmZ(5HP3u@sI@2FlWLb*80Rt2U}Pwdqs_mKJ1hj60A*-ISnckU z#wXXXK=Z$hAVy&M%pFr5aUD#N8`1IY60C(FE080IomC2?!P=#3tGiL)qR6eXUtnV8 zDnKTnFR-A|n1(bHWOzjWl6kU45587b^ev4GtYPjgtp!PB^noyuGt-9fTyjgqKzo_A zEp8(<Xcl~3k6g{%pmhz1SFu{Lw`0L6St;r%$|>0?KI}=wh{Dw3#$~^qK0o+_pa&$y zT7_6e`mZ&MREkBdXNBg4hW3_D9L|T99QzG<w<&4x_ORwDiMhSs(~zGLyb;VFD9Yr0 zcvlhW8GoQ86N6oyUCmu3Q=VYt=l>je=dx^TJnBvDyWpn_+57u+2XsR(5^LxliIy{( zu6*3u@wX3ZKT9Msrr#4Ggda>8RmUQ@oW}-D_oq^(NM3?OYnMxxod@X8+E$|L14{!f zFI%a4cyU4$uRi^%w0krDwaKJ~+LhoP^$Y4Ws$kxE3g}hu{OhXR;*YnTH@H6XN>?y8 zWVbYhME57YxHW+aIzRid#7l1hZ%X7@g@ns-&Hath@PL>A#ehy5G#lQ4nq!xlUp10N z=Vp-sN*&VAgG`P!kt<u<60`n!mwD@L?cwIcyTm_bkRFKA`?XaExJRl-PghhxiQX3j z=XD>|>&hzDO@v#FP08<%J$z(n5^!(H$c@pIql{jPDd7AFZ<w6-ko_>4ew8SaqfPB| 
zZ+c7T)o4iHm0pj-^4ggY#O_G=K0U#Uyy9_9*dW*7eA;T-bak+ugfXKDeTeWy%~@7= zUEKcON<5epya>&x&+u?-)Eqggm#PaY0li!JTvVdrBSGzRWO~#Rco=v5Tm$L?rG5{A zO8E@V{g~Jo*ccRbg5UL;^c0=`P&e@%HaX_mzh%(x{A;qji68)cP<K!>v)kyg#J92a zBp`n4@F@CthB=0jbY^9m*)REWcC!N+{VYjDx?7UZmvz7JptNtSZ-y}V5$R;yFo{30 zw+unhk$sHN!TRyQObhXf)N4s_Q2u3scc=T}RLSw`X1azMam%g77lGMV(MaZB)2l7w z`>!{0f5LQO9q>r_>uJg+Lx1y&wljqu-<^}OBwA(;4t!~@pt93}^Qptzd;Rgf&&}P; z`<rP4A6;x+UF_<0e@PAHwH{VQqnLNSe+#f(hL)#@A=^X*&~-Eb4b$9xvtfsO&XF_z zStyD#9pns%Xh0{8=u}YsqF_o~N14#cZwN4XsCLermT7GxZW8|`LG{^aY3Xr{NGB~| z$JxTsvC7YJ-Gp)!si4>sm^HpU#vX1@Z<wE6YuKu}aP(x>90?ZC!j@xdV9W*p(6Su# zj697r??GU2XFf}7xRni`ud^#^wgmtreIcl=vyG=E(AU|?#RK9i#rhuy1hxN72D1YH zWAS_>#cHIf15|*!+W>|6?(*@oO5+28KuLFNTgZJy<v-%6KPgswPfu3}80_QY!{;N! z2Y0sv3y6!0gZTx)f`Ys#4qgvG7f(xHUKbD0|CC(oQMB=ZxjVReI>23kzx7&L!M!}C zSXqA?y7~U+r;V?}UrR0?f5Jiq2>yKn7U1It-{?k(O8%xobR2wboQxD5oNZh@P&TAR z?+Q!)$N&GF{I&Rx<io#`cLo0y{O910pd|RW|Nq4EKd}CzqR^7YmjvG+FO6?WV%`b> z;AN;O%IW!{ZT{?Wq0pd-niCXX$?_PAAtaD>`X2hdVh%eH!xU3=mfoTRyAg=T&t0I( ziegZX@g#<?eGq<a;{<!$kT;WJQT+3#(75*S{KktG|FX-|=`c++ED9ajKT8Uk{j+=8 z$QX2d&b-h+iz1prJu~J%Ot;AS3pu>yk%|9sMS03#{3FB0ZlS7;jQGy@kJt~j8<m`S zvb2~vl76>{nWY(qa%Gs!ngeM`>U_4RE!V%4T7E82vTO}S>*d$;Bj~msie%Ki_K)I( z2z{nGh@hsXW^N>3!SV<>VR^9nIp1zLXE)odC797=x{+2Z8$wA1He>ku4od&y16T9+ z&g4saX<VhI#hxVQj&K|j`C6Bs@+dVOpI@nTB+v@YyTgL&1CCwnCqFvV2wJO#zx>$} zBI7D?Vc8KSjF^_WbM1I3KIzCKN5}SG$J-r!&$$(jw|>$i*C%V?3Q#C?^+(O4l6UX; zBul76GIiQK*G7wEN1V!}0#EpNyp%NPIDRwmP6(d{9c@lh=ST+`&kQeLYK<@SBz08V z4X+>f%ghOztY?Strc?g8kjGysEHJardvH&a&><I=jFT0-zbJmD;IH{?P2uHA2RV*L z$Yzd{3D>!~VDO>Sh+j_98HO-So}cc+q$oiP8fiQZ?i3erj~(CZD}H=0R8CplltvEj z0y8<{@(&%2eKjZrld1bTlq~@p9Lp54YhM}8?I_WG)t<`rVBU};!PUIcS6~X^1`515 z6DDMY+#Pr!%>CifH$Db2S6~9Oj5HyG7=Ky@a-y2!UaoXgGlk9ebdzOU7*@VY64Rm7 z{L4sKPhuq4yg7nV!aG9k8GEGLLU-iP2A^n~{<N<5&bT`qT3Ip7h(tz-sNQEBJ^pXc zs7rn2{Rl3W!yHa_=JLzR%B;$@Z!nQj2vsZilJ_hqgGU`?_xYV!6CE?Xu`TlvwAxm4 zsyOB<g=j6pFpQ^&YICwSNiL1`>MfaP8+)Gj>Ie(=n3FQ!#yj&CCY1p{MszS*=I5oa 
zj_~P5Ji~XUv7pI_6;yge1z(&+%7tThk#v=t)XqcBg3nKOjlvWV#X0AwjHw(BG-=(K zYVZL^9iTE6OL<`5eB3pVfSNA>Eo8h*UjXTm<)pz#^<-!GQT65c8^gIzPeE>-+4XPw zy0Nf=Y|{2)$UyUoasBDw=t@|Rfy=VT^(z7Tp;fW^I8RjBXk>`FSs}s04o`UB8&wwU zB<JYWX;A#ymQgpy%^0Y%VapuRv>2pgNe?ABpKS|Y;1qbA)eQ;bea6mp1$;Z*93(MW zGtR_uFM||Ou6=cRu~4YN?loExyHfBtKF+MkKhj~Wxa+bi5!TymHisTjac@xUNlUe~ zOw}NvHJ|l~gkjuiJee(Ti|;P$K&B7}wikQotyY0PQ9jaD^6maEK-4KPcc#bY#&IPy zY{_12%snD{k<JiFxMOCJv9a;R8-^4{wf79d90@}BnxO-IlDLTz-^e9z*_Z0u>1Bp$ z*Wvhx<&&k+jx!0_4!n1N^mW5J$YueRi8#vb4);`NMPy!U=O*?~gd`xySL<lz#CtlG zaFfoTkPw1)WhQ-P_<X%Lf9SVx&xlyRLLP>kUq%q1pXp5O^*`STe0N>HICnO%P$^;B z<T|Xb97@Z={vq+q>|1t?bkLc#_5!GXI9Dc#<)R~+q*5=cp-b<hQ(@B{TuE~KOX&lK zd?s;s>u|U>Cws;N|Mo82T4n3ZWUbA!VG%x38fWt+e=i0%xKjwjDSJVc8y`ZoitD;m zgroo{iS+o8Gc7Vs(~aWZ*@9-qu>RDB3iwmriR9p|sX8N8dCuDws4BP@qLu2ZC!+kK zdPJia#~jAbBGjc^ipNYE24=~^D`X&fMq!`&f!|H20WO~OC3XJ^I@*;Tz39gFXpsiO zbxxiKHdhc0@nw&+-G17{-v73LeYTD~kwt23SNBg@zhpz}^WhRj7093qMctgSs@PXV zybm^8o0UGYDL{&75?IMq@m3=g)uDGdz=Ee_o_#W$pDp~R8~r|~<n?k&8p=jI2xIqJ z`||kph}c@f5qzdu3LD;Mm2r|OEDw?MLq)Tz9pTihX1|t%XNf?SJ~6bgD(3ZXe!SBh zGgZ35E>emac6zx4IZ^7cy<hcjukWUiO?G0ZSo7sPk@8;tFO`04<-QbAmnoywe73{* zS5q#@73%gyjo}Rqq*@PcJ2RhJqc2QU+rdWIGRS8grtb4|N9Vtdd}?nNF53syv>nQ# z#gMoy@YbX`&@X?dQT$>tEW!l*(O}_Y+yvWL_w+Lzt*h@}i?5BJm!g~0x;zoxoQ;lq zG4|1Ul4?cjok{IG@t0R0ol!-Wi19W{QzdD?|CVig3B1`xc=fa)d$HEz;Z4V!-KMaZ ztt>8PpGJf;-|3s_gGe|kk8G^3&$qgId3n8E{`8e{HzQCLjNWyu_qT@yVB)T$I@oTy zVkX8XC?*$2u>d$(&_Uf4aVQGfO2w!CNw}tzi#B6^V<=A_6Y+qlg{?1%!RGeZfMua{ z_SqpaTEL`8NV74Pr3nvc$bFr8_?#m@(7TeBYLCc%1^?TV`A|Li9CJeI`q9ch-ov9A z?e`gyvieKv#3Eda%>_2RzD9{tM;cAR|8%HM<>uBnlM$gTQoH2V$JcEI4XcmCLKQqC zejIaMr_r!(QKROB;4oy)&72^6ib=S(B(cI&`Ij`09(B;Eo&58`4L+Q?p)5^-D^nnY z8<MJNYjVyBURA)~c$QF8NcwhGK<8glECJ0Zxs05*_FvorQQG&iJ(7%WNI*AKIP)Bz vwr-v(eyVnBvRSjo7TI46+5SJly2L^pYs4_}b)#l!06<MiOYxn&McDrV&sa2c literal 0 HcmV?d00001 diff --git a/source/handbook/security/index.html.md b/source/handbook/security/index.html.md index ea8a83fd8ce..d2aab334db4 100644 
--- a/source/handbook/security/index.html.md
+++ b/source/handbook/security/index.html.md
@@ -18,7 +18,7 @@ title: Security Handbook
 For all credentials that are not stored in a shared vault on 1Password there should be one secure note in the 'Shared' vault. This can be services that have individual accounts or OAuth access. Locate the 'secure note' in the team's 'Shared' vault with the name of the service you are trying to access. The note should list whom can give you access in case it has
 individual accounts, or it may link to the onboarding checklist. You should be added to most of these services during onboarding.
-1. If 2FA should be on for the new user account, make sure to store recovery codes in the login, and consider using [auto-generated TOTP] if useful.
+1. If 2FA should be on for the new user account, make sure to store recovery codes in the login, and use [1Password TOTP].
 1. If you need to give more people access to credentials [move them](https://discussions.agilebits.com/discussion/comment/133692/#Comment_133692) to a vault that they can access. Never duplicate credentials! If needed put them in the 'Shared' vault that the whole company can access or make a suggestion to create a new vault in the "1Password Shared Folders" Google Sheet. Do not share passwords on a per person basis by sharing them via 1Password, this makes it hard to reason about the sharing and doesn't change when the responsibilities change.
 1. When asked security questions (what is your favorite pet, etc.) do not answer truthfully since that is easy to research. Make up an answer and write both the question and answer in 1Password.
 1. Do not share credentials via email, issue comments, chat etc. This includes
@@ -35,7 +35,7 @@ individual accounts, or it may link to the onboarding checklist. You should be a
 service.
 1. Do not let your password manager store the **master password**. It is okay to store the login.
-1. Enable two-factor authentication (2FA) with 1Password [auto-generated TOTP] for your Google, Slack, GitLab.com, and dev.gitlab.org accounts. The nice thing about 1Password is that it migrates when you have a new phone, unlike Google Authenticator.
+1. Enable two-factor authentication (2FA) with [1Password TOTP] for your Google, Slack, GitLab.com, and dev.gitlab.org accounts.
 1. You can also consider using a [Yubikey](https://about.gitlab.com/2016/06/22/gitlab-adds-support-for-u2f/) with GitLab.
 1. **Encrypt** your computer's home folder. For Mac users: Use [FileVault] to encrypt the entire disk.<a name="encrypt-home-folder"></a>
@@ -68,7 +68,7 @@ individual accounts, or it may link to the onboarding checklist. You should be a
 [1Password]: https://1password.com
 [generate strong passwords]: https://support.1password.com/guides/mac/generate-a-strong-password.html
-[auto-generated TOTP]: https://blog.agilebits.com/2015/01/26/totp-for-1password-users/
+[1Password TOTP]: #1password-totp
 [Google Authenticator]: https://support.google.com/accounts/answer/1066447?hl=en
 [FileVault]: https://support.apple.com/en-us/HT204837
 [team call agenda]: https://docs.google.com/document/d/1JiLWsTOm0yprPVIW9W-hM4iUsRxkBt_1bpm3VXV4Muc/edit
@@ -249,6 +249,32 @@ To create a personal local vault:
 1. A new local vault (**Primary**) is created outside the GitLab team account
 1. If you want to setup sync for your new local vault, go to **Preferences > Sync**
 
+### Two Factor Authentication and Time-based One Time Passwords<a name="1password-totp"></a>
+
+There are several ways to get your Two Factor Authentication (2FA) codes.
+You can get them sent via SMS or use an app like Google Authenticator to
+generate them. 1Password provides an alternative solution that does not
+require using your smartphone: 1Password Time-based One Time Passwords
+(TOTP). 2FA codes are displayed directly in the 1Password app running on your
+laptop.
+
+To enable TOTP for a saved account:
+
+1. Open 1Password app
+1. Go to the item for which you want to set up TOTP
+1. Click **Edit** in the bottom right corner
+1. Click 3 dots icon
+ ![3 little dots](/handbook/security/1password-totp.png)
+1. Select **One-Time Password**
+1. Click QR code icon that appeared
+1. Scan QR code using the transparent window
+1. Click **Save**
+1. 2FA code should be displayed now
+
+Please refer to the [1Password blog] for more information on how TOTP works.
+
+[1Password blog]: https://blog.agilebits.com/2015/01/26/totp-for-1password-users/
+
 ### Example Usage<a name="1password-example-usage"></a>
 
 This is an example of how <a href="https://gitlab.com/u/rspeicher">Robert</a>,
-- 
GitLab