Yet another U2F thread

Hey,
I know, I know. You probably heard enough about the YubiKey and U2F but hear me out.

1Password thankfully allows for 2FA which cannot be reset without the login and I really like this.
But whats irritating me is that it would be still theoretically be possible fall for a phishing attack or something like that. Its unlikely but its possible. Even my Secure-Key wouldn't do anything to protect me in such a scenario. And 2FA can prevent this from happening, my YubiKey is also helping with this but someone who really is trying could get around it.
U2F solves this problem.(I don't want to explain it in depth because I want to keep this a simple and short summary)
U2F would help a lot to protect my 1Password account and my whole online life.
I don't know how much afford it would be to implement it for the web and mobile versions but I personalty wouldn't mind paying a bit more each year just to get this feature. I mean, I already pay nearly as much as I would at a competitor which supports this feature. (Since I live in Germany 19% VAT are added which makes it more expensiv)
Sure you got other maybe even more important things to do but at least put something like this in a high priority. Not only I, but also many others would like to have U2F support.
Its just something the almost perfect password manager needs to become the perfect one!

I hope I have convince one or the other of U2F support, and possibly also someone of the 1Password Team so they can bring this idea forward.

Thanks for reading!
~ Alexander


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • @Kavatch — I've just spent some time arguing in favor of U2F instead of TOTP 2FA, and I don't get the impression that AgileBits takes the particular type of phishing attack that it addresses seriously, so don't hold your breath. According to @brenty:

    We offer two-factor authentication because it is a regulatory requirement for many enterprises.

    …strongly implying that they think it has little real value. If not for the web client, I would agree with them (the native apps should be immune to the type of phishing proxy attack that U2F would foil, but against which TOTP is nearly useless). The frustrating thing is that there seem to be several functions that are only available via the web client.

    I'm much more hopeful that AgileBits will add those web client exclusive functions to at least one of the native apps at this point.

  • BenBen AWS Team

    Team Member

    I'm much more hopeful that AgileBits will add those web client exclusive functions to at least one of the native apps at this point.

    We've done some brainstorming on how we might best be able to accomplish this. There are a couple of ideas out there. The obvious one is, as you say, to include access to those APIs in the existing native clients. Another less obvious but perhaps quicker to build option would be a wrapper for the web client that would be codesigned. All of the client-side code (HTML, JavaScript, CSS, etc) could be included and signed. Unfortunately I'm not in a position to make any promises on this front at this point, but it is something that we're very aware of and are actively discussing.

    We also haven't ruled out the possibility of implementing U2F. As I've said a few times we do think it is interesting technology and are evaluating how it might fit into the 1Password environment. That said we don't implement features simply because competitors have. We prefer to take a well-reasoned approach. What makes sense in one environment does not always make sense in another.

    Ben

  • brentybrenty

    Team Member

    @gedankenexperimenter: I really don't see that your comments add anything here. Please consider that before hijacking other people's threads. You could have contributed something instead of trying to shift the conversation toward your own agenda, as you have already done in the other discussion. I say this because you clearly do have something to contribute. I just wish you'd do so, and in a way that is productive, non-aggressive, and respectful to others. Thanks. :blush:

  • brentybrenty

    Team Member

    @Kavatch: To answer your inquiry directly, we are evaluating U2F, and perhaps it will find its way into 1Password accounts in the future. Thank you for letting us know it's a feature you'd like as well! :)

    And if you are interested in the actual context of the discussion gedankenexperimenter made an offhanded reference to, it can be found here:

    About the new security audit.

    Cheers! :)

  • @benty — I'm sorry that my comment offended you.

    @Kavatch — If you feel that I hijacked your topic in my response to @benty, I likewise apologize. My intention was only to summarize the information that I had gleaned on the subject of the possibility of U2F support without asking you to read what is now a very long discussion.

    If I may take the liberty of further summarizing the relevant bits that I left out in my first response here, I'm fairly certain that @Kavatch is referring to the same type of phishing attack that I brought up before (victim is tricked into entering credentials in a fake 1Password web client). U2F is the only available method for protecting the user from this class of phishing attack, but I have been told more than once that AgileBits is concerned about users possibly choosing weak Master Passwords if U2F is available.

    I wholeheartedly agree that weak Master Passwords are very bad, but I disagree that this is a good reason to deny users the option to protect themselves from the phishing attacks in question.

    I brought up the idea of native clients supporting all functions currently exclusive to the web client because that seems to me nearly as effective (for those of us with the understanding and discipline to never use the web client) at foiling the class of phishing attack that appeared to be at the root of @Kavatch's original post. AgileBits seems much more receptive to this idea that U2F, and I thought it possible that @Kavatch had not considered that idea yet. Again, to anyone who considered this to be out of scope because of the title, I apologize.

    U2F is extremely effective against certain phishing attacks that can currently be used to gain access to 1Password user data. It is not a good excuse to use weaker Master Passwords (or, as I have been accused of believing, a "panacea"). Whether or not the existing TOTP 2FA system (which is not effective against those phishing attacks) has already been used by 1Password users as an excuse to use weaker Master Passwords is, as far as I can tell, unknown.

  • BenBen AWS Team

    Team Member

    The primary goal is to avoid having the same conversation in multiple threads, causing a duplication of effort. We have a lot of customers that are anxious for responses from us, so responding to the same thoughts from the same customer(s) across multiple threads or multiple communications channels (e.x. both email and forum) slows the whole support process down. Thus we actively try to discourage that. We're happy to have a conversation about any of the above mentioned points, but let's keep the coversation together in one spot, please. :)

    Considering this thread and the above mentioned thread seem to be on the same topic I'm going to lock this one and suggest that we continue any further conversation over there. Thanks for understanding.

    Ben

  • brentybrenty

    Team Member

    @gedankenexperimenter: No offense taken. Thanks for understanding. I just want to make sure everyone has a seat at the table. :)

This discussion has been closed.