Add a Second YubiKey for two Factor Authentication

Yubikey recommends that you register multiple keys, to deal with possible future loss of a key. The procedure for setting up a YubiKey for second Level Authentication on 1Password calls for you to Enable Two Factor Authentication. That step apparently triggers off the next step, but when I try to register the second key, Two Factor Authentication is already enabled, so I can't do it, and I don't see any way to proceed.

I may be missing something, but I don't see any way to register the second YubiKey to 1Password. Is it not possible?


1Password Version: 7.3.657
Extension Version: Not Provided
OS Version: W10 Home Version 1809 build 17763.379
Sync Type: Not Provided

Comments

  • @Vicw The reason YubiKey recommends a backup hardware device is in the event you lose one.

    1Password doesn't use the YubiKey as part of its encryption, it uses it for its authentication.

    The major difference here is that 1Password can disable the OTP if you lock yourself out, so a backup YubiKey is unnecessary.

    1. For PGP a lost YubiKey would involve locking yourself out of your data permanently.
    2. With 1Password you only lock yourself out of your data permanently if you lose either your master password and/or secret key.
  • ag_ana

    Team Member

    Hi @Vicw!

    @gazu is absolutely correct! However, you can still configure multiple Yubikeys with 1Password too if you want, but you need to have your 2FA QR code available (or your 2FA secret) in order to configure a new authenticator device. Both the QR code and the secret are shown to you when you first enable 2FA for your 1Password account.

    If you make a copy of these, you can configure a new Yubikey. If you didn't make a copy of these, you can temporarily disable 2FA, enable it again, and configure both authenticator devices at the same time, or store the QR code/2FA secret for later.

    I hope this helps!

  • It took me a while, but I finally figured out how to get a second YubiKey working to generate valid 6-digit Two-Factor Authentication codes for 1Password. I first thought that it would work similar to U2F, used by Google and Dropbox, where you can register multiple keys, with no drama, and no data entering to be done, but it doesn't do that for 1Password. It seems that 1Password allows for an Authenticator app, without regard for registration of multiple keys. The result is that the 26 character Secret key has to be identical for the Credentials for the app in every Yubikey.

    I'm detailing the process I ended up using, in case someone else struggles with this as I did, and to remind me what to do the next time I need to replace a key, if ever. This process invalidates the codes on the original key, and a new code is generated, so I think it's important to verify carefully that everything is working with the data coming from each key before subsequently exiting out of 1Password.

    While logged into 1Password via my browser, I had to:
    1) Disable Two-Factor Authentication,
    2) Enter the 1Password Master Password,
    3) Enable Two-Factor Authentication,
    4) copy the 24 character Secret Key that 1Password provides to a Word or Google Doc for later use creating a valid Credential for each YubiKey.

    5) open the YubiKey Authenticator app, and
    6) delete the old Credential from my original YubiKey (it was no longer valid),
    7) create a new Credential, entering the 1Password name, my account UserID,
    8) paste in the 24 character Secret Key and
    9) save the Credential (the Authenticator app then starts showing 6-digit codes for 1Password),
    10) enter the currently displayed 6-digit code back into 1Password, which was waiting for it and confirms success after accepting the code.

    I followed the same basic process to generate an identical key on my new backup YubiKey. At that point 1Password was no longer requesting a 6-digit Authenticator code, but I was able to compare the 6-digit Authentication codes from each key on the YubiKey Authenticator, to verify that they were identical during the 30 second periods.

    As long as I retain the current 24 character 1Password Secret Key, I could generate valid Credentials for 1Password on any new YubiKey. That would be very convenient, but bad practice, from a security standpoint. I don't plan to retain that code. I can always generate a new set of codes if I have to replace a key in the future, and generating a new 24 character Secret Key for 1Password will invalidate the old one, in case a key was stolen or lost.
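Python illustration of why the procedure above works: every key provisioned with the same base32 secret computes the same RFC 6238 TOTP code for the same 30-second window, and a credential left over from before 2FA was re-enabled simply stops matching. This is an added example, not code from the thread or from 1Password or Yubico; the secrets are constructed (the "current" one is the RFC 6238 SHA-1 test seed, so the output can be checked against the RFC's published vectors).

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secrets in the base32 form 1Password shows when 2FA is enabled.
# CURRENT_SECRET is the RFC 6238 SHA-1 reference seed ("12345678901234567890" in base32);
# OLD_SECRET is an arbitrary constructed value standing in for the pre-rotation secret.
CURRENT_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
OLD_SECRET = "JBSWY3DPEHPK3PXP"


def totp(secret_b32, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: what the YubiKey Authenticator computes for a credential."""
    if unix_time is None:
        unix_time = int(time.time())
    # Authenticator apps tolerate spaces and lower case in the pasted secret and re-pad it.
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    counter = unix_time // step                       # the 30-second window number
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def codes_for_devices(device_secrets, unix_time):
    """Code each provisioned key would display in the same window, keyed by device name."""
    return {name: totp(secret, unix_time) for name, secret in device_secrets.items()}


def backup_is_valid(primary_secret, backup_secret, unix_time):
    """The check from the post: both keys must show the same code in the same window."""
    return totp(primary_secret, unix_time) == totp(backup_secret, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    devices = {"primary YubiKey": CURRENT_SECRET, "backup YubiKey": CURRENT_SECRET,
               "stale credential": OLD_SECRET}
    for name, code in codes_for_devices(devices, now).items():
        print(f"{name:18} {code}")
    print("backup matches primary:", backup_is_valid(CURRENT_SECRET, CURRENT_SECRET, now))
    print("stale credential matches:", backup_is_valid(CURRENT_SECRET, OLD_SECRET, now))
```

Comparing the two keys' codes within one window, as the post describes, is exactly `backup_is_valid`; a mismatch means one credential holds a different (old) secret.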

  • ag_ana

    Team Member

    Thank you for sharing these instructions @Vicw! I am happy to hear this worked, and I am sure other users will find this useful.

    :)

  • Thanks for that, @ag_ana.
    I just realized that I repeatedly misstated the number of characters in the Secret Key. It has 16 characters, not 24. I can't seem to edit it, tells me I need some kind of vanilla whatever.

  • I appreciate the helpful comments from @gazu & @ag_ana. I didn't see them until I made my second post, though. I guess I didn't renew the thread, and didn't think to refresh it, assuming there had been none, and hadn't received any email notifications. I will have to see if I can select to get notifications of posts in the forum.

    They would have helped solve the problem for me more quickly, but I was able to get it done in the end, once I better understood the difference with the 1Password utilization of the key.

  • ag_ana

    Team Member

    @Vicw

    If you want to check your 1Password Forum notification settings, go to your Profile > select the icon with a person on the right side of your profile page > click Edit Profile > on the left side click Notification Preferences. Here you can customize your notifications the way they work best for you.

    I believe that the most important thing is that you managed to get this sorted out in the end, and I am very happy about it :)

    Have a wonderful day!

  • @ag_ana
    I set all of the Notification Preferences, so I should be aware of responses in the future. Somehow, I assumed that the email notification would be enabled by default, and hadn't checked it. I apologize for seeming to ignore your help initially.

    Now that I'm beginning to comprehend the Security Key/Yubikey functionalities and use for 2FA and/or 6-Digit code generation, I'm curious if 1Password has any plans to start supporting the full 2FA functionality, as Dropbox and Google do, which I've found to be enormously more convenient, and possibly more secure, in regular use, than the 6-digit 2nd level code generation.

  • ag_ana

    Team Member

    @Vicw

    Let's see if you get this notification :)

    Also, thank you for your feedback! We cannot comment on future plans because that would be a great way to be wrong most of the time :P What I can tell you though, is that a product like 1Password doesn't benefit from 2FA as much as other products. This is because 1Password is an encryption-based product, and 2FA does not enhance the strength of your encryption because that's an additional authentication layer.

    So while 2FA can be very useful for services like Dropbox and Google, which are authentication based, the usefulness of 2FA when it comes to a product such as 1Password is not the same, because your data is protected by encryption, and not by authentication.

  • Vicw
    edited 4:29PM

    @ag_ana

    I checked all of the Notification settings, and my email address in my Profile a couple of days ago, but no, I didn't get one from your response. I just decided to take a look to see. I wonder what that is telling me?

    RE: encryption vs authentication, as I understand your comment, all of the data in 1Password is apparently encrypted locally, in transit and in the cloud, right? If someone is able to log in to my account, however, the encryption would be broken to that person, so the second level authentication provided by the Key and Authentication app still has great value to prevent that from occurring, by use of the 6-digit codes that can only be generated by the Key.

    To further tap your expertise, if you will allow me - I've been considering the potential risks of also using an alternative Android app, such as Authy, which can also generate the same 6-digit codes, but which exchange data between the app and a remote server. I'm thinking it would be more secure to avoid having the data in Authy as a backup source for me, due to the perceived added risk, and only use the Yubikey.

  • ag_ana

    Team Member

    @vicw

    I checked all of the Notification settings, and my email address in my Profile a couple of days ago, but no, I didn't get one from your response. I just decided to take a look to see. I wonder what that is telling me?

    Can you please check your Spam folder too? It would be interesting to know if the notifications are ending there, or if they don't even reach your inbox (in this case, we would have to do some digging to find out why this is happening).

    RE: encryption vs authentication, as I understand your comment, all of the data in 1Password is apparently encrypted locally, in transit and in the cloud, right?

    That's correct. Data is encrypted on your device, and only ever leaves it in encrypted form. It's encrypted end-to-end.

    If someone is able to log in to my account, however, the encryption would be broken to that person, so the second level authentication provided by the Key and Authentication app still has great value to prevent that from occurring, by use of the 6-digit codes that can only be generated by the Key.

    If someone somehow gets a hold of your 1Password data, you are safe because the data is encrypted. However, your 1Password data is encrypted with your Master Password and your Secret Key. In this sense, the 2FA code doesn't play any role in the encryption. So an attacker with access to your data, to your Master Password and to your Secret Key wouldn't need your 2FA code to be able to access your data.

    What 2FA protects you from is when you try to authenticate to a service. When you try to log in to 1Password, what is happening is that your data is being decrypted; it's not an authentication step like on a normal website. Although, to the user, they look exactly the same, so I understand where you are coming from :)

    In other words, when you log in to the website, the system is not verifying that you are you. It's verifying that you know the secrets to decrypt your data.

    To further tap your expertise, if you will allow me - I've been considering the potential risks of also using an alternative Android app, such as Authy, which can also generate the same 6-digit codes, but which exchange data between the app and a remote server. I'm thinking it would be more secure to avoid having the data in Authy as a backup source for me, due to the perceived added risk, and only use the Yubikey.

    I think you could also use Authy without the backup option, so that could be a possibility. But to answer your question directly: as I mentioned in the previous paragraph, the security of 1Password comes from its encryption. To decrypt your data, you only need your Master Password and Secret Key, not the 2FA code. This means that if someone managed to get your authenticator codes, they wouldn't be able to do anything without the other two important pieces of information.

    I hope this helps!
