Add a Second YubiKey for Two-Factor Authentication

YubiKey recommends that you register multiple keys, to deal with possible future loss of a key. The procedure for setting up a YubiKey for second-level authentication on 1Password calls for you to Enable Two-Factor Authentication. That step apparently triggers the next step, but when I try to register the second key, Two-Factor Authentication is already enabled, so I can't do it, and I don't see any way to proceed.

I may be missing something, but I don't see any way to register the second YubiKey to 1Password. Is it not possible?


1Password Version: 7.3.657
Extension Version: Not Provided
OS Version: W10 Home Version 1809 build 17763.379
Sync Type: Not Provided

Comments

  • @Vicw The reason YubiKey recommends a backup hardware device is in the event you lose one.

    1Password doesn't use the YubiKey as part of its encryption, it uses it for its authentication.

    The major difference here is that 1Password can disable the OTP if you lock yourself out, therefore a backup YubiKey is unnecessary.

    1. For PGP a lost YubiKey would involve locking yourself out of your data permanently.
    2. With 1Password you only lock yourself out of your data permanently if you lose either your master password and/or secret key.
  • ag_ana

    Team Member

    Hi @Vicw!

    @gazu is absolutely correct! However, you can still configure multiple YubiKeys with 1Password too if you want, but you need to have your 2FA QR code available (or your 2FA secret) in order to configure a new authenticator device. Both the QR code and the secret are shown to you when you first enable 2FA for your 1Password account.

    If you make a copy of these, you can configure a new Yubikey. If you didn't make a copy of these, you can temporarily disable 2FA, enable it again, and configure both authenticator devices at the same time, or store the QR code/2FA secret for later.

    I hope this helps!

  • It took me a while, but I finally figured out how to get a second YubiKey working to generate valid 6-digit Two-Factor Authentication codes for 1Password. I first thought that it would work similarly to U2F, used by Google and Dropbox, where you can register multiple keys with no drama and no data entry to be done, but it doesn't do that for 1Password. It seems that 1Password allows for an Authenticator app, without regard for registration of multiple keys. The result is that the 26-character Secret Key has to be identical for the Credentials for the app in every YubiKey.

    I'm detailing the process I ended up using, in case someone else struggles with this as I did, and to remind me what to do the next time I need to replace a key, if ever. This process invalidates the codes on the original key, and a new code is generated, so I think it's important to verify carefully that everything is working with the data coming from each key before subsequently exiting out of 1Password.

    While logged into 1Password via my browser, I had to:
    1) Disable Two-Factor Authentication,
    2) Enter the 1Password Master Password,
    3) Enable Two-Factor Authentication,
    4) copy the 24-character Secret Key that 1Password provides to a Word or Google Doc for later use creating a valid Credential for each YubiKey.

    5) open the YubiKey Authenticator app, and
    6) delete the old Credential from my original YubiKey (it was no longer valid),
    7) create a new Credential, entering the 1Password name and my account UserID,
    8) paste in the 24-character Secret Key, and
    9) save the Credential (the Authenticator app then starts showing 6-digit codes for 1Password),
    10) enter the currently displayed 6-digit code back into 1Password, which is waiting for it and confirms success after accepting the code.

    I followed the same basic process to generate an identical key on my new backup YubiKey. At that point 1Password was no longer requesting a 6-digit Authenticator code, but I was able to compare the 6-digit Authentication codes from each key on the YubiKey Authenticator, to verify that they were identical during the 30 second periods.

    As long as I retain the current 24-character 1Password Secret Key, I could generate valid Credentials for 1Password on any new YubiKey. That would be very convenient, but bad practice from a security standpoint. I don't plan to retain that code. I can always generate a new set of codes if I have to replace a key in the future, and generating a new 24-character Secret Key for 1Password will invalidate the old one, in case a key was stolen or lost.
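    The procedure above is plain RFC 6238 TOTP provisioning: 1Password hands out one base32 secret, every YubiKey credential must hold that same secret, and re-enabling 2FA issues a new secret that silently orphans any key still carrying the old one. The following is an added example written for this page, not code from the thread, from 1Password or from Yubico. It uses only the Python standard library. The `Authenticator` class is a stand-in for one YubiKey's OATH credential store (an assumption, not the YubiKey Authenticator app's API), the account label is made up, and the two secrets are constructed: `OLD_SECRET` is the well-known RFC 4226/6238 test secret and `NEW_SECRET` is an arbitrary second value standing in for the secret issued after 2FA is disabled and re-enabled. Real secrets vary in length (the poster's was 16 base32 characters); the decoder restores the padding that QR-code secrets usually omit, so any length works.

```python
"""TOTP credential provisioning as described in the post (RFC 6238):
every YubiKey must carry the identical base32 secret, and rotating the
secret invalidates the key that still holds the old one."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

DIGITS = 6
STEP_SECONDS = 30


def _decode_base32(secret: str) -> bytes:
    # Strip spaces, upper-case, and restore '=' padding (a 16-character
    # secret decodes to 10 bytes; the RFC test secret below to 20 bytes).
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(_decode_base32(secret), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: str, unix_time: Optional[int] = None) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, int(unix_time) // STEP_SECONDS)


def verify(secret: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock skew."""
    step = int(unix_time) // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, step + d), code)
        for d in range(-window, window + 1)
    )


class Authenticator:
    """Stand-in for one YubiKey's OATH credential store (assumed, not Yubico's API)."""

    def __init__(self, label: str) -> None:
        self.label = label
        self.credentials: Dict[str, str] = {}   # "issuer:account" -> base32 secret

    def add_credential(self, name: str, secret: str) -> None:
        self.credentials[name] = secret

    def delete_credential(self, name: str) -> None:
        self.credentials.pop(name, None)

    def code(self, name: str, unix_time: int) -> str:
        return totp(self.credentials[name], unix_time)


# Constructed sample values: the RFC 4226/6238 test secret ("12345678901234567890"
# in base32) and an arbitrary second secret standing in for the one issued after
# 2FA is disabled and re-enabled.  Neither is a real account secret.
OLD_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
NEW_SECRET = base64.b32encode(b"09876543210987654321").decode()
ACCOUNT = "1Password:vicw@example.com"        # made-up label


def provision_pair(secret: str, unix_time: int) -> Tuple[str, str]:
    """Steps 5-9 of the post, applied to both keys: delete the dead credential,
    store the identical secret on each, and read back the current code."""
    primary, backup = Authenticator("primary"), Authenticator("backup")
    for key in (primary, backup):
        key.delete_credential(ACCOUNT)
        key.add_credential(ACCOUNT, secret)
    return primary.code(ACCOUNT, unix_time), backup.code(ACCOUNT, unix_time)


def rotation_demo(unix_time: int) -> Tuple[bool, bool]:
    """Returns (code from a key still holding OLD_SECRET accepted?,
                code from a key re-provisioned with NEW_SECRET accepted?)."""
    stale_code = totp(OLD_SECRET, unix_time)
    fresh_primary, fresh_backup = provision_pair(NEW_SECRET, unix_time)
    assert fresh_primary == fresh_backup          # both keys agree every 30 s
    return (verify(NEW_SECRET, stale_code, unix_time),
            verify(NEW_SECRET, fresh_backup, unix_time))


if __name__ == "__main__":
    now = int(time.time())
    print("primary/backup codes:", provision_pair(OLD_SECRET, now))
    print("after rotation (stale accepted, fresh accepted):", rotation_demo(now))
```

    Comparing `provision_pair` output from both keys inside one 30-second step is exactly the check the post describes; `rotation_demo` is the failure mode it warns about, since a key that still holds the previous secret keeps producing plausible-looking codes that the server will reject.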

  • ag_ana

    Team Member

    Thank you for sharing these instructions @Vicw! I am happy to hear this worked, and I am sure other users will find this useful.

    :)

  • Thanks for that @ag_ana.
    I just realized that I repeatedly misstated the number of characters in the Secret Key. It has 16 characters, not 24. I can't seem to edit it; it tells me I need some kind of vanilla whatever.

  • I appreciate the helpful comments from @gazu & @ag_ana. I didn't see them until I made my second post, though. I guess I didn't renew the thread, and didn't think to refresh it, assuming there had been none, and hadn't received any email notifications. I will have to see if I can select to get notifications of posts in the forum.

    They would have helped solve the problem for me more quickly, but I was able to get it done in the end, once I better understood the difference with the 1Password utilization of the key.

  • ag_ana

    Team Member

    @Vicw

    If you want to check your 1Password Forum notification settings, go to your Profile > select icon with person on the right side of your profile page > click Edit Profile > on the left side click Notification Preferences >. Here you can customize your notifications the way they work best for you.

    I believe that the most important thing is that you manage to get this sorted out in the end, and I am very happy about it :)

    Have a wonderful day!

  • @ag_ana
    I set all of the Notification Preferences, so I should be aware of responses in the future. Somehow, I assumed that the email notification would be enabled by default, and hadn't checked it. I apologize for seeming to ignore your help initially.

    Now that I'm beginning to comprehend the Security Key/Yubikey functionalities and use for 2FA and/or 6-Digit code generation, I'm curious if 1Password has any plans to start supporting the full 2FA functionality, as Dropbox and Google do, which I've found to be enormously more convenient, and possibly more secure, in regular use, than the 6-digit 2nd level code generation.

  • ag_ana

    Team Member

    @Vicw

    Let's see if you get this notification :)

    Also, thank you for your feedback! We cannot comment on future plans because that would be a great way to be wrong most of the time :P What I can tell you though, is that a product like 1Password doesn't benefit from 2FA as much as other products. This is because 1Password is an encryption-based product, and 2FA does not enhance the strength of your encryption because that's an additional authentication layer.

    So while 2FA can be very useful for services like Dropbox and Google, which are authentication based, the usefulness of 2FA when it comes to a product such as 1Password is not the same, because your data is protected by encryption, and not by authentication.

  • Vicw
    edited March 18

    @ag_ana

    I checked all of the Notification settings, and my email address in my Profile a couple of days ago, but no, I didn't get one from your response. I just decided to take a look to see. I wonder what that is telling me?

    RE: encryption vs authentication, as I understand your comment, all of the data in 1Password is apparently encrypted locally, in transit and in the cloud, right? If someone is able to log in to my account, however, the encryption would be broken to that person, so the second level authentication provided by the Key and Authentication app still has great value to prevent that from occurring, by use of the 6-digit codes that can only be generated by the Key.

    To further tap your expertise, if you will allow me - I've been considering the potential risks of also using an alternative Android app, such as Authy, which can also generate the same 6-digit codes, but which exchange data between the app and a remote server. I'm thinking it would be more secure to avoid having the data in Authy as a backup source for me, due to the perceived added risk, and only use the Yubikey.

  • ag_ana

    Team Member

    @vicw

    I checked all of the Notification settings, and my email address in my Profile a couple of days ago, but no, I didn't get one from your response. I just decided to take a look to see. I wonder what that is telling me?

    Can you please check your Spam folder too? It would be interesting to know if the notifications are ending there, or if they don't even reach your inbox (in this case, we would have to do some digging to find out why this is happening).

    RE: encryption vs authentication, as I understand your comment, all of the data in 1Password is apparently encrypted locally, in transit and in the cloud, right?

    That's correct. Data is encrypted on your device, and only ever leaves it in encrypted form. It's encrypted end-to-end.

    If someone is able to log in to my account, however, the encryption would be broken to that person, so the second level authentication provided by the Key and Authentication app still has great value to prevent that from occurring, by use of the 6-digit codes that can only be generated by the Key.

    If someone somehow gets a hold of your 1Password data, you are safe because the data is encrypted. However, your 1Password data is encrypted with your Master Password and your Secret Key. In this sense, the 2FA code doesn't play any role in the encryption. So an attacker with access to your data, to your Master Password and to your Secret Key wouldn't need your 2FA code to be able to access your data.

    What 2FA protects you from is when you try to authenticate to a service. When you try to login to 1Password, what is happening is that your data is being decrypted, it's not an authentication step like a normal website. Although, to the user, they look exactly the same, so I understand where you are coming from :)

    In other words, when you login to the website, the system is not verifying that you are you. It's verifying that you know the secrets to decrypt your data.

    To further tap your expertise, if you will allow me - I've been considering the potential risks of also using an alternative Android app, such as Authy, which can also generate the same 6-digit codes, but which exchange data between the app and a remote server. I'm thinking it would be more secure to avoid having the data in Authy as a backup source for me, due to the perceived added risk, and only use the Yubikey.

    I think you could also use Authy without the backup option, so that could be a possibility. But to answer your question directly: as I mentioned in the previous paragraph, the security of 1Password comes from its encryption. To decrypt your data, you only need your Master Password and Secret Key, not the 2FA code. This means that if someone managed to get your authenticator codes, they wouldn't be able to do anything without the other two important pieces of information.

    I hope this helps!

  • @ag_ana

    I don't see any emailed Notifications going to Spam at all. I also checked my email filters to make sure there was nothing in there that could act on any emails from 1Password. It's a bit of a mystery to me.

    I really appreciate your time and effort to share your knowledge of the security structure affecting the 1Password data. It's beginning to penetrate. Hopefully, your comments might help others like me, who are also a bit baffled by the complexities and subtleties of the various encryption and account access structures.

    It's reassuring that you have confirmed that data encryption is in place throughout. I've found that some services don't necessarily provide fully end-to-end encryption, so that's important to know.

    In my concern about someone else logging in, I hadn't taken into account the importance of the Secret Key in protecting the raw data against decryption, irrespective of the normal site login pathway.

  • Ben (AWS Team)

    Team Member

    Thanks @Vicw.

    I don't see any emailed Notifications going to Spam at all. I also checked my email filters to make sure there was nothing in there that could act on any emails from 1Password. It's a bit of a mystery to me.

    We are currently investigating some reports of this type of difficulty. Our forum provider sends these emails on our behalf. We've reached out to them to investigate further. I'll add your comments to the issue on this.

    I really appreciate your time and effort to share your knowledge of the security structure affecting the 1Password data. It's beginning to penetrate. Hopefully, your comments might help others like me, who are also a bit baffled by the complexities and subtleties of the various encryption and account access structures.

    I'm glad to hear that Ana has been able to help in this regard. :)

    It's reassuring that you have confirmed that data encryption is in place throughout. I've found that some services don't necessarily provide fully end-to-end encryption, so that's important to know.

    I would say that the vast majority of services do not. Any time you're able to do a "forgot your password?" operation... they likely aren't doing end-to-end encryption.

    In my concern about someone else logging in, I hadn't taken into account the importance of the Secret Key in protecting the raw data against decryption, irrespective of the normal site login pathway.

    The Secret Key is one of the big differences between us and many other services. It protects you even from us.

    Ben

  • Vicw
    edited March 18

    @Ben

    I just found 2 "mention" emails on Feb 25th from Miket, but those were the only ones. I do see all of the Notifications listed, but no more emails to me.

    I love the "The Secret Key is one of the big differences between us and many other services. It protects you even from us." response from you. It sounds like a bit of a joke, but it's a very important and meaningful statement, I think.

  • Lars (Junior Member)

    Team Member
    edited March 18

    @Vicw - that's disappointing. We've added your experience to the list of people who've experienced similar rejection of emails and we'll be investigating it. In the meantime, the best I can do is suggest you manually monitor any threads you're participating in here on the forum, until we can clear up what might be going on.

    It sounds like a bit of a joke, but it's a very important and meaningful statement, I think.

    I mean, it IS a bit of a joke...but not completely. You should trust the tools and process, but not necessarily the provider, when it comes to critical stuff like your most important data. Nevertheless, the main function of the Secret Key isn't to protect you in the case that we suddenly turn evil (though it will protect you against that as well). It's more about: what if some nefarious hackers manage to squeak past all the considerable defenses we put into place to protect you on 1password.com, and are able to steal a copy of your encrypted data from our servers?

    In the old days (pre-1password.com accounts), in order to get a copy of your data, someone would have to literally steal a device of yours (unless you used an approved cloud sync service like iCloud or Dropbox, and even then, they'd have to know how to target you specifically on either of those services -- pretty unlikely). But with 1password.com, we knew this would be a target no matter how well we defended it, so we added the Secret Key to make sure that even if someone DOES manage to bypass all our defenses and grab a copy of your encrypted data from our servers, they would not only need your Master Password but ALSO this randomly-generated Secret Key which does not leave your own device. With 1password.com, those two secrets combined are what's used to derive the actual encryption keys that can decrypt your data -- and we never have either one. :)
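    Lars's argument is that the vault key is derived from two secrets combined, a human-chosen Master Password stretched by a slow KDF and a high-entropy Secret Key that never leaves the device, so a copy of the encrypted data stolen from the server is useless without both, and the 2FA code plays no part in that derivation. The example below was written for this page to make that concrete; it is not 1Password's 2SKD code, its real parameters or its key-check format, only a simplified construction modelled on the idea described in the post. The PBKDF2 round count, the HKDF info string, the key-check value, the sample salt, the Secret Key string and the candidate password list are all assumptions constructed for the demo. Note that nothing TOTP-related appears as an input anywhere: that is the point.

```python
"""Simplified two-secret key derivation, modelled on the idea Lars describes.
Not 1Password's 2SKD implementation; parameters and formats are illustrative."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

PBKDF2_ROUNDS = 20_000     # assumption: kept low so the demo runs quickly
KEY_LEN = 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """RFC 5869 extract-then-expand with HMAC-SHA256 (standard library only)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Slow KDF over the Master Password, XORed with a fast KDF over the
    Secret Key.  Either half alone is useless; a TOTP code is not an input."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, PBKDF2_ROUNDS, KEY_LEN)
    sk_part = hkdf_sha256(secret_key.encode("utf-8"), salt, b"demo-secret-key", KEY_LEN)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def key_check_value(key: bytes) -> bytes:
    """Stand-in for whatever lets a holder of the encrypted vault test a candidate key
    (illustrative; 1Password's real format is not modelled here)."""
    return hmac.new(key, b"demo-vault-key-check", hashlib.sha256).digest()[:16]


def enrol(master_password: str, secret_key: str, salt: bytes) -> Dict[str, bytes]:
    """The only material the server ever holds in this model: salt and key-check value."""
    key = derive_vault_key(master_password, secret_key, salt)
    return {"salt": salt, "kcv": key_check_value(key)}


def unlock(stored: Dict[str, bytes], master_password: str, secret_key: str) -> bool:
    """Client-side unlock: re-derive and compare in constant time."""
    key = derive_vault_key(master_password, secret_key, stored["salt"])
    return hmac.compare_digest(key_check_value(key), stored["kcv"])


def offline_guess(stored: Dict[str, bytes], candidates: Iterable[str],
                  secret_key_guess: str) -> Optional[str]:
    """An attacker holding the stolen blob runs a password list.  Without the
    real Secret Key the XORed half is wrong for every candidate, so even the
    correct Master Password never verifies."""
    for pw in candidates:
        if unlock(stored, pw, secret_key_guess):
            return pw
    return None


# Constructed sample values (not real credentials).
SALT = b"demo-salt-16byte"
SECRET_KEY = "A3-EXAMPL-EKEY00-00000-00000-00000-00000"
MASTER_PASSWORD = "correct horse battery staple"
CANDIDATES = ["password1", "letmein", "Tr0ub4dor&3", MASTER_PASSWORD, "hunter2"]


def demo() -> Dict[str, object]:
    stored = enrol(MASTER_PASSWORD, SECRET_KEY, SALT)
    return {
        "both_secrets": unlock(stored, MASTER_PASSWORD, SECRET_KEY),
        "password_only": unlock(stored, MASTER_PASSWORD, ""),
        "attacker_with_secret_key": offline_guess(stored, CANDIDATES, SECRET_KEY),
        "attacker_without_secret_key": offline_guess(stored, CANDIDATES, ""),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    The asymmetry `demo()` shows is the one Lars and Ben are describing: a stolen server copy plus a password list finds the Master Password only when the attacker also has the Secret Key, and the TOTP secret from the earlier posts is never consulted, which is why losing a YubiKey is recoverable while losing the Secret Key is not.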

  • Vicw
    edited March 19

    @Lars

    I am checking the forum periodically, to make sure I don't ignore any updates. I really miss the notification emails, of course, but knowing that it's being investigated, and that I'm not the only one having the problem gives me hope it will be resolved.

    The responses from support on this thread have been enormously helpful to me.

    I am sure that any Password Manager app is a prime target for an aspiring hacker, who wants to cause as much havoc and pain to as many people as possible, and perhaps gain a bit of infamy and personal gain. As you have described - the Secret Key, along with the Master Password are both required to decipher the data, and as long as I don't share the secret key online, my data should be protected. The trick is that I need to keep that printed Secret Key safely stored, but accessible. The Safety Deposit box at the bank would be a really safe storage location, but inconvenient. I'm now shopping for a reasonably secure home safe.

  • Lars (Junior Member)

    Team Member

    @Vicw - a floor safe or similar is an excellent idea. One other idea you might not have seen but which has been discussed on this forum in the past is the idea of a trusted (hired) third party such as a trustworthy lawyer. I'd guess fees for such a thing might vary, but the attorney-client privilege created by paying a nominal retainer to a lawyer to hold your Emergency Kit in a safe place for you might be an even better option. Just another idea. :)

  • @Lars
    Good suggestions. I think that the safe would be best for pure convenience. I also have an immediate family member living close who I trust absolutely. Maybe both places would make sense.

  • Ben (AWS Team)

    Team Member

    It may not be a bad idea at all to keep a couple copies in secure locations. By far the bigger risk for most people is that they lose their Secret Key, vs being the target of an attacker.

    Ben

  • Belts and Suspenders - good idea @Ben. It would be a major mess to have lost the Key, when needed.

  • Lars (Junior Member)

    Team Member

    @Vicw - absolutely. Just make sure your copies are safe and secure. :)
