How do I configure 2FA to ONLY utilize U2F?

Azes

I want to configure 2 factor authentication to only work with my U2F security keys.

I specifically don't want the code from an authenticator app to be an option for 2 factor authentication for my 1Password account.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:u2f

Comments

  • Ben (AWS Team)

    Team Member

    Hi @Azes

    That isn't currently possible because not all of our clients support U2F yet. If you didn't have TOTP you’d be locked out of every one of our native apps. As we continue to iterate on the feature it may be possible in the future.

    Ben

  • Azes

    Ben,

    Using a code from an authenticator app is fine for users that don't have U2F configured.

    But for those that do, being able to bypass U2F with a code from an authenticator app kind of defeats the purpose and extra security that U2F affords.

  • Ben (AWS Team)

    Team Member

    Thanks for taking the time to share your perspective @Azes.

    Ben

  • Hi Ben.
    So to clarify, if I have 2FA enabled (TOTP) and I remove it and try to add a Yubikey, the system won't allow this? I must enable a soft token first before being able to register a hard token U2F?

    I agree with Azes that being able to bypass U2F with a TOTP 2FA does defeat SOME of the extra security afforded by U2F, specifically the risk, albeit very small, of a database breach at 1PW where the TOTP seed is stored (I assume encrypted at the same level as one's own stored data).
    However, using the U2F instead of the TOTP (even if still enabled as it apparently is on 1PW) still does significantly reduce the phishing threat which is a much bigger threat than a database breach.

    But yes, ultimately it would be better from a security standpoint if TOTP could be deactivated and one could use U2F as the sole 2FA option. Since one can register as many tokens as one wants, the risk of being locked out should be no different than having the app-generated TOTP.
    Additionally, I think it would make people who may be nervous about storing passwords online less so (even with all the security protocols in place) and perhaps attract more customers for 1PW. Everyone wins!

    I hope 1PW will allow this U2F-only option soon.
    Thanks

  • Ben (AWS Team)

    Team Member

    Hi @1pwuser31547

    So to clarify, if I have 2FA enabled (TOTP) and I remove it and try to add a Yubikey, the system won't allow this? I must enable a soft token first before being able to register a hard token U2F?

    Sort of. I don't see why you couldn't also use the Yubikey to generate TOTP codes. So while TOTP is currently required for U2F with 1Password I believe it is possible to use the Yubikey to do that (while also using it to do U2F). I haven't had an opportunity to test this personally, but I don't see why it wouldn't work. If you want a Yubikey-only option it may be worth a try. I'd still recommend printing the QR code for the TOTP secret in case you lose or damage that Yubikey and need to set up a new one.

    I would suspect that other U2F keys might offer the same capability.

    I agree with Azes that being able to bypass U2F with a TOTP 2FA does defeat SOME of the extra security afforded by U2F, specifically the risk, albeit very small, of a database breach at 1PW where the TOTP seed is stored (I assume encrypted at the same level as one's own stored data).

    2FA doesn't protect against an attacker that is able to steal your encrypted data. If someone were able to steal that data from us then your Secret Key (as well as your Master Password) would protect you:

    About your Secret Key

    But if they steal it from you they're also going to be able to steal the Secret Key. In that case a strong Master Password is essential, and is what will protect your data.

    2FA is a second step in obtaining the encrypted data from the server only. It isn't involved in the encryption of your data, and doesn't protect data that has already been downloaded to your device (e.g. if your device is stolen).

    But yes, ultimately it would be better from a security standpoint if TOTP could be deactivated and one could use U2F as the sole 2FA option. Since one can register as many tokens as one wants, the risk of being locked out should be no different than having the app-generated TOTP.

    While in theory that is true there are two issues with that:

    1. None of the 1Password client apps support U2F at this point, so without TOTP enabling U2F would prevent you from signing in from any of 1Password for Mac, 1Password for Windows, 1Password for Android, or 1Password for iOS.
    2. I would not suspect that the majority of people have multiple U2F keys available to them. It is much more likely that they have a U2F key and a smartphone.

    That isn't to say that as the technology becomes more prevalent (including within our own apps) we won't reconsider. This is a "right now" answer, not a "going forward" answer. :)

    Additionally, I think it would make people who may be nervous about storing passwords online less so (even with all the security protocols in place) and perhaps attract more customers for 1PW. Everyone wins!

    While I have no doubt that you are correct, we want to be very cautious about the claims we make about the security of people's data. It is important to us that it is clear to people what protections something like U2F actually offers. There are many folks who believe that 2FA is some sort of silver bullet, and that with it you're completely protected and it doesn't matter if you use a weak or reused password. That just simply isn't true, and we don't want to further foster, or onboard customers under, those types of false beliefs. There are some benefits to 2FA, but it is not the be-all and end-all that some have come to think it is. The scope of attacks it actually protects against is much narrower than is commonly believed.

    Ben
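The distinction Ben draws above (2FA gates the download of the encrypted vault from the server, while decryption depends only on the Master Password plus the locally held Secret Key) can be made concrete with a small model. The following Python is an added example written for this thread; it is not 1Password's code and does not reproduce its real key derivation, SRP login or cipher. The `derive_key` function (PBKDF2 over the Master Password, salted with the Secret Key), the toy HMAC-based cipher, the `Server` class and all sample values are assumptions constructed for the demo; the TOTP seed is the RFC 6238 test-vector seed. Three scenarios are modelled: a legitimate login, a server-side breach (attacker holds the blob and the TOTP seed, so 2FA is moot, yet cannot decrypt), and a stolen device (blob and Secret Key already present, so only the Master Password stands).

```python
import hashlib
import hmac
import struct

# --- Constructed demo values (not real secrets) ---
MASTER_PASSWORD = "correct horse battery staple"
SECRET_KEY = "A3-EXAMPLE-SECRET-KEY-DEMO"   # hypothetical, held on the user's device
TOTP_SEED = b"12345678901234567890"         # RFC 6238 appendix test-vector seed
VAULT_PLAINTEXT = b"login: example.com / hunter2"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (the common authenticator-app default)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def derive_key(master_password: str, secret_key: str) -> bytes:
    """Simplified two-secret derivation: both the Master Password AND the
    locally held Secret Key feed the encryption key. This is an assumed
    stand-in, not 1Password's actual scheme."""
    salt = hashlib.sha256(secret_key.encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; toy construction for the demo only
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (single key for both; use a real AEAD in production)."""
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key: authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, len(body))))


class Server:
    """Holds only the opaque encrypted blob and the TOTP seed it needs to verify codes."""

    def __init__(self, blob: bytes, totp_seed: bytes):
        self.blob = blob
        self.totp_seed = totp_seed

    def download(self, code: str, unix_time: int) -> bytes:
        # 2FA gates *release* of the blob; it plays no part in decrypting it.
        if not hmac.compare_digest(code, totp(self.totp_seed, unix_time)):
            raise PermissionError("2FA code rejected")
        return self.blob


def build_demo_server() -> Server:
    key = derive_key(MASTER_PASSWORD, SECRET_KEY)
    return Server(encrypt(key, VAULT_PLAINTEXT), TOTP_SEED)


def legitimate_login(now: int = 59) -> bytes:
    """User supplies a valid code, downloads the blob, decrypts with MP + Secret Key."""
    server = build_demo_server()
    blob = server.download(totp(TOTP_SEED, now), now)   # code from the authenticator app
    return decrypt(derive_key(MASTER_PASSWORD, SECRET_KEY), blob)


def server_breach_decrypts() -> bool:
    """Attacker dumps the server: blob + TOTP seed, but no Master Password or
    Secret Key. 2FA no longer helps (they hold the seed), yet the data stays opaque."""
    server = build_demo_server()
    blob = server.download(totp(server.totp_seed, 59), 59)  # stolen seed, forged code
    try:
        decrypt(derive_key("guessed password", "A3-WRONG-KEY"), blob)
        return True
    except ValueError:
        return False


def stolen_device_decrypts(guessed_password: str) -> bool:
    """Attacker steals the device: the blob is already downloaded and the Secret Key
    is on disk, so 2FA never enters the picture; only the Master Password stands."""
    key = derive_key(MASTER_PASSWORD, SECRET_KEY)
    local_blob = encrypt(key, VAULT_PLAINTEXT)   # cached copy on the device
    try:
        decrypt(derive_key(guessed_password, SECRET_KEY), local_blob)
        return True
    except ValueError:
        return False
```

Running the three scenarios shows the boundary: `legitimate_login()` returns the vault contents, `server_breach_decrypts()` is false even though the attacker can forge every TOTP code, and `stolen_device_decrypts()` succeeds only with the real Master Password. Swapping TOTP for U2F in `Server.download` would change how the release step resists phishing, but not which secrets protect the data once it has left the server.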
