Does it make my 1PW account safer using a YubiKey?

Hey guys,
I am deciding whether or not to buy a YubiKey to protect my passwords in 1PW. But then something came to my mind.
Right now I am using two-factor authentication with my phone and Google Authenticator.
But when I am using a YubiKey, it's after all possible to avoid it by clicking on "Choose another option" and then using the mobile authenticator instead. So what's the difference?? In which way does it make my account safer??


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brenty

    Team Member
    edited July 8

    Does it make my 1PW account safer using a YubiKey?

    @Mephisto_Pheles: Two-factor authentication can be really important for things which are protected only by authentication. But since 1Password's security is based on encryption, it is less critical and protects only against a very specific type of attack: someone having all of your account credentials except your second factor.

    But when I am using a YubiKey, it's after all possible to avoid it by clicking on "Choose another option" and then using the mobile authenticator instead.

    No.

    So what's the difference?? In which way does it make my account safer??

    The benefit is the same whether you use a U2F dongle or TOTP, so it's more a matter of personal preference. You don't have to choose between them though; you can use both for your account. :)

  • jpgoldberg, Agile Customer Care

    Team Member

    Hi @Mephisto_Pheles, I'm going to slightly modify what my colleague @brenty has said, though I'll also repeat most of it as well (as it is mostly correct).

    As he correctly noted, we need to separate out two separate questions: the security gain of using 2FA for signing into 1Password, and the relative security of U2F and TOTP.

    Security gain of 2FA for signing into 1Password

    This is probably the toughest part of the implied question. When you enter your Master Password (and Secret Key) you are doing two things at once. You are signing into 1Password and you are unlocking 1Password. This is a distinction that we hide from the user as it just makes things more confusing.

    • Signing in means proving to 1Password.com that you are who you say you are and that you can receive your encrypted data from our servers.
    • Unlocking means deriving the cryptographic keys needed to decrypt your encrypted data (whether or not a copy of that encrypted data is stored locally).

    2FA, in whatever form, only adds to the security of signing in. This is why we insist that even if you used a dozen different factors, you would still need a strong Master Password. 2FA does not protect you if someone gets your encrypted data from your own machine. So whatever protection 2FA adds to signing into 1Password, it does not allow you to get away with a weaker Master Password.

    This can be a useful protection. If someone phishes you (tricks you into "signing in" to a fake, malicious 1Password look-alike page) and gains your Master Password and Secret Key, they still will not be able to sign in without also compromising the second factor. So even though they will have enough information to decrypt your encrypted data, should they get it, our server won't give it to them.

    So there is a value to using 2FA for signing into 1Password. It is a different sort of value than how 2FA works with other services. In particular, using 2FA for signing into 1Password does not mean that you can get by with a weaker Master Password.

    TOTP v U2F for 1Password sign-in

    If you decide to use 2FA for signing in to 1Password, U2F is more secure. There are attacks on TOTP that will not work against U2F. For example, it is possible for a phishing site to obtain the one-time (6-digit) code used by TOTP. With U2F it isn't. With U2F the web page also has to prove to your device that it is who it says it is. This further reduces the threat of phishing.

    Using U2F on the desktop and on some devices is much easier than using TOTP, though it can be much harder on other devices. So that has to play a role in your decision.

    U2F also costs more. You need to buy at least two devices (you will need to keep a backup device somewhere in case you lose the one you more regularly use). For some people the additional cost will be worth it, and for others it won't be.

    So from a security perspective, U2F is better than TOTP. But there may be practical and financial reasons to prefer TOTP. In either case, remember that 2FA only protects the sign-in process. It does not protect unlocking data already stored on the same device. So whatever 2FA mechanism you choose, have a good, unique Master Password.
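The TOTP-versus-U2F point above (a phishing page can relay a TOTP code, but a U2F assertion is bound to the origin the browser is actually on) can be watched in a small simulation. This is an added example, not code from 1Password or from this thread: the TOTP half follows RFC 6238, while the "U2F key" is a constructed stand-in that signs with an HMAC instead of a per-site ECDSA key, and the origins are made-up values.

```python
import hashlib
import hmac
import os
import struct

# Constructed origins: the real relying party and a look-alike phishing page.
REAL_ORIGIN = "https://my.1password.com"
PHISH_ORIGIN = "https://my-1password-login.example"


# ---- TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) ----
def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10**digits).zfill(digits)


class TotpServer:
    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, unix_time: int) -> bool:
        # The server only sees six digits; it cannot tell which page the user typed them into.
        return hmac.compare_digest(code, totp_code(self.secret, unix_time))


def totp_phish_succeeds(secret: bytes, unix_time: int) -> bool:
    """Victim reads the code off their phone and types it into the phishing page;
    the attacker forwards it to the real server within the same 30-second step."""
    server = TotpServer(secret)
    code_typed_into_phish_page = totp_code(secret, unix_time)
    return server.verify(code_typed_into_phish_page, unix_time)


# ---- U2F-style assertion: the signature covers the origin the browser is on ----
class U2fKey:
    """Authenticator stand-in. A real key signs with a per-site ECDSA private key;
    an HMAC is used here so the script needs only the standard library."""
    def __init__(self):
        self.key = os.urandom(32)

    def sign(self, challenge: bytes, origin: str) -> bytes:
        return hmac.new(self.key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def browser_assert(key: U2fKey, page_origin: str, challenge: bytes):
    """The browser, not the page, supplies the origin, so a phishing page cannot
    have the key sign for a site it is not actually loaded from."""
    return page_origin, key.sign(challenge, page_origin)


class U2fServer:
    def __init__(self, expected_origin: str, registered: U2fKey):
        self.expected_origin = expected_origin
        self.key = registered.key      # a real server would store the public key
        self.pending = set()           # one-time challenges, consumed on use

    def new_challenge(self) -> bytes:
        c = os.urandom(32)
        self.pending.add(c)
        return c

    def verify(self, challenge: bytes, origin: str, signature: bytes) -> bool:
        if challenge not in self.pending:
            return False               # unknown or already-used challenge (replay)
        self.pending.discard(challenge)
        if origin != self.expected_origin:
            return False               # the assertion was made for some other site
        expected = hmac.new(self.key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def u2f_phish_attempts(key: U2fKey):
    """Returns (relayed as-is, relayed with origin rewritten, genuine login)."""
    server = U2fServer(REAL_ORIGIN, key)
    # A: attacker fetches a real challenge, the victim's key signs it on the phishing
    #    origin, and the attacker forwards the assertion unchanged.
    c = server.new_challenge()
    origin, sig = browser_assert(key, PHISH_ORIGIN, c)
    relayed = server.verify(c, origin, sig)
    # B: attacker claims the real origin instead; the signature covered the phishing origin.
    c = server.new_challenge()
    _, sig = browser_assert(key, PHISH_ORIGIN, c)
    forged_origin = server.verify(c, REAL_ORIGIN, sig)
    # C: the user really is on the real site.
    c = server.new_challenge()
    origin, sig = browser_assert(key, REAL_ORIGIN, c)
    genuine = server.verify(c, origin, sig)
    return relayed, forged_origin, genuine


if __name__ == "__main__":
    print("TOTP relayed by phisher accepted:", totp_phish_succeeds(b"12345678901234567890", 59))
    print("U2F (relayed, origin rewritten, genuine):", u2f_phish_attempts(U2fKey()))
```

The TOTP server accepts the relayed code because nothing about a six-digit string says where it was typed. The U2F server rejects both relay attempts: forwarded as-is, the assertion names the phishing origin; with the origin rewritten, the signature no longer matches. Only a session started on the real origin verifies.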

  • So a YubiKey, a U2F, only gives an unauthorized device more protection and protects my account from "attacks" from outside, because as I take it, on all the devices I have already logged in on, like my home PC (Mac), tablet and phone, only my master key is needed to get access. (??)

  • brenty

    Team Member

    @Mephisto_Pheles: Goldberg is right. I glossed over this a bit:

    So what's the difference?? In which way does it make my account safer??

    The benefit is the same whether you use a U2F dongle or TOTP

    As I was thinking of it in terms of "to 2FA or not to 2FA", I misunderstood the context of your question:

    Does it make my 1PW account safer using a YubiKey?

    Sorry! His answer is much clearer:

    So from a security perspective, U2F is better than TOTP. But there may be practical and financial reasons to prefer TOTP. But in either case, remember that 2FA only protects the sign in process. It does not protect unlocking data already stored on the same device. So whatever 2FA mechanism you choose, have a good, unique Master Password.

    I think that also addresses your more recent question:

    So a YubiKey, a U2F, only gives an unauthorized device more protection and protects my account from "attacks" from outside, because as I take it, on all the devices I have already logged in on, like my home PC (Mac), tablet and phone, only my master key is needed to get access. (??)

    But to answer directly, this goes back to my original comments:

    Two-factor authentication can be really important for things which are protected only by authentication [i.e. signing into your account]. But [...] 1Password's security is based on encryption

    Two-factor authentication of any kind -- whether U2F or TOTP -- is not involved at all with the data on your devices. That is protected using encryption. If someone steals your device, they do not need to sign into the server to get your encrypted data; they already have it. So at that point, what is protecting your data is the Master Password you used to encrypt it. But as long as you use a long, strong, unique Master Password, you're in good shape. Two-factor authentication means that someone would be unable to sign in on a new device without your second factor. :)
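The distinction drawn in this thread between signing in (a server-side gate that 2FA strengthens) and unlocking (key derivation from the Master Password and Secret Key, which 2FA never touches) is easier to see in a toy model. The following is an added example and not 1Password's actual protocol or code: the key is derived with PBKDF2, the cipher is an HMAC-keystream stand-in for a real AEAD cipher, the Secret Key value and vault item are constructed, and the second factor is reduced to a boolean the server checks before handing out the ciphertext.

```python
import hashlib
import hmac
import os
import struct

KDF_ITERATIONS = 50_000                      # constructed; real deployments use far more
SECRET_KEY = "A3-CONSTRUCTED-SECRET-KEY"     # stands in for the 1Password Secret Key


def derive_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Unlocking: the vault key comes from the Master Password and Secret Key alone.
    Nothing here involves the server or any second factor."""
    return hashlib.pbkdf2_hmac("sha256", (master_password + secret_key).encode(), salt, KDF_ITERATIONS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for an AEAD cipher: HMAC keystream XOR plus an HMAC tag over nonce||ciphertext.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None        # wrong key (or tampered data): the tag does not check out
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def login_verifier(key: bytes) -> bytes:
    # Signing in: prove knowledge of the key without ever sending the key or the password.
    return hmac.new(key, b"sign-in", hashlib.sha256).digest()


class Server:
    """Holds only a verifier and the ciphertext; it cannot decrypt the vault itself."""
    def __init__(self, verifier: bytes, encrypted_vault: bytes):
        self.verifier = verifier
        self.encrypted_vault = encrypted_vault

    def download(self, verifier: bytes, second_factor_ok: bool):
        # 2FA is a gate in front of the download. It is not an input to the cipher.
        if not hmac.compare_digest(verifier, self.verifier) or not second_factor_ok:
            return None
        return self.encrypted_vault


def scenario(master_password: str, guesses: list) -> tuple:
    """Returns (phisher obtains vault from server, password a thief recovers offline or None)."""
    salt = os.urandom(16)
    key = derive_key(master_password, SECRET_KEY, salt)
    vault = encrypt(key, b"example.com / alice / hunter2")    # constructed vault item
    server = Server(login_verifier(key), vault)

    # 1. Phisher captured the Master Password and Secret Key but not the second factor.
    phisher_key = derive_key(master_password, SECRET_KEY, salt)
    phisher_has_vault = server.download(login_verifier(phisher_key), second_factor_ok=False) is not None

    # 2. Thief copied the vault file, salt and Secret Key from the device itself. No sign-in
    #    happens, so 2FA is never consulted; only the Master Password stands in the way.
    recovered = None
    for guess in guesses:
        if decrypt(derive_key(guess, SECRET_KEY, salt), vault) is not None:
            recovered = guess
            break
    return phisher_has_vault, recovered


if __name__ == "__main__":
    wordlist = ["123456", "password1", "letmein"]    # constructed guess list
    print("weak:  ", scenario("password1", wordlist))
    print("strong:", scenario("correct-horse-battery-staple-42", wordlist))
```

With a weak Master Password the phisher is still turned away by the server, yet the thief with a local copy recovers the password in a handful of offline guesses, which is the point brenty makes above: against a stolen device only the Master Password matters. With a strong one, the same wordlist recovers nothing.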

  • Alright thank uuuu, that helps me a lot ^^

    Last question, is it advisable to change the master password over time? Like my computer science teacher says, a password should be like a toothbrush: only used by oneself and changed over a period of time xD

    I know why he said it to our class, like when servers got hacked and passwords have been leaked or got found out by someone; however, it takes months or even years till they've been sold on the black market. And when I change my password every half a year, I should be on the safe side, shouldn't I?

    Like I've got an Apple-only setup with a Mac and iOS devices and as far as I know, they've got a pretty closed OS which shouldn't be as vulnerable as Windows systems..

    Is it then better to just have one very strong and long master key forever? ^^'

  • brenty

    Team Member

    @Mephisto_Pheles: You're welcome! Glad to be able to help. :chuffed:

    There are three (good) reasons to change a password:

    • Weak: easy to guess, either by a human or a machine
    • Reused: easier to find out, because it's being used elsewhere
    • Compromised: someone else has it, and therefore could use it

    There is, of course, a fourth (bad) reason to change a password:

    You're right that there can be other circumstances in which you might want to change a password...but they don't apply to 1Password, because your Master Password is never transmitted to us or stored. So even if we were attacked, it couldn't be stolen from us in a breach.

    So, yes, if you have a long, strong, unique Master Password already which only you know (not weak, reused, or compromised), there is no need to change it. I'm hesitant to say "forever", but certainly if it's already sufficiently strong and you haven't told it to anyone else or entered it on an untrusted device, there's no need. Changing it would mean having to re-memorize and get used to typing it, and that would understandably encourage anyone to use a weaker password than they would otherwise. We're only human, after all. :)
