Which physical security can I use as 2FA for 1Password service?

lixinyang
edited July 20 in Mac

I read the article posted at https://support.1password.com/security-key/ and watched the video in the post. I went to the YubiKey site; however, there are many keys, like SECURITY KEY SERIES, YUBIKEY 5 SERIES, and FIPS SERIES. On their site, they have specifically highlighted that for the LastPass service the YUBIKEY 5 SERIES should be used.

My question is: is that the same case for the 1Password service?

Reference https://www.yubico.com/products/yubikey-hardware/compare-products-series/



Comments

  • ag_ana

    Team Member

    Hi @lixinyang!

    I do not believe that there are limitations when it comes to specific models of YubiKey that you can use with your 1Password account. I can however confirm that the one you have selected, the YubiKey 5 Series, definitely works with 1Password because I have one here :)

  • The 5 Series is 25 USD more expensive than the basic SECURITY KEY SERIES. I wonder why I would need the 5 Series if the basic would work with the 1Password service.

  • ag_ana

    Team Member

    @lixinyang,

    You don't need the 5 Series if you just want to use it for 1Password. If you do not need the additional features in the 5 Series, you don't need to buy it.

    If you have any questions about the differences between the different YubiKey options, I recommend reaching out to their support team and I am sure they will be able to help you choose which YubiKey is the best for you.

    In the meantime, you can see the list of compatible YubiKeys here. Which one you choose is completely up to you :)

  • Hi @ag_ana
    Further to this, if I enable 2FA with an authenticator app, AND I set up a YubiKey, which method will be requested when I need to provide the second factor of authentication?
    And if I lose one method (lose the Authenticator app or lose the YubiKey), I presume I can use the method that I haven't lost in order to authenticate on my account??
    Thanks!

  • Ben AWS Team

    Team Member
    edited August 14

    @friskydingo

    We support two types of 2FA using the Yubikey products. Not all Yubikeys support both. For example, the Yubikey Security Key Series only does U2F, and not TOTP. Please check Yubico's site to see which keys support which technologies.

    • TOTP: This is the option that generates a 6-digit code based on the current time which is valid for 30 seconds. If you've used 2FA elsewhere, that is not SMS based, this is probably what you've used. These codes can also be generated by an authenticator app such as Google Authenticator, Authy, or Microsoft Authenticator.
    • U2F: Hardware authentication - no "code" required. Supported by the 1Password.com web interface (your web browser must support this option) and 1Password for iOS only, at present. 1Password for iOS only supports the Yubikey 5Ci, which may not yet be widely available. 1Password for Mac does not support U2F at this time. For now, enabling U2F requires enabling TOTP, as otherwise you'd be unable to use your 1Password account in the majority of our apps.

    Some Yubikeys can do both TOTP and U2F. I would not recommend using a single Yubikey for both unless you have a second Yubikey set up or you also set up an authenticator app. In other words, I would strongly recommend setting up an authenticator app in addition to a Yubikey, or two Yubikeys. To set up multiple authenticators for TOTP scan the QR code (or manually enter the TOTP secret) in each when enabling TOTP for your 1Password.com account. You can also print the QR code (and/or the TOTP secret) so that additional authenticators can be established in the future. Instructions for setting up a second U2F key can be found in our U2F guide.

    which method will be requested when I need to provide the second factor of authentication?

    If you use U2F with your 1Password.com account either U2F or TOTP will be accepted. If you only set up TOTP then only TOTP will be accepted.

    And if I lose one method (lose the Authenticator app or lose the YubiKey), I presume I can use the method that I haven't lost in order to authenticate on my account??

    Correct, assuming you followed my advice above of having at least two separate authenticators. It is possible, with some models of Yubikey, to have a single key be set up for both U2F and TOTP. Again, this is fine, so long as you also either set up a second Yubikey or an authenticator app. You likely don't want to be in a situation where only one physical key is capable of meeting the 2FA requirement for your account, as losing that is going to mean waiting for our security team to conduct a thorough investigation and turn off 2FA for you.

    I hope that helps. Please let me know if any of this is unclear.

    Ben
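
The TOTP behaviour described in the reply above, as an added example that is not part of the thread or 1Password's code: a standard RFC 6238 generator showing why two authenticators enrolled with the same secret are interchangeable. The secret is the RFC 6238 test key, and the one-step drift tolerance in `verify` is an assumption.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid, as described in the post
DIGITS = 6   # length of the displayed code

# Constructed sample secret (RFC 6238 test key), as it would appear in a QR code.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def _key(secret_b32: str) -> bytes:
    """Decode a base32 secret; enrolment secrets often come unpadded or spaced."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): HOTP over the 30-second time-step counter."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(_key(secret_b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, submitted: str, unix_time: int, drift: int = 1) -> bool:
    """Server-side check; tolerates +/- `drift` steps of clock skew (assumed)."""
    for d in range(-drift, drift + 1):
        t = unix_time + d * STEP
        if t >= 0 and hmac.compare_digest(totp(secret_b32, t), submitted):
            return True
    return False

def same_code_on_both(unix_time: int) -> bool:
    """Phone app and hardware key enrolled from one QR code hold one secret."""
    phone_app = totp(SECRET_B32, unix_time)
    hardware_key = totp(SECRET_B32.lower(), unix_time)  # manual entry, lower case
    return phone_app == hardware_key

if __name__ == "__main__":
    now = 59
    print("code at t=59:", totp(SECRET_B32, now))
    print("code at t=60:", totp(SECRET_B32, now + 1))   # next 30 s window
    print("both authenticators agree:", same_code_on_both(now))
    print("stale code after 90 s accepted:",
          verify(SECRET_B32, totp(SECRET_B32, now), now + 90))
```

Because the server only compares against the shared secret, it cannot tell which authenticator produced a code; a printed copy of the QR code or secret is therefore as sensitive as the authenticator itself.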
