Stuck asking for FIDO key on iOS - can't use TOTP code instead

Hi,

Yesterday I got a FIDO security key and immediately set it up to authenticate me with 1Password on the web (I have a business account).

Today when I open 1Password on my iPad I get a "Plug in key" screen with a cancel button. I can't plug my key in to my iPad because it doesn't have Lightning port compatiiblity. But I can't see a way to use a TOTP (authenticator app) code instead. All I can do is cancel, and then it asks me again the next time.

What am I doing wrong here? How can I get rid of the Plug In Key screen on my iPad and use an authenticator app code instead?

Thanks


1Password Version: 7.4.2
Extension Version: Not Provided
OS Version: iOS 13.3.1
Sync Type: 1Password account

Comments

  • BenBen AWS Team

    Team Member

    Hi @rwintle,

    That's odd. You shouldn't be able to set up U2F without first setting up TOTP. If you turn U2F off, does TOTP work?

    Ben

  • I did set up TOTP first on the web app. I think my iPhone gave me an option to use TOTP instead of U2F but the iPad didn’t. I’ll turn U2F off and step through bit again and let you know what happens.

  • OK. Here's my walkthrough:

    1. Log in on the web and disable U2F key
    2. iPad now asks for TOTP code instead of UTF key
    3. iPhone doesn't ask for anything other than master password
    4. Back on the web, add the U2F key again
    5. Neither iPhone nor iPad ask for any second factor now - I guess they've both done their 2 Factor auth and it's not needed again

    I want to try and replicate what happened before so I'm going to have a go at disabling 2-factor entirely and starting again

  • So - here we go:

    1. Turn off two factor entirely through the web interface
    2. Re-enable 2FA using TOTP through the web interface
    3. Re-add U2F key
    4. Open iPhone app - it asks for the master password/touch ID and then the Key. I press cancel and it prompts for the TOTP code. I enter TOTP code and I'm in.
    5. Open iPad app, it asks for master password/touch ID and then the Key. I press cancel and it asks for TOTP code. I swear this didn't happen before - pressing cancel just closed the 2FA prompt and I could only get a prompt for the key.

    Oh well, the iPad is OK now.

    As a step 6 I did:

    1. Open the MacOS app - this asked me for a TOTP code, not the U2F key. Does the Mac app not support U2F yet?

    Thanks

  • BenBen AWS Team

    Team Member

    Does the Mac app not support U2F yet?

    Correct.

    I swear this didn't happen before

    I believe you. :)

    Oh well, the iPad is OK now.

    I'm glad to hear it worked out. We'll keep an eye out for similar reports in case there is a bug in the process somewhere. :+1:

    Ben

  • I had a similar experience 2 days ago on my iPhoneX. I have a family account and had set up U2F for me a few weeks ago. On the iPhone, I use FaceID. So far, both worked perfectly fine. 2 days ago, 1Password on the iPhone asked me to plug in the key. Canceling it somehow proceeded to the FaceID based authentication. This happened 2-3 times in a row. I’ve not experienced it since.

  • BenBen AWS Team

    Team Member

    Thanks for letting us know @RenaldoW. Can you please confirm your data is syncing to all of your devices?

    Ben

  • Confirmed. Syncing is working just fine across all devices (including items in the shared family vault)

  • BenBen AWS Team

    Team Member

    Great; thank you.

    Ben

  • I ran into this as well just now. It asked me to plug in my key but I can't because it's a USB key. When I hit cancel as described above it let me put in my TOTP instead. I would suggest changing this confusing UI so instead of it demanding a key and then allowing a TOTP on Cancel it would just offer either option.

  • BenBen AWS Team

    Team Member

    Thanks for the suggestion, @Anki.

    Ben

  • I'm having a similar issue. I had a YubiKey 5Ci (USB C + Lightning) configured on my 1Password account. Today I replaced that key with a YubiKey 5 (USB + NFC), in addition to a YubiKey 5C (USB C only) I already had. My current 2FA setup is: TOTP + 2 security keys as you can see in the image.

    Then I signed out on the app and, when tried to sign back in, I was asked to "Plug in key". Of course I can cancel the popup and type the TOTP, but I was expecting to be asked to scan the NFC key.

  • BenBen AWS Team

    Team Member

    @fainpablo,

    1Password doesn't do NFC. The only U2F we support on iOS is though the Lightning port, with the Yubikey 5Ci. The YubiKey 5C cannot be used with 1Password for iOS for U2F.

    From our Use your U2F security key as a second factor for your 1Password account guide:

    You can use your security key as a second factor for your 1Password account:

    • on 1Password.com
    • on your iPhone or iPad with a Lightning port (YubiKey 5Ci required)

    (emphasis mine)

    Ben

  • I would swear to have read that 1Password already had NFC support on iOS. Jeez. Alright, I guess this will be a feature request now that Apple has opened the NFC capabilities to the whole world :smile:

  • BenBen AWS Team

    Team Member

    Indeed. :) Hopefully as NFC support and Yubico's libraries evolve we'll be able to bring NFC support to 1Password for iOS. Thanks!

    Ben

  • I’ve heard good things about yubikeys and physical 2FA in general but I’m not sure I fully understand how this works/would eventually work with 1Password.

    I see mainly two use case :

    1. Yubikey is required in addition (or as a replacement) of my master password, whenever FaceId doesn’t work or is not activated. This of course would be an addition to the requirement of yubikey to set vault on a new device.

    2. Yubikey is used within 1Password to replace OTP whenever I log into a website.

    Am I missing something? Thanks!

  • BenBen AWS Team

    Team Member

    Hi @kebel87.

    I see mainly two use case

    Neither of those is applicable to 1Password + U2F / Yubikey. The function U2F serves in relation to 1Password membership accounts is for authorizing new devices. When you go to sign in on a new device you'll need the following information:

    • Sign-in address (URL)
    • Email address
    • Secret Key
    • Master Password

    and, if U2F is enabled you would additionally need:

    • Your security key (which could be a Yubikey) or
    • A TOTP code generated by an app like Authy, Google Authenticator, or even 1Password itself (though 1Password should never be the sole source of TOTP codes for your 1Password account)

    The reason I say or for that last bit is not all of our apps support U2F at this time. For apps that do not support it, you'll need TOTP. At present we have two apps that do support U2F:

    • The 1Password.com web app via a compatible web browser
    • 1Password for iOS (requires the Yubikey 5ci via Lightning)

    I hope that helps clarify the purpose of U2F and where it is available. Please let me know if you have further questions. :)

    Ben

  • Thanks @Ben your answer have been very informative and appreciated. :)

  • ag_tommyag_tommy

    Team Member
    edited December 2019

    I am glad Ben was able to help you and on behalf of Ben your welcome. If you need any help now or in the future, please stop in. We're always here to help.

  • tseregtsereg
    edited February 14

    Hi. I couldn't solve my similar issue described above. I have a TOTP and some Yubikeys set up, none of them are 5Ci. Setting 1password up on a brand new iPad I get "Compatible Security Key Required" warning after tapping "Sign in", and there is no "Cancel" button to fall back to TOTP. Is there any way to enforce using TOTP instead of Yk in this case? Thanks!

  • rudyrudy

    Team Member

    @tsereg,

    I see the logic flaw, we'll get that fixed in the next update.

  • Is there any chance of getting support for the 5Ci’s usb-C side? I also ran into this bug when resetting up my iPad Pro that has USB-C (where you can’t click cancel to sign in with an Authenticator instead) but I could use it to log into the 1Password site with mobile safari on the iPad which is kinda goofy.

  • BenBen AWS Team

    Team Member

    My understanding is that we need support from Yubikey for interfacing with a key over USB-C on iOS, but I'll follow up with the development team and see if there has been any change on that front. :+1:

    Ben

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file