YubiKey for 2FA with iPad Pro

I’ve recently tried to set up 2FA using a YubiKey 5 NFC for my account. This works fine on my Mac mini and iPhone 11 Pro, but on my 3rd gen iPad Pro the app was just crashing on launch.

After trying a reset of the iPad I eventually deleted the 1Password app and reinstalled, at which point I discovered that the source of the problem is that it’s saying that the iPad is not compatible with any of the supported 2FA keys.

I realise that the iPad doesn’t have NFC, but the YubiKey 5 NFC does seem to be compatible with the iPad Pro using a USB-C to A adapter (although it’s obviously not working for 1Password).

Is this something that will eventually be supported by 1Password in software, or is there still some limitation in iOS or the iPad or YubiKey that will prevent this combination working?

Thanks


1Password Version: 7.4.5
Extension Version: Not Provided
OS Version: iPadOS 13.3.1
Sync Type: Family Account

Comments

  • BenBen AWS Team

    Team Member

    Hi @markmat

    As far as I'm aware, on iOS, we're only able to support Yubikeys over Lightning (Yubikey 5Ci only) or NFC. It is possible that may change in the future, but I couldn't speculate on that.

    Sorry I don't have further information to share at this point.

    Ben

  • Thanks Ben,
    I also saw this update earlier in the week. I’ve not had a chance to test whether this has helped with the issue I was seeing.

  • BenBen AWS Team

    Team Member

    Please let us know how it turns out @markmat. :)

    Ben

  • It works for me, at least. It asks for 2FA from my mobile app and doesn't enforce Yubikey anymore.

  • BenBen AWS Team

    Team Member

    Thanks for letting us know @Naxterra. Which Yubikey and which iOS device are you using?

    Ben

  • I have iPad Pro 11 (latest gen) and Yubikey 5 NFC

  • BenBen AWS Team

    Team Member

    Gotcha. That is what I'd expect to happen, then. Thanks again @Naxterra. Just wanted to be sure it wasn't a Yubikey 5Ci, which should now work over USB-C with the iPad Pro 11. :+1:

    Ben

  • @Ben I’ve just tested this (USB-C iPad Pro with YubiKey 5 NFC), results below.

    Basically I think I’m seeing the same results as @Naxterra
    The app launches fine, and when prompted for the code I enter the code from the YubiKey app on my iPhone and it’s worked fine.

    So it’s all fixed for me now, and sounds like I can use either a YubiKey 5 NFC or 5Ci with my combination of devices 👍🏼

    For the record, results using the YubiKey 5 NFC with the Apple USB-C to A adapter were as follows:

    • The key lights up
    • Tapping the key does result in a string of characters being entered into 1Password, although that’s obviously not what it’s expecting and it doesn’t authenticate successfully
  • BenBen AWS Team

    Team Member
    edited March 6

    The Yubikey 5Ci can be used for U2F with a USB-C iPad Pro. A YubiKey 5 NFC can only be used for TOTP with such a device.

    Correction: As of writing, YubiKeys can only be used for TOTP (not U2F) on USB-C iOS devices. This is due to a hardware limitation of the keys themselves, and as such it is unlikely that it is a situation that will be able to be addressed in software.

    Ben

  • dberkdberk Junior Member

    Ben, I have a YubiKey 5Ci and have successfully used it to log in to my 1Password web account in Safari on my iPad Pro using USB-C. However, when I try to log in using the 1Password app on the iPad Pro, it only allows an authenticator app OTP. So is the iPad 1Password app capable of using this hardware key? The same hardware key works fine on my iPhone 1Password app.

  • BenBen AWS Team

    Team Member

    @dberk

    The release notes for v7.4.6 say:

    Fixed an issue that would prevent you from logging in to your 1Password account when configured with a security key on an iPad with a USB-C port.

    It is possible that I misinterpreted this note. I'm going to clarify with our development team and will follow up here with further. Thanks!

    Ben

  • BenBen AWS Team

    Team Member
    edited March 6

    Doh. My apologies folks. It appears I did read too much into that statement. The YubiKey 5Ci's USB-C connector is not connected to an MFi chip, and as such, as far as we're aware, will never work on iOS via USB-C. I will correct my statement above.

    Ben

  • dberkdberk Junior Member

    Ben, thanks for the update. If it is an MFi chip issue, why does the 5Ci hardware key work with the 1Password web account in Safari on the iPad Pro but not in the 1Password iPad app? Is it an app API issue?

  • BenBen AWS Team

    Team Member

    @dberk

    It does appear Safari is handling the device differently, and more generically, while we're using the official Yubico integration. It is in theory possible that we could switch over to the same thing Safari is doing, but it seems that has its own set of caveats. As such that probably isn't the way we're going to head, and it certainly isn't something on the radar at the moment.

    Ben

  • lsmithlsmith Junior Member

    I am quite confused now.
    So if I heavily use an iPad Pro, do I have a path to also use a Yubikey of any type?
    Or will I effectively not be able to then log into any site and app I protect via Yubikey on the iPhone or my laptop while using the iPad Pro?

    Any hope that the upcoming “YubiKey 5C NFC” will improve the situation in case the current options do not work?

  • rudyrudy

    Team Member
    edited June 3

    @lsmith,

    Unfortunately, not in the native iOS 1Password application. You might be able to get it to work on the iPad Pro to log in via https://my.1password.com. I don't have an iPad Pro myself to say for certain if this combination works or not.

    Any hope that the upcoming “YubiKey 5C NFC” will improve the situation in case the current options do not work?

    I think it's pretty unlikely to change anything. The iPad Pro lacks an NFC reader entirely, and the USB-C side of the device would need to have an MFi (Made for iPhone/iPod/iPad) chip in order for it to work with their native app integration.

  • lsmithlsmith Junior Member

    Slightly off-topic but related... are there any other keys supported that would work better?

    Like Librem Key / NitroKey / Thetis / Google Titan / TurtleAuth / Gemalto

  • BenBen AWS Team

    Team Member

    @lsmith

    I'm not aware of any. The USB-C connection of such a key would need to be MFi-enabled, and I haven't heard of any that are. At this time we're only able to test and support a limited set of keys, so I don't have first hand experience with any of the ones you mentioned. If anyone has one and wants to try it out there isn't any harm in trying it.

    Ben

  • gigneil78gigneil78
    edited August 1

    @Ben, @rudy there is no such thing as a USB-C MFi device and never will be. MFi only applies to devices that are compatible with Lightning (which would include a Lightning to USB-C adapter), the iPod Dock Connector, as well as software that implements AirPlay.

    Requiring such would be in violation of the use of the standards, and would obviate the whole point of Apple implementing USB-C on the iPad.

    The USB-C side of the YubiKey 5Ci, along with all of their other USB-C keys, is both fully and natively supported by Yubico and Apple on the iPad Pro as well as other competitors of yours. That’s why it can be used in Safari, Chrome, as well as any other iPadOS applications you want. Other USB-C keys or in fact any USB key used with any adapter are also fully supported. Note that the use of Google products requires installation of the Google Smart Lock app.

    You have no barriers to supporting it at all, as there are no limitations to the use of the USB-C port at all. And however you get access to the device on Android or any other platform will work fine - since you can’t install a driver of any kind for it on Android and one is not required elsewhere. It’s just your average everyday USB HID device.

  • BenBen AWS Team

    Team Member

    @gigneil78

    On iOS we're using the Yubico SDK. The keys that we're able to support are defined by that SDK. I wouldn't be in a position to comment on the Android side of things but if you're having trouble there I'd recommend starting a thread in our Android category. One of my colleagues will be happy to help.

    Ben
