Use Yubikey UFC device to enter master password on iPhone

Doctor_Dan
Doctor_Dan
Community Member

I notice that there are a number of posts that are related to my question that relates to the need to enter the master password.
1 - I presume that there is general agreement that a good master password should be somewhat long and complex.
2 - Entering long, complex things using the "keyboard" on an iPhone can be a challenge and is definitely a pain in the a...
3 - It is annoyingly common for 1PW to prompt for the master password instead of using Face-ID to gain access.
4 - Your description of the Yubikey NFC device describes its use as a second factor. This implies, again, that there will be instances when mone is forces to enter the master password using the "keyboard".
5 - It is not clear to me why the user should not be able to, if they choose, to use either Face-ID or an NFC device as a substitute for the master password.

I have to tell you that every time I get the master password prompt on the iPhone 11 it makes me seriously question whether 1Password is worth the trouble. Entering that password is totally onerous.

You may consider that these alternate methods of signing-in are undesirable but if you offered them then the user could choose when convenience should trump absolute security. Until you offer the option the user (me) has no choice but to suffer.

Or are you suggesting that the use of 2FA means that the master password can be trivially simple?

I would appreciate getting your reaction, and hopefully, some change in the behavior of the app.

Thank you,
Dan


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Use Yubikey UFC device to enter master password on iPhone

Comments

  • Hi @DoctorDan

    1 - I presume that there is general agreement that a good master password should be somewhat long and complex.

    The longer the better. As far as complexity is concerned the important bit is that there is some randomness to it so that it isn't either human or computer guessable. For example correct horse battery staple might not be a terrible password if it weren't plastered all over the internet. :) And it is probably longer than a 'complex' password that someone could realistically memorize.

    2 - Entering long, complex things using the "keyboard" on an iPhone can be a challenge and is definitely a pain in the a...

    Sure; which is another reason you might consider using a words based passphrase:

    How to choose a good Master Password

    3 - It is annoyingly common for 1PW to prompt for the master password instead of using Face-ID to gain access.

    I believe we've discussed this at length in other threads but if I'm mistaken or there is still help to be had here please let me know and we can troubleshoot.

    4 - Your description of the Yubikey NFC device describes its use as a second factor. This implies, again, that there will be instances when mone is forces to enter the master password using the "keyboard".

    For 1Password accounts second factors are only required once per device unless the device is deauthorized or somehow forgets its authorization (such as what would happen if you were to uninstall the 1Password for iOS app).

    5 - It is not clear to me why the user should not be able to, if they choose, to use either Face-ID or an NFC device as a substitute for the master password.

    Neither of these things can be used in the encryption of your data. The core protection that 1Password provides customers is encryption.

    I have to tell you that every time I get the master password prompt on the iPhone 11 it makes me seriously question whether 1Password is worth the trouble. Entering that password is totally onerous.

    You may want to consider a different Master Password in that case.

    You may consider that these alternate methods of signing-in are undesirable but if you offered them then the user could choose when convenience should trump absolute security. Until you offer the option the user (me) has no choice but to suffer.

    It certainly isn't our intention to see you suffer. 1Password should make life easier, not harder. But the Master Password isn't going away, so you may need to adjust your approach to account for that.

    Or are you suggesting that the use of 2FA means that the master password can be trivially simple?

    Not at all. They protect against different threats. Our Chief Defender Against the Dark Arts elaborated on this here:

    Two-factor apps — 1Password Forum

    (specifically, in this post)

    Does that help?

    Ben

  • Doctor_Dan
    Doctor_Dan
    Community Member

    I appreciate what you are saying. Regarding "For 1Password accounts second factors are only required once per device unless the device is deauthorized or somehow forgets its authorization (such as what would happen if you were to uninstall the 1Password for iOS app)."

    The yubikeys that i bought in the past could be programmed to transmit a string when the button was touched that was fed into the keyboard buffer. So, your password would go to whatever field had focus and the cursor. All I'm looking for is the ability to do that on ios.

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you for the clarification @Doctor_Dan :+1: I don't know if this is possible on iOS, but we will keep your feedback in mind :)

This discussion has been closed.