1Password, Yubikey and Yubico Authenticator

guillaumesertonguillaumeserton Junior Member

Hi All,

I'm thinking of buying Yubikeys.
Today, I'm using 1Password Families and Teams on mac and Android mainly. Rarely the web version
I'm keeping all my credentials in 1password. For website with MFA, I enabled them with TOTP when it's available, so my TOTP are stored in 1P too.

I haven't already read enought on Yubikey, but I'm wondering what I could achieve in my current workflow if I'm buying Yubikey to add with 1password.

Do I need to replace 1password app by the Yubico Authenticator, what I will not be able to achieve if I'm not using this Yubico Authenticator app and I keep 1password (that I will prefer).

Thanks for your help.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • guillaumesertonguillaumeserton Junior Member

    Hi,

    is there anyone using Yubikey and also 1password app?

  • BenBen AWS Team

    Team Member

    Hi @guillaumeserton

    The difference between having a Yubikey do your TOTP vs having 1Password do it is that you would need your Yubikey in order to generate TOTP codes, instead of needing a device you've authorized 1Password on + your Master Password. Which would be more convenient is up to you, but i use 1Password. :)

    Ben

  • guillaumesertonguillaumeserton Junior Member

    Thanks @ben
    That was my thoughts.
    Yubikey seems more secure to me because it's hardware but pain in the #ss on usability.
    However I think I'm going to try.

  • ag_anaag_ana

    Team Member

    Sounds good @guillaumeserton, let us know how it goes :+1::)

  • guillaumesertonguillaumeserton Junior Member

    It goes very well :)
    I have registered my 2FA TOTP on my two Yubikey (using Yubico Authenticator) then register my both Yubikey as well for the U2F.

    All seems working fine.
    Now my Family account and my business account are more secured.

    Just I don't understand why we cannot disabled the TOTP. I would prefer to get a backup code instead. Maybe it's because U2F is not yet supported by all apps.

  • BenBen AWS Team

    Team Member

    That's exactly it. :)

    Ben

  • Maybe it's because U2F is not yet supported by all apps.

    @Ben ...... when? I’m dying for this :lol:

  • ag_anaag_ana

    Team Member

    @prime:

    We are working on it, but unfortunately we don't have an ETA to share yet, sorry!

  • I generally like the convenience of having TOTPs generated in 1Password for the websites. However wouldn't be it beneficial of having something like Yubico Authenticator to generate TOTP for 1Password online account only? Let's assume we are going to log in from unauthorized device without having any of the 1PW authorized devices next to us. Then having 1Password doing TOTP for 1Password account we won't be able to access the data.

  • guillaumesertonguillaumeserton Junior Member

    @Malbec
    That's my workflow today. My 1P TOTP is on my Yubico. Not only 1password but other website too. For some I keep the TOTP generated by 1P, but for my "high sensitivity" accounts, I put them on my Yubikey.

  • BenBen AWS Team

    Team Member

    @Malbec

    I'm not entirely sure I understand what you're saying, but if I follow... We don't recommend having 1Password be the only place you store your TOTP secret for your 1Password account. We recommend also using Authy, Google Authenticator, or similar. Yubico Authenticator could work too. :)

    Ben

  • @guillaumeserton Thanks for sharing your work flow. Make sense to not put all TOTP codes in one basket.

    @Ben yes, exactly this was my question. Keeping TOTP for 1Password online account with 1Password only could become problematic should we find ourself in a situation without authorized devices. Correct me if I am wrong but it is possible for 1Password staff to disable 2FA on the account after some verification.

    Also the emergency kit doesn't store any info about 2FA such as QR or secret code. So this should be added by the user himself to such kit, right? Because as I understand in order to use "authenticator apps" they would need to scan exactly the same code, is that right?

  • BenBen AWS Team

    Team Member

    Correct on all counts. :+1:

    Ben

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file