U2F support for Yubikey

2»

Comments

  • brentybrenty

    Team Member

    That does sound really cool. It's only a dream now, but maybe someday. :chuffed:

  • This would be great. Some type of integration would be great to consolidate personal authentication processes.

  • brentybrenty

    Team Member

    Thanks for letting us know you'd like additional authentication options for 1Password Teams. Cheers! :)

  • I too would prefer to have hardware u2f support. I am not a team member but would pay extra to have it as a third level. Apple has finally opened up nfc api for third parties. All that awaits I think is for third parties like Agile to build in support to their apps along with yubico. I know these things take time but others have gotten this taken care of. I will give it three more months and if nothing changes I will be forced to change providers. Please, please, work on this.

  • brentybrenty

    Team Member
    edited January 12

    Just to clarify, it isn't necessary to post the same thing in multiple places (as it doesn't count as an extra "vote" or anything). I don't see it happening in "three more months", but thank you for letting us know it's a feature you'd like us to add in the future. Cheers! :)

  • I'd like to add my voice to those calling for 2 factor authentication with U2F via Yubikey. I was a bit confused about some of the earlier comments regarding the strength of 1PW's encryption. This isn't really the point. All the encryption in the world won't protect you if you've been duped into entering your master password on a phishing site. U2F protects against phishing because the URL of the genuine website forms part of the protocol so the brower simply won't transmit the one time password to a fake site making it pretty much phishing-proof authentication.

  • LarsLars Junior Member

    Team Member

    @petalhanger - thanks for weighing in. :) As mentioned in previous replies, we are looking into adding support for U2F, but I've nothing tho announce on that front just yet.

  • I would love to see U2F support for example in combination with one of the crypto hardware wallets.

  • rickfillionrickfillion Junior Member

    Team Member

    Thanks for your feedback @mrgreen.

    Rick

  • Wish 1Password for Mac could support yubikey authentication.
    As I have a long enough Master password, in iOS, I just need to re-enter it by every reboot, and daily authentication could be done by fingerprint
    But in Mac, it is a nightmare, every daily usage require a long keyboard work.
    The mac login process could be shorten by yubikey PIV mode(use yubikey and PIN to instead of normal password), if yubikey support for mac could be done, it should save me lots of time.
    Don't care it be implemented by U2F or PIV mode, it saves time!

  • Hello everyone,

    Id like to see the Yubikeys, certainly the newest Yubikey 4 also supported, like it is for other minimalist password managers.

    It could even offer features to make it friendlier for people not really of "Guru" status concerning x509,PGP etc.

    XCA is rather complete for generating, but it lacks compatibility on my system for a reason I ignore. I'd need 1Password to generate CA, Intermediate and Certificate for company internal use (mobile deployment, profiles management, ....) I 'm never quite totally sure about the extensions I must add, which are recommended, mandatory for a particular feature etc. Till now, I haven't found a single well clear and for me readable ressource for me to learn this. Certainly not the Help feature of the Server.app on macOS, and even not in expensive books I bought about learning to configure it.

    At first, maybe yet just to protect the 1Password local storage on the computer. Or to unlock when you don't have TouchID on your not-brand-new-macbookpro

    Or for the OTP feature in the items. to add other types of 2nd factor to the skills of 1Password

    I'm still experimenting with Duo and pam_yubikey and Saaspass, just to see what I can do with tools provided for free with an active directory, crl generation, auto-requests signing, etc. I'd like to see the field of possibilities it can give

  • LarsLars Junior Member

    Team Member

    @ppcharlier - Thanks for adding your voice to those looking for this feature. :)

  • brentybrenty

    Team Member

    @bigboyq: Likewise, thanks for the suggestion! :)

  • IMHO the biggest problem with U2F in 1password would being able to support backup keys. Otherwise it would be simple to just encrypt the internal data using the key's response value.

  • brentybrenty

    Team Member

    Indeed, there are a lot of factors to consider. We want to make sure if and when we do something in this area it's a win for users, both with regard to security and usability!

  • Hi,

    There are a bunch of Password Managers which already support Yubikeys: https://www.yubico.com/solutions/#password-management
    Also it's a corporate standard in such companies as Google, Facebook, etc.
    As an active 1Password user I hope it will get higher priority in your backlog :)

    Thanks,

  • BenBen AWS Team

    Team Member

    Thanks for the feedback, @ell. We don't have any plans to support the use of Yubikey with 1Password at the moment. We have a fairly in-depth discussion happening about MFA / 2SV in regards to 1Password here:

    Why not use 2 factor authentication to secure my 1Password Vault? — AgileBits Support Forum

    You may be interested in reading through that thread.

    Thanks.

    Ben

  • I really want to see 1Password support for the YubiKey 4C Nano, too. I use it not only on mobile, but also macOS.

  • brentybrenty

    Team Member
    edited May 9

    Thanks for letting us know your preference! :)

    While we don't currently have plans for that (and it couldn't work with local vaults anyway, since there is no authentication in that case), 1Password.com accounts already support two-factor authentication via TOTP. Cheers! :)

  • I'm a recent 1Password convert, but I've also used Keepass, LastPass, and Bitwarden over the last few years. I use U2F for the sites that will support it, and for the remaining sites, including 1Password's web vault, I use Authy.

    Brenty, you mentioned that 1Password.com already supports 2FA via TOTP, but I like using the Yubikey for one main reason - convenience. It's much quicker to simply press a button on the device than to paste in a numerical code, and I'm also able to use devices like Kensington's Verimark Key to further protect my U2F keys via biometrics.

    This also has the advantage of keeping my private TOTP keys on a separate hardware device. It may not increase the password vault's protection level since the decryption keys are already present on the device running 1Password, but it allows me to better protect my TOTP secrets. This is the same reason why I'm considering switching to Yubico's Authenticator over Authy. I could even access my 1Password web vault if my phone died, since the Yubikeys are easily portable and require no battery power. Right now I'll most likely have to copy the TOTP key to Yubico Authenticator to use as a backup.

    Is it really that cost-prohibitive to provide support for both U2F and TOTP at the same time à la Google? U2F allows for both convenience and security. What solution do you currently see as being more effective than U2F? Surely not TOTP. As it stands, 1Password is already a premium password management product for security-conscious users - exactly the sort of users who would stand to benefit from the extra convenience and security that U2F has to offer.

  • brentybrenty

    Team Member

    @chewie198: Thanks for chiming in! Indeed, there are certainly benefits to using something like a separate hardware device. But at the same time, there are drawbacks as well, so it's something we have to weigh carefully. I'm not sure what you have in mind in terms of cost, but while I don't have a good sense of the big picture we've definitely had an increase in support requests since introducing two-factor authentication from people locking themselves out of their accounts. And again, these are security-conscious people who have opted-in to this feature. So there are a number or factors to consider.

  • @brenty: Thanks for your quick response. I hadn't considered the support costs. That said, if you provided both options simultaneously, then the incidence of people locking themselves out of their accounts should go down, not up, because they now have multiple methods to access a working 2FA key.

    For instance, if you made TOTP mandatory when enabling MFA and U2F was optional, then users such as myself could store the TOTP key offline as a backup while still using U2F with, say, a two key minimum. Everyone else could just continue to use TOTP, in which case the risk of locking themselves out would be unchanged. If anything, I would expect the incidence of U2F + TOTP users being locked out of their account to be lower than the remainder. That seems like a win across the board in every area except the initial development costs, which could be offset by the decrease in ongoing support costs versus TOTP alone and the increase in paid, security-conscious customers such as myself.

    I think you also have an opportunity for differentiation here - while Bitwarden and Dashlane already support U2F, LastPass only supports Yubico's OTP mode, which isn't as prevalent nor as useful.

  • BenBen AWS Team

    Team Member

    Thanks for the continued feedback on this @chewie198. While we don’t currently have definite plans we do agree that U2F is very cool technology and we’re evaluating how/where/if it’ll best fit into the 1Password ecosystem. Fingers crossed. :)

    Ben

  • @Ben: Thanks for listening. Just trying to add my straw to the camel's back :chuffed:

  • BenBen AWS Team

    Team Member

    You’re welcome! :)

    Just trying to add my straw to the camel's back :chuffed:

    ;)

    Ben

  • Perhaps a more realistic first step would be to simply expose the U2F authentication offered by DuoSecurity to the 1Password Teams Pro integration of it?

    The current authentication integration with DuoSecurity is a bit limiting and inconsistent between the web login and Desktop application login.

  • LarsLars Junior Member

    Team Member

    @DariusR - thanks for the suggestion. :)

  • EtherealmindEtherealmind Junior Member

    Another vote for U2F

  • AgileBits has an opportunity here. Having missed the initial boat on FIDO/U2F, you now have the opportunity to be one of the first to implement FIDO2. There are probably other implications for AgileBits with FIDO2 that fall into the "big picture" category, so it might be worth a look at any rate.

  • BenBen AWS Team

    Team Member

    Thanks for the feedback, folks. We'll certainly take your thoughts into consideration. As I mentioned above I'm not aware of any definite plans at this point for U2F/FIDO, but that isn't to say we might not make some. :)

    Ben

2»

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file