Bluetooth or other key as pin replacement

virtualbartek
Community Member

I'm happy to type my Master password on a keyboard, but on a touchscreen it's just too much to ask. That means that anyone can access my vault with just a numeric pin. Couldn't there be a second authentication method in this case? I would especially like it if that was some sort of external physical key, or even a token like banks use at times. Even Google Authenticator would be a step up in security here. What's the best thing to do here? I use iOS and Android, and MacOSX and even Windows at times, to my dismay.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Bluetooth or other key as pin replacement

Comments

  • AGAlumB
    1Password Alumni

    I'm happy to type my Master password on a keyboard, but on a touchscreen it's just too much to ask.

    @virtualbartek: I hear you. I find it helps to use a long, strong, unique Master Password that is more mobile-friendly. And I'd still rather have to spend a few seconds typing than put my data security at risk by using a PIN or weak password.

    That means that anyone can access my vault with just a numeric pin.

    What?! Why? 1Password will only accept a PIN if you've set it up to do so. And certainly don't give it to anyone!

    Couldn't there be a second authentication method in this case? I would especially like it if that was some sort of external physical key, or even a token like banks use at times. Even Google Authenticator would be a step up in security here.

    To be clear, this isn't authentication: 1Password uses encryption to protect our data, so having it phone home to a server to authenticate would be either:

    • Impossible, if you don't have an internet connection;
    • Silly, if you're using a local vault which is designed to be used locally;
    • Dangerous, since you could lose your dongle-dealie and lock yourself out.

    TOTP is a possibility for 1Password.com accounts in the future since there 1) is a server and 2) it could be used for authorizing a new device for the first time. But again, on a fundamental level, 1Password data needs to be secure even if the attacker has it. We don't want to assume that someone couldn't get your data if they wanted to (by stealing your device, etc.), so the encryption needs to be able to withstand attack once any other measures are bypassed.

    What's the best thing to do here? I use iOS and Android, and MacOSX and even Windows at times, to my dismay.

    It's hard for me to give concrete recommendations about this as that would amount to suggesting Master Passwords for you and others. And obviously following my pattern would not be a great move for security for any involved. However, I've found that the suggestion I made above has been helpful for me and others, and we have a more in-depth take on the topic as well:

    How to choose a good Master Password

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • virtualbartek
    Community Member

    "That means that anyone can access my vault with just a numeric pin."
    What?! Why? 1Password will only accept a PIN if you've set it up to do so. And certainly don't give it to anyone!

    Because I use a pin. I don't have the better part of a minute to type out my master password, just to be told that it's wrong and need to do it again.

    "To be clear, this isn't authentication: 1Password uses encryption to protect our data, so having it phone home to a server to authenticate would be either..."

    Yes, I understand that. Neither is using a PIN. I'm not talking about replacing the master password. I'm talking about once I have input the master password and have switched over to the PIN for the day, using a second factor would strengthen the PIN access. Any mobile-friendly pass phrase would not be secure, in my opinion. Anything more than a 6 digit pin is tedious.

    Anyhow, the answer appears to be that, no, you don't have nor do you intend to make the process easier for people while keeping things very secure. If I was to lose a physical key then that would be my own problem, not depriving me of access since I would still know my Master Password.

    Thanks

  • AGAlumB
    1Password Alumni

    Because I use a pin. I don't have the better part of a minute to type out my master password, just to be told that it's wrong and need to do it again.

    @virtualbartek: Gotcha. I misunderstood what you were saying.

    Yes, I understand that. Neither is using a PIN. I'm not talking about replacing the master password. I'm talking about once I have input the master password and have switched over to the PIN for the day, using a second factor would strengthen the PIN access. Any mobile-friendly pass phrase would not be secure, in my opinion. Anything more than a 6 digit pin is tedious.

    I've got to tell you you're wrong on this one: randomly-generated, word-based passwords can be both secure and easy to type on a mobile keyboard. You can even use 1Password to generate one. 4 words is the minimum we'd recommend using, and personally, I use numbers and symbols as well to further strengthen it. But someone guessing 4 random words correctly is infeasible today, and 1Password protects against brute force attacks by slowing down guesses considerably.

    Anyhow, the answer appears to be that, no, you don't have nor do you intend to make the process easier for people while keeping things very secure. If I was to lose a physical key then that would be my own problem, not depriving me of access since I would still know my Master Password.

    Please don't put words into my mouth. ;)

    In fact, dingle-dongles are not easier for most people. And if you've been keeping up with the news, these can be insecure as well and are hard to fix (shout out to Yubico though for getting out replacements to people so quickly).

    As much as we can agree that "it would be your own problem" if you lost yours or it was compromised, part of what our customers pay for is us helping them navigate digital security and not pushing them into doing things that will hurt them, either by being insecure or by losing access to their data.

    And, ultimately, the thing is, there are already secure, stable solutions to this problem: 1Password.com (with the Secret Key) and Touch ID can help on both the security and convenience fronts. It's up to you whether you choose to use these or not, so I don't think it's fair to say that we're the ones holding you back in that regard just because we're not doing the exact thing you're asking for.
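As an added illustration of the guess-space argument made in the reply above (this is not part of the thread or of 1Password's code), the following Python compares a 6-digit PIN with a four-word randomly generated passphrase. The wordlist size (7776, a diceware-style list) and both guess rates are assumptions chosen for the comparison.

```python
import math

# Constructed assumptions for illustration; none of these figures come from the thread.
PIN_DIGITS = 10            # alphabet size for a numeric PIN
WORDLIST_SIZE = 7776       # assumed diceware-style list (6^5 words)
FAST_HASH_RATE = 1e10      # assumed guesses/s against an unsalted fast hash
SLOW_KDF_RATE = 1e4        # assumed guesses/s against a deliberately slow KDF
SECONDS_PER_YEAR = 365.25 * 86400


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of equally likely secrets of this shape (uniform random choice)."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Entropy of a uniformly chosen secret from a space of this size."""
    return math.log2(space)


def average_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the space on average."""
    return space / 2 / guesses_per_second


def compare(pin_length: int, words: int) -> dict:
    """Side-by-side figures for a numeric PIN and a word-based passphrase."""
    pin_space = guess_space(PIN_DIGITS, pin_length)
    phrase_space = guess_space(WORDLIST_SIZE, words)
    return {
        "pin_bits": entropy_bits(pin_space),
        "phrase_bits": entropy_bits(phrase_space),
        # A PIN falls in seconds whether or not the KDF is slow.
        "pin_seconds_slow_kdf": average_crack_seconds(pin_space, SLOW_KDF_RATE),
        # For the passphrase the slow KDF is what turns days into millennia.
        "phrase_days_fast_hash": average_crack_seconds(phrase_space, FAST_HASH_RATE) / 86400,
        "phrase_years_slow_kdf": average_crack_seconds(phrase_space, SLOW_KDF_RATE) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for key, value in compare(pin_length=6, words=4).items():
        print(f"{key:>24}: {value:,.2f}")
```

The output shows why the reply treats the PIN as a convenience feature rather than a protection against someone who has the encrypted data, and why the KDF slowdown only pays off when the secret itself has enough entropy.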

  • virtualbartek
    Community Member
    edited October 2017

    I didn't mean to say that you're holding me back. My words were meant to sound more along the lines of that to make a story short, I don't think it's possible to do what I'm trying to do, and I'm stuck using a rather insecure pin (I've got an android phone and 1st gen iPad air).

    Ok, so here's a randomly generated pass phrase with just 4 words and no symbols cause changing screens adds hugely to the annoyance factor:

    chrism mask decry soignee

    Mine is about double that with symbols and numbers, but let's just say that it's the one above. I'll time how long it takes to type that out without mistakes: 20 seconds. That's a long time when standing in a queue/line somewhere and you are asked your National ID number, for example. I'm usually nervous in those situations cause I hate to keep people waiting, so I end up messing up. Or worse yet, when I have a classroom full of students waiting for me to show them something on the screen, and I just need to log in to some website to accomplish that. Yeah, I wish I could have the time to log in beforehand, but sessions time out, etc. I need quick access to my vault, and at the moment a PIN seems to be my only option. Should someone steal my phone, my only hope is that they don't realize that it has 1Password. That's likely to be the case.

  • AGAlumB
    1Password Alumni

    I didn't mean to say that you're holding me back. My words were meant to sound more along the lines of that to make a story short, I don't think it's possible to do what I'm trying to do, and I'm stuck using a rather insecure pin (I've got an android phone and 1st gen iPad air).

    @virtualbartek: Ahh. At first I read that as "first get iPad" and I was in awe. :lol:

    Ok, so here's a randomly generated pass phrase with just 4 words and no symbols cause changing screens adds hugely to the annoyance factor: chrism mask decry soignee

    ++ on the "symbols add annoyance factor". I'm right there with you, so I prefer numbers since that's much easier to deal with on an iPhone.

    Mine is about double that with symbols and numbers, but let's just say that it's the one above. I'll time how long it takes to type that out without mistakes: 20 seconds.

    Wait, really? Based on my observations of millennials, I really don't think I am a fast iPhone keyboardist, but it takes me about 7 seconds. Now, that's a bit of a cheat since I typed "soingee"...but I think in that particular example I'd regenerate and hope for something other than "soignee". Also, full disclosure, that's on an iPhone. I am TERRIBLE on my Android phone for some reason... :crazy:

    That's a long time when standing in a queue/line somewhere and you are asked your National ID number, for example. I'm usually nervous in those situations cause I hate to keep people waiting, so I end up messing up. Or worse yet, when I have a classroom full of students waiting for me to show them something on the screen, and I just need to log in to some website to accomplish that. Yeah, I wish I could have the time to log in beforehand, but sessions time out, etc. I need quick access to my vault, and at the moment a PIN seems to be my only option. Should someone steal my phone, my only hope is that they don't realize that it has 1Password. That's likely to be the case.

    Yeah those are good real-world examples. But, in lieu of a fingerprint sensor, I'm not sure there's a good solution apart from finding a better middle ground between easy-to-type and super-secure. Even if we were to do some kind of dongley thing in the future (this is very, very unlikely), that's another thing to lose. What if you forget it? Maybe you're sure you won't, but that doesn't help anyone else in similar situations. And god forbid bluetooth fails at a key moment...

    Anyway, definitely important to consider alternatives. I just don't think this is the right one for most people, and therefore not a good fit for 1Password.
