Support for Yubico "Security Key"?

XIII
edited April 2018 in Lounge

Yesterday Yubico introduced their new Security Key, including this:

  • strong first factor, with the possession of the device only, allowing for a passwordless experience like tap and go

I would love to see support for this in the Windows and Mac App as a replacement for the password for family members who have trouble remembering a strong master password.


Comments

  • brenty

    Team Member

    @XIII: This has been possible with Yubikey and similar devices for years. It's just not something we recommend since, unlike a password you forget, which you could potentially remember, you're completely out of luck if you lose it. Also, unlike a password that's only stored in your brain, someone could steal it. Using account recovery in a family or team environment can let you sort of have it both ways, without having something that can be lost or stolen, but also having a way to help your loved ones get in if they lock themselves out, if you're an admin. Yubikey does interesting stuff and we'll continue to evaluate to see if there's a good fit with 1Password in the future. Cheers! :)

  • I get it.

    Still: maybe a very secure password on a device that never leaves the house might be better than a weak master password (that's used online)?

  • brenty

    Team Member

    Yeah, that's an interesting trade-off. I wouldn't personally be able to live with being able to access 1Password only at home, but perhaps others would. :)

  • iPhone (with TouchID) on the go, desktop Windows PC at home (for the family members having a hard time remembering strong passwords).

  • brenty

    Team Member

    :) :+1:

  • Even though I understand the risks of separate hardware tokens, I also see them as an added value for elevated security. And it shouldn't be the only form of 2FA, but an additional form of 2FA.

  • brenty

    Team Member

    @mvandam: I think that's reasonable. Perhaps we'll be able to add additional options like that in the future. Thanks for weighing in! :)

  • You're welcome :)

  • brenty

    Team Member

    :chuffed: :+1:

  • XIII
    edited May 2018

    “YubiKey comes to the iPhone with Mobile SDK for iOS and LastPass support” - Yubico

    https://www.yubico.com/2018/05/yubikey-comes-to-iphone-with-mobile-sdk-for-ios-and-lastpass-support/

    Does AgileBits have any plans for this kind of 2FA?


    Sync Type: 1Password.com

  • brenty

    Team Member

    @XIII: While I don't have any plans to share, it's something we've been evaluating. :)

  • +1 on wanting this to happen

  • brenty

    Team Member

    Thanks for chiming in! :)

  • also +1 on this feature

  • roustem AgileBits Founder

    Team Member
    edited May 2018

    I do not think this is support for FIDO U2F but for a less secure, proprietary YubiKey protocol. I thought that Yubico switched to U2F completely but it seems that they are still keeping their old technology in place.

    In this case, I would have to agree with most of the points made in the YCombinator thread here: https://news.ycombinator.com/item?id=17125329

    We do not have unlimited resources and I would rather spend ours on adding support for U2F.

  • I too have a yubikey but to be honest with you I'm a bit underwhelmed with what it offers.

    My assumption was that I'd be able to go through my various accounts and delete phone numbers, 2FA settings etc and solely use the Yubikey but in practice that isn't what I can do.

    Every site I've registered the key with still needs phone numbers and 2FA before you can then add the key which just defeats the purpose of having the key. It's become an alternative way of logging in rather than THE way to login.

    It's a good idea but will only work as I think it should when humans stop being forgetful. Until then it doesn't add anything to my digital life.

    In fact, the ONLY thing I've found that works as I imagine it should is the Yubi Authenticator app for Android where you have to tap the key to the phone (NFC) before it unlocks the... 2FA number list! An extra step for small gain.

    For the time being it's sitting in a USB port and allowing me to log into my Windows 10 computer automatically without having to type in password, PIN code etc. A saving of a massive 10 seconds!

  • brenty

    Team Member

    Hey, those 10 seconds add up though! But I agree: that's a bit confusing as a user too. I don't think humans will stop being forgetful, but fortunately there are a lot of smart people working on these problems. Thanks for sharing your experiences! :)

  • @richardburt and @brenty, I think part of the point of using a physical security key is being missed here. Yes, you have to often enable SMS or some other method, but that's not the security hole. It's using those methods that provides the most risk. These keys are used mainly to address phishing attempts where someone might be tricked into putting in a code, thereby giving an attacker immediate access to the account. For mobile, you're either stuck being extra mindful or using an NFC / BLE key. You still have the alternate code options (like SMS or Authenticator) but eliminate the phishing risk when using the physical key.

  • jpinnix Junior Member

    +1 For Yubikey Neo support. Longtime 1P user, but have some projects where I need this.

  • A vote here. I was on the fence because of the “what if” I lost it. But it’s my responsibility for this and I'd rather be locked out of my 1Password account than have it fall into the wrong hands.

  • jpinnix Junior Member

    @prime Most of the time there is a backup method if the physical key is lost

  • rudy

    Team Member
    edited August 2018

    @prime,

    You voted three times, I believe that nullifies like 100 votes?

  • prime
    edited August 2018

    @rudy I’m from Chicago. In Chicago you vote early and you vote often. :lol:

  • Ben AWS Team

    Team Member

    Oi vey. :pirate:

    Ben

  • jpinnix Junior Member

    @prime LOL

  • rickfillion Junior Member

    Team Member

    That's hilarious. :)

    Rick

  • Not to distract but SOME sort of hardware key would be very welcome.

  • Ben AWS Team

    Team Member

    Thanks for the feedback, @Davert.

    Ben

  • I'd also throw in that multiple security keys alleviate this issue. At Google I had one that was always at work, and another on my keychain. For personal use, I'd like to have one on my keychain, and one at home (in a safe or somesuch). This way if I was robbed, I could later login and reject the compromised key. That way I'd always have one on me, but it isn't my last resort.

  • XIII
    edited September 2018

    In my Twitter feed I saw this today:

    Maybe I misunderstand, but isn't this just a "workaround" and not a full YubiKey implementation?
