Yesterday Yubico introduced their new Security Key, including this:
I would love to see support for this in the Windows and Mac App as a replacement for the password for family members who have trouble remembering a strong master password.
@XIII: This has been possible with Yubikey and similar devices for years. It's just not something we recommend since, unlike a password you forget, which you could potentially remember, you're completely out of luck if you lose it. Also, unlike a password that's only stored in your brain, someone could steal it. Using account recovery in a family or team environment can let you sort of have it both ways, without having something that can be lost or stolen, but also having a way to help your loved ones get in if they lock themselves out, if you're an admin. Yubikey does interesting stuff and we'll continue to evaluate to see if there's a good fit with 1Password in the future. Cheers!
I get it.
Still: maybe a very secure password on a device that never leaves the house might be better than a weak master password (that's used online)?
Yeah, that's an interesting trade-off. I wouldn't personally be able to live with being able to access 1Password only at home, but perhaps others would.
iPhone (with TouchID) on the go, desktop Windows PC at home (for the family members having a hard time remembering strong passwords).
Even though I understand the risks of separate hardware tokens, I also see them as an added value for elevated security. And it shouldn't be the only form of 2FA, but an additional form of 2FA.
@mvandam: I think that's reasonable. Perhaps we'll be able to add additional options like that in the future. Thanks for weighing in!
“YubiKey comes to the iPhone with Mobile SDK for iOS and LastPass support” - Yubico
Does AgileBits have any plans for this kind of 2FA?
@XIII: While I don't have any plans to share, it's something we've been evaluating.
+1 on wanting this to happen
Thanks for chiming in!
also +1 on this feature
I do not think this is support for FIDO U2F but for a less secure, proprietary YubiKey protocol. I thought that Yubico switched to U2F completely but it seems that they are still keeping their old technology in place.
In this case, I would have to agree with most of the points made in the YCombinator thread here: https://news.ycombinator.com/item?id=17125329
We do not have unlimited resources and I would rather spend ours on adding support for U2F.
I too have a yubikey but to be honest with you I'm a bit underwhelmed with what it offers.
My assumption was that I'd be able to go through my various accounts and delete phone numbers, 2FA settings etc. and solely use the Yubikey, but in practice that isn't what I can do.
Every site I've registered the key with still needs phone numbers and 2FA before you can then add the key, which just defeats the purpose of having the key. It's become an alternative way of logging in rather than THE way to log in.
It's a good idea but will only work as I think it should when humans stop being forgetful. Until then it doesn't add anything to my digital life.
In fact, the ONLY thing I've found that works as I imagine it should is the Yubi Authenticator app for Android where you have to tap the key to the phone (NFC) before it unlocks the... 2FA number list! An extra step for small gain.
For the time being it's sitting in a USB port and allowing me to log into my Windows 10 computer automatically without having to type in password, PIN code etc. A saving of a massive 10 seconds!
Hey, those 10 seconds add up though! But I agree: that's a bit confusing as a user too. I don't think humans will stop being forgetful, but fortunately there are a lot of smart people working on these problems. Thanks for sharing your experiences!
@richardburt and @brenty, I think part of the point of using a physical security key is being missed here. Yes, you often have to enable SMS or some other method, but that's not the security hole. It's using those methods that provides the most risk. These keys are used mainly to address phishing attempts where someone might be tricked into putting in a code, thereby giving an attacker immediate access to the account. For mobile, you're either stuck being extra mindful or using an NFC / BLE key. You still have the alternate code options (like SMS or Authenticator) but eliminate the phishing risk when using the physical key.
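As an added illustration of the phishing point made in the comment above (not code from this thread, from Yubico or from 1Password), here is a constructed Python model of a U2F-style login beside a one-time code: the key signs the challenge together with the origin the browser saw, so an assertion produced on a look-alike site fails at the real site, while a code can be relayed from anywhere. The names `SecurityKey`, `RelyingParty`, `login_with_key`, `totp_code` and `login_with_code` are assumptions, and HMAC with a per-origin derived secret stands in for the ECDSA P-256 key pair a real U2F key uses.

```python
"""Toy model of why a security key resists phishing and a one-time code does not:
the key signs the challenge together with the origin the browser saw, so an
assertion produced on a look-alike site fails verification at the real site.
Constructed example: HMAC with a per-origin derived secret stands in for the
ECDSA P-256 key pair a real U2F key uses, so it runs offline."""
import hashlib
import hmac
import secrets
import struct

class SecurityKey:
    def __init__(self) -> None:
        self.master = secrets.token_bytes(32)  # never leaves the token

    def origin_secret(self, origin: str) -> bytes:
        # Stand-in for the per-site key pair a real key derives from its key handle.
        return hmac.new(self.master, origin.encode(), hashlib.sha256).digest()

    def sign(self, origin: str, challenge: bytes) -> bytes:
        # The browser, not the user, supplies `origin`; the user only taps the key.
        data = hashlib.sha256(origin.encode()).digest() + challenge
        return hmac.new(self.origin_secret(origin), data, hashlib.sha256).digest()

class RelyingParty:
    def __init__(self, origin: str, key: SecurityKey) -> None:
        self.origin = origin
        self.enrolled = key.origin_secret(origin)  # registration on the real site

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        # Recomputed over *our* origin: an assertion bound to any other origin fails.
        data = hashlib.sha256(self.origin.encode()).digest() + challenge
        expected = hmac.new(self.enrolled, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)

def login_with_key(rp: RelyingParty, key: SecurityKey, browser_origin: str) -> bool:
    """RP challenge -> browser hands challenge + its origin to the key -> RP verifies."""
    challenge = rp.new_challenge()  # a relay can forward this to a victim unchanged
    return rp.verify(challenge, key.sign(browser_origin, challenge))

def totp_code(secret: bytes, now: int) -> str:
    """Simplified time-based code: depends on secret and time only, never on origin."""
    mac = hmac.new(secret, struct.pack(">Q", now // 30), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"

def login_with_code(secret: bytes, typed_code: str, now: int) -> bool:
    """The real site cannot tell a relayed code from one typed directly into it."""
    return hmac.compare_digest(totp_code(secret, now), typed_code)
```

The contrast is the whole argument: the same tap that succeeds at the real origin produces a useless assertion at a look-alike one, whereas the code check has no origin to compare against.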
+1 For Yubikey Neo support. Longtime 1P user, but have some projects where I need this.
A vote here. I was on the fence because of the “what if” I lost it. But it’s my responsibility for this and I’d rather be locked out of my 1Password account than have it fall into the wrong hands.
@prime Most of the time there is a backup method if the physical key is lost
You voted three times, I believe that nullifies like 100 votes?
@rudy I’m from Chicago. In Chicago you vote early and you vote often.
Not to distract but SOME sort of hardware key would be very welcome.
Thanks for the feedback, @Davert.
I'd also throw in that multiple security keys alleviate this issue. At Google I had one that was always at work, and another on my keychain. For personal use, I'd like to have one on my keychain, and one at home (in a safe or some such). This way if I was robbed, I could later log in and reject the compromised key. That way I'd always have one on me, but it isn't my last resort.
In my Twitter feed I saw this today:
Maybe I misunderstand, but isn't this just a "workaround" and not a full YubiKey implementation?