Any plans to add support for yubikeys via NFC?


Comments

  • LastPass got something good before 1Password? Now I’ve seen everything. +1

  • Ben AWS Team

    Team Member

    Now I’ve seen everything.

    ;)

    Ben

  • Ah, I think I am understanding a bit more having read through this thread. I also had hoped to use my Yubikey NFC to unlock my 1Password app on my iOS phone. But reading a couple of responses stating that 1Password is more about protecting data through encryption rather than authenticating (even though it is storing authentication data), when I enter my Master Password to get in I am actually entering the encryption phrase used to encrypt the data. So it's not really a Master Password, more my encryption key or passphrase. If that is the case, that I can understand.

    But why then can I use FaceID to unlock the app? It seems to me if I could use FaceID I could use the Yubikey as well.

  • brenty

    Team Member

    @hbottjer: That's a fantastic question, and I am not sure I've seen anyone come out and ask it before. Probably most people are content to just have the convenience of it. Face ID and Touch ID have great security (or we wouldn't use them ourselves either), and they let us use strong passwords without having to enter them all the time -- sort of the best of both worlds.

    The way it works is, crucially, that your face/fingerprint is not used to decrypt your actual data. In order for that to work, 1Password (and any app using these biometric features) would need to get your biometric data. And that's terrifying on so many levels. We don't want that. Instead, biometric information is stored in hardware, the Secure Enclave chip, where even the OS cannot read it. 1Password itself stores its own secret derived from your Master Password in the device Keychain, which can be used to unlock 1Password only when your face/fingerprint is recognized, because the secrets cannot be decrypted without a biometric match, and likewise the data cannot be decrypted without the secrets. Something generated mathematically from someone else's face/fingerprint will be different from what's in the Secure Enclave.

    You can find more information about these as they relate to 1Password on our support site:

    About Face ID security in 1Password for iOS

    About Touch ID security in 1Password for Mac

    Getting back to your earlier comments, while there may certainly be a use for devices like YubiKey, and it's something we'll continue to evaluate with regard to 1Password, it is a bit different than, say, a website which is protected solely by authentication, not encryption, where something like this could play a much more crucial role. :)

  • Got it. Thanks! I'm okay using biometrics on the phone to gain access, to be honest using NFC with the iPhone is more a matter of the "cool" factor.

  • brenty

    Team Member

    :) :+1:

  • Would switch from LastPass to 1Password if NFC YubiKeys would be supported.

  • Ben AWS Team

    Team Member

    We have made some progress with U2F:

    Introducing support for U2F security keys

    That said I don't have anything to announce at this time about NFC.

    Ben

  • @Ben Very awesome! I do have a question, will this eventually work for the desktops and mobile apps? I read:

    So while it works great as your second factor in those browsers, for now you’ll still need an authenticator app set up to use with the 1Password desktop and mobile apps (and any unsupported browsers).

    https://blog.1password.com/introducing-support-for-u2f-security-keys/

  • brenty

    Team Member

    I do have a question, will this eventually work for the desktops and mobile apps?

    @prime: It's a possibility. We'll keep at it. ;) :+1:

    One benefit of U2F may be less reliance on the whole time thing. :lol:

  • +1 NFC Yubico on iOS. I understand in the past there have been some limitations in iOS 12 that made this solution not very easy to implement. However, given that Apple seems to be moving to open up NFC more with iOS 13, I would hope 1Password would consider adding this feature.
    https://9to5mac.com/2019/06/12/scan-nfc-chips/

  • brenty

    Team Member

    Nothing new to say at this time. We've already said it's something we're evaluating. :)

  • @brenty, I saw this yesterday :)

  • brenty

    Team Member

    ;) :+1:

  • @brenty I can’t wait! So I won’t need a TOTP anymore with this?

  • brenty

    Team Member

    @prime: It's good to keep TOTP around as a backup authentication option, in case you lose the dongle (or just don't have it on you). But yeah, you probably won't need to use TOTP if you've got a YubiKey that works with all of your devices. :)

  • Lars Junior Member

    Team Member

    @prime - be aware that AFAIK the 5Ci Yubikey does NOT have a NFC chip in it. I could be wrong about that, but that's the most-recent information I have.

  • I’m just curious why 1Password did not choose to support the NFC version yet for the iPhone? Support is out for quite a while already. I know there is a YubiKey coming out which you physically have to mount on your lightning connector of the iPhone. But as a UX researcher I believe this usability is just a step too much, for a simple MFA authentication. A simple tap from a device that’s on your keychain will make things so much easier.

  • brenty

    Team Member

    @Dennis_van_Lith: The SDK does not support NFC for U2F anyway, but we'll see how things develop in the future and continue to evaluate our options. Cheers! :)

  • prime
    edited August 20

    @brenty

    @Dennis_van_Lith: The SDK does not support NFC for U2F anyway, but we'll see how things develop in the future and continue to evaluate our options. Cheers! :)

    Is there any U2F for NFC for 1Password? I haven’t read too much on this yet (a lot going on), so I might have questions about this.

    This new 5Ci is cool, but it won’t work with my laptop. Now do I get 2 keys, one for the iPhone and one that works with the laptop?

    Edit: my laptop does have USB-C.

    But what if it didn’t, get 2 keys?

  • brenty

    Team Member

    @prime: Not currently, but hopefully that will be possible in the future -- though if we do we're going to proceed cautiously to avoid the types of vulnerabilities that have affected other NFC implementations.

    As far as the specific device to get, I think that's a tough question for almost anybody. :lol: Personally, I'm used to having adapters for this stuff now anyway though, so I would probably just choose based on the main device and then use adapters as needed for any others.

  • @brenty, it looks like Yubico will be adding NFC support for U2F to the YubiKey SDK shortly, so it should be possible in the near term.

    https://www.yubico.com/2019/09/yubico-ios-authentication-expands-to-include-nfc/

  • brenty

    Team Member

    Thanks! We'll have to see how it goes. :)

  • I can't seem to find a solid answer on the KB and this is the topmost topic that comes up for a Google search regarding Yubikey NFC support within 1PW mobile apps - does the Android 1PW app support 2FA with an NFC-enabled Yubikey?

  • brenty

    Team Member

    @dragonshardz: Good question! I don't recall it being asked before, but currently NFC is not supported. A Yubikey also requires a WebAuthn-compliant browser to sign into 1Password, so TOTP can be used as a fallback otherwise (e.g. in 1Password for Android). I'll let the team know you're specifically interested in that though. :)
