Any plans to add support for yubikeys via NFC?


Comments

  • LastPass got something good before 1Password? Now I’ve seen everything. +1

  • BenBen AWS Team

    Team Member

    Now I’ve seen everything.

    ;)

    Ben

  • Ah, I think I am understanding a bit more having read through this thread. I also had hoped to use my Yubikey NFC to unlock my 1Password app on my iOS phone. But reading a couple of responses stating that 1Password is more about protecting data through encryption rather than authenticating (even though it is storing authentication data), when I enter my Master Password to get in I am actually entering the encryption phrase used to encrypt the data. So it's not really a Master Password, more my encryption key or passphrase. If that is the case, that I can understand.

    But why then can I use FaceID to unlock the app? It seems to me if I could use FaceID I could use the Yubikey as well.

  • brentybrenty

    Team Member

    @hbottjer: That's a fantastic question, and I am not sure I've seen anyone come out and ask it before. Probably most people are content to just have the convenience of it. Face ID and Touch ID have great security (or we wouldn't use them ourselves either), and they let us use strong passwords without having to enter them all the time -- sort of the best of both worlds.

    The way it works is, crucially, that your face/fingerprint is not used to decrypt your actual data. In order for that to work, 1Password (and any app using these biometric features) would need to get your biometric data. And that's terrifying on so many levels. We don't want that. Instead, biometric information is stored in hardware, the Secure Enclave chip, where even the OS cannot read it. 1Password itself stores its own secret derived from your Master Password in the device Keychain, which can be used to unlock 1Password only when your face/fingerprint is recognized, because the secrets cannot be decrypted without a biometric match, and likewise the data cannot be decrypted without the secrets. Something generated mathematically from someone else's face/fingerprint will be different from what's in the Secure Enclave.

    You can find more information about these as they relate to 1Password on our support site:

    About Face ID security in 1Password for iOS

    About Touch ID security in 1Password for Mac

    Getting back to your earlier comments, while there may certainly be a use for devices like YubiKey, and it's something we'll continue to evaluate with regard to 1Password, it is a bit different than, say, a website which is protected solely by authentication, not encryption, where something like this could play a much more crucial role. :)
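Added example (not part of the thread, and not 1Password's code): a minimal Swift sketch of the mechanism described in the reply above, where an app-held secret sits in the device Keychain and is released only after a biometric match, while the app never sees biometric data. The service and account names and the function names are hypothetical.

```swift
import Foundation
import Security
import LocalAuthentication

// Hypothetical identifiers for this example.
let baseQuery: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: "com.example.vault",
    kSecAttrAccount as String: "unlock-secret",
]

enum KeychainError: Error { case accessControl, status(OSStatus) }

/// Store a secret so the Keychain releases it only after a biometric match.
func storeUnlockSecret(_ secret: Data) throws {
    var cfError: Unmanaged<CFError>?
    // .biometryCurrentSet: the item becomes unreadable if the enrolled
    // faces or fingerprints change. ThisDeviceOnly keeps it out of backups.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet, &cfError
    ) else { throw KeychainError.accessControl }

    _ = SecItemDelete(baseQuery as CFDictionary)  // replace any earlier copy
    var attrs = baseQuery
    attrs[kSecAttrAccessControl as String] = access
    attrs[kSecValueData as String] = secret
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Read the secret back. The system, not the app, runs the Face ID or
/// Touch ID check; the app only receives the secret or an error status.
func loadUnlockSecret(reason: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = reason
    var query = baseQuery
    query[kSecReturnData as String] = true
    query[kSecUseAuthenticationContext as String] = context
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        throw KeychainError.status(status)  // e.g. cancelled or no match
    }
    return data
}
```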

  • Got it. Thanks! I'm okay using biometrics on the phone to gain access; to be honest, using NFC with the iPhone is more a matter of the "cool" factor.

  • brentybrenty

    Team Member

    :) :+1:

  • Would switch from LastPass to 1Password if NFC YubiKeys would be supported.

  • BenBen AWS Team

    Team Member

    We have made some progress with U2F:

    Introducing support for U2F security keys

    That said I don't have anything to announce at this time about NFC.

    Ben

  • @Ben Very awesome! I do have a question, will this eventually work for the desktops and mobile apps? I read:

    So while it works great as your second factor in those browsers, for now you’ll still need an authenticator app set up to use with the 1Password desktop and mobile apps (and any unsupported browsers).

    https://blog.1password.com/introducing-support-for-u2f-security-keys/

  • brentybrenty

    Team Member

    I do have a question, will this eventually work for the desktops and mobile apps?

    @prime: It's a possibility. We'll keep at it. ;) :+1:

    One benefit of U2F may be less reliance on the whole time thing. :lol:

  • +1 NFC Yubico on iOS. I understand in the past there have been some limitations in iOS 12 that made this solution not very easy to implement. However, given that Apple seems to be moving to open up NFC more with iOS 13, I would hope 1Password would consider adding this feature.
    https://9to5mac.com/2019/06/12/scan-nfc-chips/

  • brentybrenty

    Team Member

    Nothing new to say at this time. We've already said it's something we're evaluating. :)
