Backup Yubikey support?

I recently purchased a Yubikey and enabled 2FA on my 1Password account. Reading about Yubikeys (and 2FA devices in general), it is highly recommended to have two Yubikeys associated with sites (such as 1Password) to ensure one is not locked out in case a Yubikey is lost, stolen, or breaks.

How does one go about configuring a 2nd Yubikey with a 1Password account? After I added my key, my only option appears to be to disable 2FA.

Thanks...


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

• brenty

    Team Member

    @ctaranto: No, only one Yubikey is supported currently. However, you'll be able to disable it in your account in a browser you've already authorized. The second factor is only required for a new sign in, during authentication (hence two-factor authentication). I hope this helps. Be sure to let me know if you have any other questions! :)

• @brenty: Thanks for the response. I do understand that the "way out" is to use one of the previously authorized browsers. That seems reasonable for the short term, but having the ability to configure two keys is the recommended approach (see https://www.yubico.com/2017/04/backup-recovery-plan/). Considering that 1Password is storing all account passwords, credit card information, etc., it does not seem unreasonable for the service to accommodate a more thorough secure key backup strategy.

    The one scenario off the top of my head (though rare) is a house fire. All systems that were authenticated, and the primary Yubikey, would be gone. A backup key, stored possibly in a safe deposit box or other off-premises location, would be safe and provide continued access to 1Password.

    Thanks again.

• XIII
    edited October 2018

    Maybe I misunderstand, but I believe 1Password is not using the regular YubiKey functionality. Since it is only using the key as a TOTP App alternative (programmed using 1Password's secret key and a TOTP secret key that you both have to enter manually in a Yubico App), can't you just program 2 keys with the same credentials?

  • That's a good question. I thought of the same thing last night and spent some time searching, but did not find the answer.

    To clarify, the suggestion is to enable 2FA, and when the QR code/secret key comes up, use that single secret key to program two Yubikeys in the Yubi Auth app.

    Is that correct?

• Ben (AWS Team)

    Team Member

    @ctaranto

    Yes. You can add the TOTP secret to multiple Yubikeys. You’d need to use the same secret in both. It isn’t possible to have two different secrets in two different Yubikeys.

    Ben

  • @Ben: Sounds good - Thanks. I'll give that a shot.

    One follow up question: Is there a way to retrieve the secret key that I previously used? Or do I have to disable/re-enable 2FA to generate another key and use it on both Yubikeys?

• Ben (AWS Team)

    Team Member

    You would need to disable and re-enable to get a new secret. You cannot recover an existing one.

    Ben

• brenty

    Team Member

    @XIII: I was the one who misunderstood. I thought they wanted to have different TOTP secrets with multiple Yubikeys. Thank you!

• brenty

    Team Member

    @ctaranto: Ben isn't wrong, but some software does allow you to view or "export" the TOTP secret in use. The guaranteed way to get it though, from 1Password, is by disabling and setting it up again to save it this time. Cheers! :)

• brenty

    Team Member

    Likewise, thanks for bringing it up! :chuffed:

  • edited December 2018

    I'm just wondering if this method of re-initiating 2FA to trigger a new secret key for use on more than one YubiKey was successful in producing two usable keys. And more importantly, what are the precise steps? I successfully followed the online guide to create a single hardware key, and I successfully authenticated on new browsers and devices (including existing devices that had already accessed vaults, all of which asked for my second factor when I tested them). However, that method called for creating a "New Credential" in the Yubico Authenticator app (I'm on Mac High Sierra). Admittedly, I did not dig deep into the menus, but I did not see anything suggesting the ability (in the Yubico Authenticator) to duplicate or "clone" an existing key. I do get the rationale of (temporarily) recording the newly generated secret 2FA key for use in setting up a second key/device; I just don't know how to implement it. Building on what ctaranto mentioned previously, I'm a bit uncomfortable using a lone hardware key with no backup. For my needs (niche they may be), having the second functioning key in my safe or offsite lockbox is sufficiently secure. Tiny things (like my cheap Walgreens reading glasses) sometimes get lost, regardless of how much care one takes to avoid it.

    In short, thanks for all the info, and I'm thrilled that hardware 2FA is an option, and even more thrilled to know that setting up more than one key is possible, even if it's a bit technical. I just don't want to accidentally lock myself out of my entire 1Password "house" if I botch the attempted second key.

• brenty

    Team Member

    @TampaGatorDad: I think you're misunderstanding. 1Password accounts only support a single Secret Key and a single two-factor authentication secret (whether that be setup as a TOTP, Yubikey, or Duo). You can regenerate a new Secret Key and/or disable/enable two-factor authentication for your account from the Profile page though:

    https://start.1password.com/profile

    While any Yubikey-specific questions would need to be directed to them, you should be able to setup multiple Yubikey devices to use the same TOTP secret* to generate codes:

    https://support.1password.com/yubikey/

    *Confusingly, the Yubico Authenticator app refers to the TOTP secret as the "Secret Key".

    I think maybe the thing that's throwing you off is that the Yubikey device is merely generating a code from the TOTP secret, just as an authenticator app would. 1Password doesn't care where the code comes from, so long as it's valid.

  • Sorry, you're right: I see that I'm both misunderstanding as well as doing a poor job of articulating my questions. I'm new to hardware-based 2FA. Based on your reply, which has clarified some things for me, I'll try to revise my current understanding as follows:

    1. Sorry for reuse of the term "secret key." For this discussion, I am referring solely to the two-factor authentication secret (which I'll refer to here as the TOTP secret), NOT my 1Password account Secret Key.
    2. Once I set up the first YubiKey (which I've done once successfully and know I can do again), I just need to remember/record the TOTP secret created by 1Password when activating 2FA, the same one I used to create a new credential in the Yubico Authenticator, after which 1Password "tests" the new key by requesting a code, the YubiKey dongle/Yubico Authenticator combo on my end spits out codes, and 1Password authenticates me.
    3. The next step in my process would be to repeat the "create new credential" process on the Yubico Authenticator app with a second YubiKey, using the same TOTP secret I entered while setting up the first key (what you refer to as "setup multiple Yubikey devices to use the same TOTP secret* to generate codes"). The main difference the second time would be that I can't "test" the new key the same way I did for the first one. However, as long as I correctly entered the TOTP secret, I shouldn't need to repeat that test (and I could just test by logging in from a new device, triggering the 2FA code request).
    4. If I'm understanding correctly, I could (if desired) produce multiple spare YubiKeys via the same process, essentially reusing the TOTP secret created when activating 2FA. All the repeating parts of the process are done on client side.

    Sorry for the length, but does that capture it? Thanks again for your help.

• Ben (AWS Team)

    Team Member

    That is all correct. :+1:

    Ben
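    The mechanism the thread has just confirmed is plain RFC 6238 TOTP: 1Password stores one TOTP secret, and every Yubico Authenticator credential programmed with that same base32 string computes the identical code for the same 30-second step, so the server cannot tell (and does not care) which key produced it. The script below is an added illustration written for this thread, not code from 1Password or Yubico. The `Device` class, `server_verify` function and the names `primary`/`backup` are stand-ins for a YubiKey credential and for 1Password's server-side check; the secret used is the constructed RFC 4226/6238 test-vector key ("12345678901234567890" in base32), not anyone's real 2FA secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: base32 of the ASCII string "12345678901234567890",
# the key used in the RFC 4226 / RFC 6238 test vectors. Not a real account secret.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret_b32, unix_time // step, digits)


class Device:
    """Hypothetical model of one Yubico Authenticator credential on a YubiKey:
    it holds the TOTP secret entered at enrolment and emits codes on demand.
    The secret can be written in but, as Ben notes, not read back out."""

    def __init__(self, name: str, secret_b32: str) -> None:
        self.name = name
        self._secret = secret_b32

    def code(self, unix_time: int) -> str:
        return totp(self._secret, unix_time)


def server_verify(enrolled_secret: str, submitted: str, unix_time: int,
                  step: int = 30, window: int = 1) -> bool:
    """Hypothetical server check: accept the code for the current step or
    its immediate neighbours (clock skew), compared in constant time."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(enrolled_secret, counter), submitted):
            return True
    return False


def backup_key_demo(unix_time: int = 1_540_000_000) -> dict:
    """Enrol two 'YubiKeys' with the SAME secret and show the server accepts either.
    A third key with a different secret shows why two secrets cannot both work."""
    primary = Device("primary", DEMO_SECRET)
    backup = Device("backup", DEMO_SECRET)          # same secret, stored off-site
    other = Device("other", "JBSWY3DPEHPK3PXP")     # constructed, different secret
    return {
        "primary_code": primary.code(unix_time),
        "backup_code": backup.code(unix_time),
        "codes_match": primary.code(unix_time) == backup.code(unix_time),
        "primary_accepted": server_verify(DEMO_SECRET, primary.code(unix_time), unix_time),
        "backup_accepted": server_verify(DEMO_SECRET, backup.code(unix_time), unix_time),
        # Codes from the other secret only match the enrolled one by chance (~1 in 10^6).
        "other_accepted": server_verify(DEMO_SECRET, other.code(unix_time), unix_time),
    }


if __name__ == "__main__":
    for k, v in backup_key_demo().items():
        print(f"{k}: {v}")
```

    The `codes_match` and `backup_accepted` results are the whole point of the thread: the second key is not "cloned" from the first, it is simply enrolled with the same TOTP secret, which is why the secret has to be captured (on paper, in a fire safe) at the moment 2FA is enabled. The `window` argument in `server_verify` is a common server-side tolerance for clock drift, assumed here rather than taken from 1Password's implementation.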

• brenty

    Team Member

    @TampaGatorDad: Indeed, you're spot-on. No need to apologize. I agree that, while really cool, Yubikey is a bit confusing...and I certainly don't blame you for the fact that they chose to use the term "secret key" for the TOTP secret. ;)

• Michael Tennes (Junior Member)

    As innovative as 1Password has always been, I am baffled that LastPass has beaten them in supporting Yubico's line of FIDO U2F Keys.

• Ben (AWS Team)

    Team Member

    @Michael Tennes

    I'm not aware of any definite plans to support U2F at this point. We do believe it is interesting technology and are taking a close look at how it might benefit 1Password customers. That said, just because it makes sense in one context doesn't necessarily mean it adds anything to another. 1Password is primarily built around protecting your data with encryption as opposed to authentication. U2F is a form of the latter, and adds the most benefit to services that rely on strong authentication methods as the only form of protecting your account. Adding U2F support to 1Password would not strengthen the encryption of the data. That isn't to say that there may not be any merit to it, and indeed there may be yet, but at this point we haven't committed to it.

    Adding something to 1Password simply because a competitor has done so seems like a race to the bottom. We'd rather make well-informed, well-reasoned decisions about the direction we're headed. We may add U2F support, but we want to make sure there is a solid benefit to doing so.

    Ben

  • Thanks again for the clarification, guys. The deep-dive, knowledgeable support (i.e., not the typical, “First, let’s try rebooting” type of help, but infinitely better) is just yet another reason I’ve been a fan of 1Password for so long.

    I’m also thinking that for my own situation, a paper copy of my TOTP secret might be a good thing to keep with the (securely stored) hard copy of my 1Password emergency kit.

• Ben (AWS Team)

    Team Member

    “First, let’s try rebooting”

    Have you tried turning it off and on again? :tongue: In all seriousness: it is the first troubleshooting step for a reason. A good portion of the time, things improve! :wink:

    I’m also thinking that for my own situation, a paper copy of my TOTP secret might be a good thing to keep with the (securely stored) hard copy of my 1Password emergency kit.

    I think that is an excellent idea so long as you have safe and secure storage for paper documents (i.e. a fire safe).

    Thanks again for the clarification, guys.

    You're very welcome.

    Ben
