Feature Request: Unlock 1Password with a security key (yubikey)

This isn't Mac specific but there does not seem to be a "general discussion" forum or a feature request forum.

I would love to be able to unlock 1Password (web site, browser app, phone app) using my yubikey security keys, rather than typing my master password.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brentybrenty

    Team Member
    edited December 2018

    @drumboots: We have no plans to have any hardware device that could easily be lost, stolen, or destroyed replace the Master Password*. You can, however, use Yubikey as a second factor for a 1Password account, and we're also looking at possibly supporting other integrations as well. Cheers! :)

    *Edit: clarification: technically you can do that anyway, but it isn't something we recommend or support.

  • edited June 2019

    I also think this would be an incredibly useful feature, but only as a secondary method of conveniently unlocking post-initial unlock, e.g. after the lock timeout or resumption from sleep; the master password would still be required after a cold boot/login.

    I imagine this feature as being similar to how Github allows you to use a hardware key in lieu of your password to authenticate when attempting to perform sensitive actions, but only after you've already logged in using a password and 2FA mechanism.

  • BenBen AWS Team

    Team Member

    @confusingboat

    A bit has changed since this thread (December 2018). You may find this post interesting:

    Introducing support for U2F security keys

    Ben

  • I would also like this feature. To be able to unlock 1Password with a Yubikey, much like using our fingerprint now on the touchbar.

  • BenBen AWS Team

    Team Member

    Hi @bbeyer

    YubiKey is intended to be used as a second factor, not the sole factor. Also consider that if we were to design 1Password in the way you're suggesting the loss of the physical YubiKey device could make your data unrecoverable.

    Ben

  • I would assume you would be able to use your master password as a backup just like you can for Touch ID.

  • BenBen AWS Team

    Team Member

    I see. If that's the sort of setup you'd like @bbeyer then you may be able to configure your YubiKey to type your Master Password for you:

    Understanding Core Static Password Features : Yubico Support

    I'm not sure that is something we'd be able to recommend doing... just pointing out the fact that the technology exists. :)

    Ben

  • Yubikey is a 2nd factor, the name says it all. As former lastpass user, I prefer the way how its browser extension works: after (re)starting the browser I have to authenticate myself with the master password AND the 2nd factor (yubikey) to activate the extension, but the extension keeps working until I stop the browser.

    An optional 1-day timeout would have been nice (to handle the case of not restarting the browser at all), though.

    Yubikey should be used as 2FA at least for registering a new Android or IOS device, too.

    Is there any chance to have such features?

  • BenBen AWS Team

    Team Member

    @tsereg

    We don't have any plans to require a second factor for unlocking 1Password. If a second factor is set up, it is required when adding a new / unrecognized device.

    Ben

  • I also would like to see a implementation like Microsoft did. A U2F replaces the password with a PIN. So PIN + Hardware Key = Login.
    There are smart ways to get this done on 1PW too.
    As bbeyer said TouchID and 1PW works fine, it asks you from time to time or on reboots for the master pw, why only TouchID? Why not also a Key like a yubikey?

    I hope we will see solutions to replace or half replace the master PW with a pin or something.

  • kobi97kobi97
    edited February 5

    I hope at least when they release the YubiKey Bio with a fingerprint sensor, 1PW will adopt the same mechanism like TouchID.

    https://www.yubico.com/blog/yubico-reveals-first-biometric-yubikey-at-microsoft-ignite/

    Greetings

  • BenBen AWS Team

    Team Member
  • kobi97kobi97
    edited February 5

    @Ben yes I read that. It is a possibility but not an optimal solution in my opinion.
    Exposing the Master PW is easy, because you only need to press the Yubikey for example 1-2 seconds in a Textfile and the static pw will be exposed. A direct feature from 1PW would be better.
    A Solution like Windows or Apple did, directly from 1Password would be so cool. So passwordless would be a YubiKey Bio or a normal YubiKey plus a Pin.
    That would be my dream 1PW Setup.

    Please consider this feature request in the next meeting :)

  • BenBen AWS Team

    Team Member

    We don't have any plans for that, but perhaps it is something we can consider for the future. :+1:

    Ben

  • @Ben Thanks for considering it. I mean you already implemented it with TouchID. After a reboot a Master PW is still required and so on.
    The same implementation from TouchID with a YubiKey Bio on all devices (Windows, Android, MacBook(when closed or without TouchID...) would be possible. Isn't that a great new feature? :)

  • BenBen AWS Team

    Team Member

    :+1::)

    Ben

  • Just to confirm that I got it properly: Yubikey across all 1Password apps including online account is ONLY used to authenticate new devices? So once authorized, the device will never be asked for Yubikey again?

    I thought the general idea behind it is that Yuibkey can be used to unlock 1Password (desktop app, mobile, www) but this does not seem to be the case?

  • BenBen AWS Team

    Team Member

    Hi @Malbec,

    It sounds like you've got the gist of it.

    Just to confirm that I got it properly: Yubikey across all 1Password apps including online account is ONLY used to authenticate new devices? So once authorized, the device will never be asked for Yubikey again?

    Correct.

    I thought the general idea behind it is that Yuibkey can be used to unlock 1Password (desktop app, mobile, www) but this does not seem to be the case?

    Yubikey is not involved in the unlocking process; just the device authorization process.

    Ben

  • MalbecMalbec
    edited March 1

    Thanks @Ben.
    Is it now possible to add multiple Yubikeys to 1Password account? I remember reading before introduction of U2F, that only 1 Yubikey could be associated with 1Password account. Has it changed?

  • ag_anaag_ana

    Team Member

    @Malbec:

    Yes, you can add multiple Yubikeys to a 1Password account :)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file