Feature Request: Unlock 1Password with a security key (yubikey)

This isn't Mac specific but there does not seem to be a "general discussion" forum or a feature request forum.

I would love to be able to unlock 1Password (web site, browser app, phone app) using my yubikey security keys, rather than typing my master password.



Comments

  • brenty

    Team Member
    edited December 2018

    @drumboots: We have no plans to have any hardware device that could easily be lost, stolen, or destroyed replace the Master Password*. You can, however, use Yubikey as a second factor for a 1Password account, and we're also looking at possibly supporting other integrations as well. Cheers! :)

    *Edit: clarification: technically you can do that anyway, but it isn't something we recommend or support.

  • edited June 2019

    I also think this would be an incredibly useful feature, but only as a secondary method of conveniently unlocking post-initial unlock, e.g. after the lock timeout or resumption from sleep; the master password would still be required after a cold boot/login.

    I imagine this feature as being similar to how Github allows you to use a hardware key in lieu of your password to authenticate when attempting to perform sensitive actions, but only after you've already logged in using a password and 2FA mechanism.

  • BenBen AWS Team

    Team Member

    @confusingboat

    A bit has changed since this thread (December 2018). You may find this post interesting:

    Introducing support for U2F security keys

    Ben

  • I would also like this feature. To be able to unlock 1Password with a Yubikey, much like using our fingerprint now on the touchbar.

  • BenBen AWS Team

    Team Member

    Hi @bbeyer

    YubiKey is intended to be used as a second factor, not the sole factor. Also consider that if we were to design 1Password in the way you're suggesting the loss of the physical YubiKey device could make your data unrecoverable.

    Ben

  • I would assume you would be able to use your master password as a backup just like you can for Touch ID.

  • BenBen AWS Team

    Team Member

    I see. If that's the sort of setup you'd like @bbeyer then you may be able to configure your YubiKey to type your Master Password for you:

    Understanding Core Static Password Features : Yubico Support

    I'm not sure that is something we'd be able to recommend doing... just pointing out the fact that the technology exists. :)

    Ben

  • Yubikey is a 2nd factor, the name says it all. As a former LastPass user, I prefer the way its browser extension works: after (re)starting the browser I have to authenticate myself with the master password AND the 2nd factor (yubikey) to activate the extension, but the extension keeps working until I stop the browser.

    An optional 1-day timeout would have been nice (to handle the case of not restarting the browser at all), though.

    Yubikey should be used as 2FA at least for registering a new Android or iOS device, too.

    Is there any chance to have such features?

  • BenBen AWS Team

    Team Member

    @tsereg

    We don't have any plans to require a second factor for unlocking 1Password. If a second factor is set up, it is required when adding a new / unrecognized device.

    Ben

  • I also would like to see an implementation like Microsoft did. A U2F replaces the password with a PIN. So PIN + Hardware Key = Login.
    There are smart ways to get this done on 1PW too.
    As bbeyer said, TouchID and 1PW work fine; it asks you from time to time or on reboots for the master PW. Why only TouchID? Why not also a key like a Yubikey?

    I hope we will see solutions to replace or half replace the master PW with a PIN or something.

  • kobi97
    edited February 5

    I hope at least when they release the YubiKey Bio with a fingerprint sensor, 1PW will adopt the same mechanism as TouchID.

    https://www.yubico.com/blog/yubico-reveals-first-biometric-yubikey-at-microsoft-ignite/

    Greetings

  • BenBen AWS Team

    Team Member
  • kobi97
    edited February 5

    @Ben yes I read that. It is a possibility but not an optimal solution in my opinion.
    Exposing the Master PW is easy, because you only need to press the Yubikey for example 1-2 seconds in a text file and the static PW will be exposed. A direct feature from 1PW would be better.
    A solution like Windows or Apple did, directly from 1Password, would be so cool. So passwordless would be a YubiKey Bio or a normal YubiKey plus a PIN.
    That would be my dream 1PW setup.

    Please consider this feature request in the next meeting :)

  • BenBen AWS Team

    Team Member

    We don't have any plans for that, but perhaps it is something we can consider for the future. :+1:

    Ben

  • @Ben Thanks for considering it. I mean you already implemented it with TouchID. After a reboot a Master PW is still required and so on.
    The same implementation from TouchID with a YubiKey Bio on all devices (Windows, Android, MacBook (when closed or without TouchID...)) would be possible. Isn't that a great new feature? :)

  • BenBen AWS Team

    Team Member

    :+1::)

    Ben

  • Just to confirm that I got it properly: Yubikey across all 1Password apps including online account is ONLY used to authenticate new devices? So once authorized, the device will never be asked for Yubikey again?

    I thought the general idea behind it is that Yubikey can be used to unlock 1Password (desktop app, mobile, www) but this does not seem to be the case?

  • BenBen AWS Team

    Team Member

    Hi @Malbec,

    It sounds like you've got the gist of it.

    Just to confirm that I got it properly: Yubikey across all 1Password apps including online account is ONLY used to authenticate new devices? So once authorized, the device will never be asked for Yubikey again?

    Correct.

    I thought the general idea behind it is that Yubikey can be used to unlock 1Password (desktop app, mobile, www) but this does not seem to be the case?

    Yubikey is not involved in the unlocking process; just the device authorization process.

    Ben

  • Malbec
    edited March 1

    Thanks @Ben.
    Is it now possible to add multiple Yubikeys to a 1Password account? I remember reading before the introduction of U2F that only 1 Yubikey could be associated with a 1Password account. Has it changed?

  • ag_ana

    Team Member

    @Malbec:

    Yes, you can add multiple Yubikeys to a 1Password account :)

  • Thanks everyone. So I have added 2 Yubikeys to my 1P account and have 2 questions:

    1. I thought I can remove "authenticator app" and rely only on hardware Yubikeys authentication. However although I can remove any Yubikey I have added, the only option that appears next to "authenticator app" is to "replace". Is there no way to remove/disable it and rely only on Yubikey?

    2. With the above scenario, when I force my iPhone via 1Password online account to "require 2FA" on next log in, it always shows me 3 choices: NFC, authenticator OTP and lightning USB. If I choose NFC and authorize via Yubikey NFC, although it says "success" nothing happens and I get the 3 choices once again. The only way to go past this screen is if I choose authenticator OTP codes.

    Is this a bug? Any idea how to resolve it?

  • ag_ana

    Team Member

    @Malbec:

    I thought I can remove "authenticator app" and rely only on hardware Yubikeys authentication. However although I can remove any Yubikey I have added, the only option that appears next to "authenticator app" is to "replace". Is there no way to remove/disable it and rely only on Yubikey?

    Not currently: you can ignore the TOTP option, but at the moment it cannot be removed, even when there is a Yubikey added to the account.

    With the above scenario, when I force my iPhone via 1Password online account to "require 2FA" on next log in, it always shows me 3 choices: NFC, authenticator OTP and lightning USB. If I choose NFC and authorize via Yubikey NFC, although it says "success" nothing happens and I get the 3 choices once again. The only way to go past this screen is if I choose authenticator OTP codes.

    Is this by chance a Yubikey NFC Neo?

  • @ag_ana Thank you. It is YubiKey 5 NFC. I have also just downloaded 1Password 7 to my Macbook Pro as well (having first done it with Mac Pro and iOS) and updated it to the 1PW online account. It asked me for OTP code, there was no option for Yubikey. I inserted Yubikey thinking it may work but 1PW was insisting on OTP. There was no option to ignore OTP.

    So what's the use of Yubikey if things are not working as they should and OTP is always required despite having 2 Yubikeys registered on the account?

  • ag_ana

    Team Member

    @Malbec:

    That's because not all of the 1Password clients support Yubikeys yet, which is why we still require a TOTP to be present. In clients that already support Yubikeys (such as the web app on 1Password.com), you can use them instead of TOTP. In clients such as 1Password for Mac, you are currently prompted for TOTP instead, which is why you need to have one configured in your account.

  • @ag_ana Thank you. So the 1Password desktop Mac app does not have support for WebAuthn yet - okay. Why is the 1Password iOS app asking me for NFC repeatedly, despite showing "success"? I thought it should work with YubiKey 5 NFC?

  • BenBen AWS Team

    Team Member

    @Malbec

    YubiKey 5 NFC should indeed work. I'd like to ask you to create a diagnostics report from your iOS device:

    Sending Diagnostics Reports (iOS)

    Attach the diagnostics to an email message addressed to [email protected].

    With your email please include:

    • A link to this thread: https://discussions.agilebits.com/discussion/comment/561311/#Comment_561311
    • Your forum username: Malbec
    • A screenshot of the NFC prompt and a screenshot of the "success" message: ▷ How to take a screenshot

    That way I can "connect the dots" when I see your diagnostics in our inbox.

    You should receive an automated reply from our BitBot assistant with a Support ID number.  Please post that number here so I can track down the diagnostics and ensure that this issue is dealt with quickly. :)

    Once I see the diagnostics I'll be able to better assist you. Thanks very much!

    Ben

  • @Ben It's already being taken care of by the support team, which were able to confirm the same issue. Thanks.

  • BenBen AWS Team

    Team Member

    Great :+1:

    Ben
