Feature Request: YubiKey Support

13»

Comments

  • benfdcbenfdc Perspective Giving Member
    edited December 2013

    From @Khad in #41:

    We are working on some 1Password socks that will analyze your feet to authenticate you. They are mighty soft (and fuzzy).

    It's been over three years since that post, but all I see in the Agile Goods Store are t-shirts. With hardware support for bluetooth 4.0 now pretty much ubiquitous, the lack of a USB port on iOS devices is no longer a concern. What’s the hold-up here?

    Also, why are the men’s tees only available in S, XL, and XXL?

  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    I would quibble with @poof over the appropriateness of "authorization" to describer what 1Password does, but the labels don't matter that much, it's the overall concept.

    To get what looks like 2FA with 1Password is a very different thing than how it is usually done. And this is exactly because there isn't an authentication process. It is sometimes (though not always) a mistake to think that an extra layer adds meaningful security. For example, double encryption does far far less than simply improving ones password by a single character. That is one 42 bit password is stronger than layering two 40 bit passwords. I'm not saying that adding an additional layer though key splitting wouldn't be adding meaningful security, but unless it is done right, it may be more security theater than actual security.

    @benfdc is correct that the ability to get data via sneakernet to iOS and Android devices is easier than ever. So this changes the situation from "not practical" to "not implausible". The fact of the matter is that we don't know in detail what difficulties we face until we try. And on that, the "hold up" is priorities.

    I started playing with a YubiKey some month back, just to get an idea of the protocol. But once it became clear that there wasn't any scenario in which key splitting could make it into the initial releases of 1Password 4, it fell back into the "well we might explore this further down the road."

    The biggest case for key splitting is that in 1Password, as in any well designed crypto system, the weakest point is people's Master Password. And so building up defenses there is what makes the most sense, and key splitting is one approach. But we need to make it reliable and easy enough so that it will work for the people who need it most. If it takes some expertise to set it up and manage it, then it will be used correctly only by those people who already know to use a strong Master Password.

    Anyway, as you see, I am arguing both sides here. And let me add, that from a cryptographic point of view, key splitting is very attractive. The cryptography is simple, elegant, and powerful. It's the key management that gets messy.

    Merry Boxing Day!

    -j

    –-
    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
    http://agilebits.com

  • benfdcbenfdc Perspective Giving Member
    edited December 2013

    But we need to make it reliable and easy enough so that it will work for the people who need it most. If it takes some expertise to set it up and manage it, then it will be used correctly only by those people who already know to use a strong Master Password.

    That’s a very powerful point IMO.

    @Poof wrote:

    The real question is: how can 1Password be made more secure by adding some an additional security layer without breaking usability too much? And the answer to that could simply be "we are not going to because it is not our intent to be a full fledged max security product, we only want to make it easier to manage your passwords for the forums you visit".

    I don't agree with that framing of the issue. I see the real question as being whether adding YubiKey support would increase or decrease security across the user base. I find it very plausible that YubiKey support would decrease security for the majority of 1Password users by greatly increasing the risk of losing access to one’s data. A YubiKey is like a handgun in that respect. In well-trained hands, it affords enhanced protection. In less than well-trained hands, well, maybe you’d be safer without it.

    One approach to reconciling these competing concerns might be to make two-factor authentication available as an in-app purchase for a more-than-nominal sum. Lots of ramifications, but part of the point would be to dissuade casual users from activating the feature.

    I wonder how much real-world data is out there addressing this point. Have vendors like LastPass published any reports on how 2FA is working out for their user base? It would be very interesting to know what percentage of YubiKey users have gotten themselves into trouble.

  • Thanks jpgoldberg for your answer. We mustn't think that adding an additional layer of security will actually make things safer, it is something that you need to look into. As for the 2FA people here seem to want: Dutch banks use it for example. You have this challenge code you get before each payment. The payment only passes when you enter the correct challenge code. This system has been researched and proven to be the safest there is at the moment (you need to have the username, password, bank card and the challenge code generator). Funny thing is, 1Password uses this in version 3 for iOS (you use a pin code to enter the app but you need to enter the master password when opening the high security entries). The reason why people want it is probably because they know passwords suck in general.

    So to compare it with the handgun: if you are going to hand out handguns give people training so they can properly use them and put a safety pin in place so they don't accidentally go off.

    The major thing I wanted to point out if it is even necessary to have something like this. 1Password isn't an application for military secrets. Most people use it for storing all their login data for forums and such. How much security does one need for storing such information? Personally I think that having just a password is enough for that (especially if you use a different password than for your user account on the computer). Use the appropriate security measure for your data.

  • benfdcbenfdc Perspective Giving Member
    edited January 2014

    Most people use it for storing all their login data for forums and such. How much security does one need for storing such information?

    Personally, I store credit cards, bank account numbers, router logins and Wi-Fi shared keys, drivers licenses, passports, SSNs, insurance policy info (health, auto, life, etc.) and pretty much everything else that the app is specifically designed for. And not just forum logins, but also email, chat, and financial stuff.

    You can't be safe on the internet unless you use use strong, unique passwords; you can't use strong, unique passwords for dozens of accounts unless you have a password manager; and of all the password managers I have tried, I find 1Password to be the most comfortable.

    if you are going to hand out handguns give people training so they can properly use them and put a safety pin in place so they don't accidentally go off.

    I don't understand what you mean by this. If putting a safety pin in place means building in a back door to allow data recovery if a YubiKey is lost, then perhaps the YubiKey is not a great idea to begin with. Also, it is in the nature of a product like 1Password that it must be usable by, and beneficial to, people who are never going to RTFM. You can offer your users training, but you can't train them. My suggestion of a two-tier approach is an effort to reckon with that reality.

  • rhordernrhordern
    edited January 2014

    Hello,

    There are two concerns that I don't think need to be worried about :

    1) Compatibility with all devices :

    Yubikey neo is NFC compatible, it's currently been tested on Android, RIM, Windows Phone and Symbian devices. iPhone don't have NFC support yet but I'm pretty sure that it will be added soon.

    You can implement NFC support inside your applications, to request that the user swipes the back of the phone with the yubikey.

    Yubikey is compatible with all desktop devices that have a usb port.

    2) Worry about loosing your yubikey :

    The whole principle about having a yubikey is to have more than one. You would have 2 or 3 yubikey's (I have a yubikey neo on my keyring, a yubikey nano plugged permanently into my computer, and a yubikey standard kept in a safe place as a backup key.

    3) People who don't want to invest in a yubikey or who don't like the idea :

    A yubiky implementation should be optional, people who want it can activate it and people who don't want it can disable it

    4) Worries about making it less secure :

    You would not allow one or the other but enforce yubikey + password. A hacker would have to physicaly have your yubikey and also have your password, making it almost impossible to bruteforce your 1Password master password.

    5) You would need internet access to log into 1Password :

    This would not be a problem for users who use 1Password for only accessing data online. I personaly print out my passwords and keep them in a safe place.

    My current worry is a hacker bruteforcing my passwords, it makes it a worry to keep my 1Password database on services like Dropbox.

    I know your answer to this is it would take years to bruteforce a 30 character password… well technology evolves, here's an example of a machine that is capable of generating (according to the article) 348 billion NTLM password hashes per second, and capable of cracking a 8 character password in 5.5 hours.
    It would obviously be slower on a 1Password database as it would require more ressources. We're pretty safe at the moment but we don't know what the future will bring with 4K monitors becoming a standard the number of GPU and power per GPU will increase.

    Why wait when there is an option that lots of us already want ?

  • benfdcbenfdc Perspective Giving Member

    iPhone don't have NFC support yet but I'm pretty sure that it will be added soon.

    Apple seems to be passing on NFC and pushing bluetooth 4.0 instead.

  • They don't do the same things. I can't see things like bank cards that are already nfc equipped having a battery and bluetooth added. Bluetooth 4 will enable broadcasts that the phone can pick up but bluetooth 4 doesnt allow to detect when an object is touching the device nor does it allow to have devices without battery. I still believe iPhone 6 will have NFC but privilage bluetooth for large data transfers.

  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    @rhorden,

    I think we can also get around your number 5 "users having to have an internet connection" by using the Yubikey in an unusual way. That is, if we just used the Yubikey as a storage device instead of using the authentication protocol, we could avoid that particular concern.

    However, that design choice would raise a different threat to the Yubikey: If the communication from the Yubikey to the host is intercepted then it can be replayed. (Basically the yubikey would just be storing a secret on it and giving that secret to 1Password upon request. We wouldn't be used the core security properties of Yubikey itself.)

    I think that that design choice would be inevitable, however. I don't see how to use a yubikey for encryption (as opposed to authentication) otherwise.

This discussion has been closed.