Does 1Password support 2 Factor Authentication with YUBIKEY ?

alexanderscherer
alexanderscherer
Community Member

I am currently using LastPass Premium with a Yubikey Device to have 2-Factor-Authentication for my vault.

Does the latest Mac Version of 1Password have Yubikey support as well ?

Not having support for 2FA would pretty much be a deal-breaker for me, since I can't use TouchID on my Mac :-(

...although I really want to switch to 1Password !

Thanks in advance !


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:yubikey

Comments

  • alexanderscherer
    alexanderscherer
    Community Member

    Bump! No advice or comments ?

  • AGAlumB
    AGAlumB
    1Password Alumni

    Bump! No advice or comments ?

    @alexanderscherer: Careful! Posting repeatedly puts you right back at the top and makes it look like your thread is newer than everyone else's, and we try to work our way from oldest to newest to make sure no one gets missed! I just happened to have this open already when you posted a second time. :dizzy:

    Does the latest Mac Version of 1Password have Yubikey support as well ?

    No. 1Password and AgileBits don't know anything about you, so we cannot authenticate you. Your 1Password data is stored only on your device unless you choose to sync it elsewhere, and it isn't a service that you login to. There is no gatekeeper for your data who can authenticate you; rather, it is encrypted using your Master Password. I hope this helps! :)

  • alexanderscherer
    alexanderscherer
    Community Member
    edited October 2015

    Sorry Brenty, will bare this in mind for the future ;-)

    So would you say your software is as safe as 2FA or that second level of security doesn't make sense with 1Password ?

    Would it not be possible to strengthen the Master Password Login with a Yubikey 2FA ? Or is network access required for that to work ?

    Or does 2FA simply not work with locally encrypted data ?

    Or can you add support for a 2nd keyfile that needs to be there for decryption for the data ? So that one could store a keyfile on an external usb drive for example ?

    Thanks in advance !

    Alexander Scherer

  • AGAlumB
    AGAlumB
    1Password Alumni

    @alexanderscherer: No need to apologize! I just didn't want you to think we'd intentionally left you hanging. :)

    So would you say your software is as safe as 2FA or that second level of security doesn't make sense with 1Password ?

    It really, really depends. I'm sure that there are solid services out there that store your data securely and use 2FA. But security is hard. Just look at all of the data breaches! Coding is hard. Just read the list of security fixes any time you update an OS! I guess my point is that even with a solid security model, humans can make mistakes in the implementation. And if someone else is serving as the gatekeeper to your data, authenticating you, a mistake they make can mean your data is vulnerable.

    1Password avoids that whole mess by letting you control your data. AgileBits doesn't have it, so we can't be hacked in order to take it. But that also means that we (or any other party) cannot authenticate you, once, twice, or ever. For this reason, 1Password uses a 'simple' implementation of industry standard encryption. We're not doing anything crazy that could provide a loophole or backdoor due to oversight or poor planning. We just encrypt your stuff.

    Could someone do it right? Absolutely! But when you're blindly relying on someone else to do this, there's no guarantee. Granted, we're all essentially doing this in a many cases with out digital lives, but having 1Password as a solution that can work entirely independently (offline, etc.) is really important to us and many of our customers. It sounds like you might not have checked out the link I snuck into my last post. If not, definitely check it out, as I think it may be right up your alley:

    Authentication vs. Encryption

    Would it not be possible to strengthen the Master Password Login with a Yubikey 2FA ? Or is network access required for that to work ?

    If you're using it as a one-time password, then it would need to synchronize with a server to authenticate, so yes. On the other hand, using something like a YubiKey as a dumb keyboard emulator to enter your Master Password (or part of it) could allow for a stronger Master Password. I actually used to do this, but I don't recommended it for two reasons: 1 if you lose it (or it breaks), you're probably hosed (unless you have the code backed up somewhere safe), and 2 this is really not feasible on mobile devices (which is why I ditched it years ago).

    Or can you add support for a 2nd keyfile that needs to be there for decryption for the data ? So that one could store a keyfile on an external usb drive for example ?

    This is an idea we've toyed with. But again then you're in a situation where you're hosed if you lose the thing. I feel like it's better to have a Master Password that you at least could remember, even if we're none of us perfect. If you never know it (or a separate, equally important key) in the first place...well, then if you lose it that's it.

    We'll continue to evaluate this and other options though, as I hope we'll be able to come up with a way to increase security further in such a way as not to also be a liability. Thanks so much for bringing this up! :chuffed:

  • alexanderscherer
    alexanderscherer
    Community Member

    Hi Brenty,

    thank you very much for this in-depth reply. Highly appreciated !

    You have pointed out some valid points and I understand the concept way better now.

    I agree with you that 2FA with Yubikey on mobile devices is still kind of a problem.. or at least not very practical. That's why I had to drop 2FA on my iPhone..

    I'd vote for the option to have a 2nd keyfile for decryption, because I always store multiple backups of those important files at different locations for maximum security. Maybe you can think about it in the furure updates ;-)

    Best regards,

    Alexander Scherer

  • AGAlumB
    AGAlumB
    1Password Alumni

    I'm glad to be of help, Alexander! We'll certainly see if we can add additional security measures in the future. We just want to make sure we do it in such a way that it makes our lives easier and not more confusing. Thanks so much for taking the time to let us know that matters to you — and listening to me carry on about security. Cheers! :chuffed:

This discussion has been closed.