Feature Request: YubiKey Support

tomasftomasf Junior Member
edited December 1969 in Lounge
Wouldn't it be nice if 1Password supported YubiKeys? Like if it had an option to require me to supply a YubiKey code every time it autofills a form. Since it's a simple keypress, it wouldn't be a hassle, and it would provide additional security instead of just blindingly filling out forms.

If you're not sure what YubiKey is, check this out: http://www.yubico.com/
It's pretty awesome.

Thanks,
Tomas
«13

Comments

  • NikNik 1Password Alumni 1Password Alumni
    edited December 1969
    Hello Tomas, welcome to the forums and thanks for your feedback. I don't know if this is possible or how it would fit 1Password's present and future scope, but I have added your request to our database, where you can monitor its status and our developers can consider it for future implementation:

    http://support.agilewebsolutions.com/project.php?issueid=134
    (reference 10359)

    --
    Gita Lal
    1Password Help Desk
    http://1password.com
    http://support.agilewebsolutions.com
  • steffisteffi Junior Member
    edited December 1969
    So I guess Yubikey is something that ideally could be used to unlock the keychain used by 1password?

    Assuming that's not possible. Is there any other way to integrate Yubikey then?
  • LifeBoyLifeBoy Junior Member
    edited December 1969
    I just checked out Yubikey and it seems like it would be an awesome device to implement with 1password. :-)

    ~lifeboy
  • stevenc317stevenc317 Members
    edited December 1969
    I am not sure I like this system. Questions I have are:

    1) How is the one time usage password generated and validated?
    2) Is that password based upon a timestamp?
    3) If so how do you protect from someone else generating an spoofed password using your seed and the timestamp?
  • NikNik 1Password Alumni 1Password Alumni
    edited December 1969
    Steven's reservations aside, we do have this request documented, so some hardware support is definitely on our radar. (I think if you search the forums, you may find a thread or two referring to YubiKey and other similar hardware.)

    http://support.agilewebsolutions.com/project.php?issueid=134

    --
    Gita Lal
    1Password Help Desk
    http://1password.com
    http://support.agilewebsolutions.com
    http://twitter.com/1Password
  • DarkskyZDarkskyZ Junior Member
    edited December 1969
    Got my Yubikey days ago and yes it would be awesome to be able to use it with 1Password. One more vote for this feature request :)
  • DarkskyZDarkskyZ Junior Member
    edited December 1969
    Got for it please. Yuibikey is very cool, just like 1Password so they are match in heaven.

    Please you code wizards @ agilesolutions have a look this way :)
  • Jon.pdxJon.pdx Junior Member
    edited December 1969
    Rohos login adds support to the os for allowing login with a generic usb device, iPod/iPhone, or now the Yubikey. They have a feature on Windows that works via bluetooth.

    The Yubikey sounds interesting. I'm trying out Rohos Login, but I would rather have it built into the OS. With all the phishing and rootkit issues on Windows, these things start to become more important.
    -jon
  • jsierlesjsierles Junior Member
    edited December 1969
    It's really easy to integrate. Do it!
  • jxpx777jxpx777 Code Wrangler 1Password Alumni
    edited December 1969
    We're exploring the options for hardware support in 1Password. At Macworld this year, we previewed Eikon fingerprint scanner integration. This is our first hardware integration, and I think we'll have to see how it goes before we consider supporting other solutions. We appreciate all the requests and enthusiasm.
  • M-3M-3 Junior Member
    edited December 1969
    The only thing keeping me from buying an application like yours (and I have my eye on yours because I believe it's the best of its kind) is some really secure way of unlocking it. I got my Yubikey about a week ago and I think it's fantastic! It really would be the perfect mate for your application. I promise I'll buy 1Password the day you add Yubikey support! :-D
  • CarlCarl Just Me
    edited December 1969
    M-3 wrote:
    The only thing keeping me from buying an application like yours (and I have my eye on yours because I believe it's the best of its kind) is some really secure way of unlocking it. I got my Yubikey about a week ago and I think it's fantastic! It really would be the perfect mate for your application. I promise I'll buy 1Password the day you add Yubikey support! :-D


    Technically, you could move the Agile Keychain to a USB thumb drive and when it is unplugged the data isn't even on the Mac so there isn't anything to unlock.
  • Jon.pdxJon.pdx Junior Member
    edited December 1969
    my impression is that Yubikey uses an open standard to generate a one time password. I'm not sure if this makes sense or not, but 1password could probably do this as well.

    Personally, I just got my Yubikey and if a site like google starts to support it as a part of openId, it could go fairly far. especially in the financial industry.

    -jon
  • gadgetdoctorgadgetdoctor Junior Member
    edited December 1969
    I'll add to the voices asking for Yubikey support. I'm already using one Yubikey as a static password to unlock but it would be good if 1Password could support the dynamic key for unlocking. Perhaps there could be a backup system for use off line when the servers are not able to complete the verification.
  • RaymoRaymo Junior Member
    edited December 1969
    I learned about YubiKey on the "Security Now" podcasts with Leo Laporte and Steve Gibson. Gibson was extremely impressed by it. I trust his judgement.

    I just order of them several last week, but it sounds like 1Password would be a good mate.
  • NikNik 1Password Alumni 1Password Alumni
    edited December 1969
    Thanks for the feedback, Raymo, and welcome to the forums.
  • HoylenHoylen Junior Member
    edited January 2010
    I would like to add my vote for YubiKey support in 1Password.

    A YubiKey would address the weakest link in 1Password: the master password. The master password needs to be manually typed in every time, so it is usually memorable and relatively short, and therefore less strong. Since it also doesn't change it is also vulnerable to keyloggers or people watching you type it in.

    The YubiKey is a hardware One Time Password (OTP) device. Every time you use it, it generates a different OTP string, so keyloggers are not a threat because replaying the OTP string will not work. The OTP is also very long (128 bits), so it is also very strong.

    The YubiKey has some important advantages over other hardware devices. Firstly, it emulates a USB keyboard, so no special drivers are required -- just plug it in, press the button, and it "types" out the one-time string. Secondly, unlike other one-time-password fobs you don't have to read off a number and then manually type that in. Thirdly, unlike enterprise oriented solutions, you don't need a server environment to validate the strings (it can all be done locally on the user's off-line Mac, although Yubico also provides servers). Fourthly, its security is based on cryptographically strong AES-128, which doesn't have false positives or false negatives like biometric devices do. Finally, it is extremely small, robust, and inexpensive (especially in bulk, maybe AWS can resell them to 1Password customers).


    Steven, here are some short answers to your questions:

    Firstly, a brief overview of what the OTP string is: it is simply a fixed serial number in the clear, followed by the AES-128 encrypted ciphertext of these fields: private ID (6 bytes), usage counter, timestamp, session usage counter, random number, and a checksum. The Yubikey device is configured with a secret key to perform the AES-128 encryption. The thing validating the OTP string also has the secret key, which it uses to decrypt the OTP string. If the OTP string decrypts properly, then it is assumed that the YubiKey generated it (since it is the only other thing that has a copy of the secret key).

    1) Here's how it could work. The user would configure their YubiKey with a secret, and they would also configure it into 1Password. Instead of typing in the master password, a OTP string could be entered using the Yubikey. The 1Password program will first check the serial number to see if it is a known Yubikey. Then it will try to use its copy of the secret to decrypt the OTP string: if it decrypted successfully then it knows the creator also has the secret. The wonderful thing about YubiKey is that they publish all the algorithms, so implementing your own checking code on the 1Password side is possible and you can see there are no back-doors. They also provide sample code in C and Java.

    2) The password is not based on a traditional timestamp, but uses something that is functionally similar -- the combination of the usage counter, timestamp, and session usage counter. The YubiKey device does not have a clock, which is an advantage because there is no battery to fail. It uses a "usage counter" that increments every time you plug the YubiKey into a USB port. And that is supplemented by an 8Hz "timestamp" clock and
    "session usage counter" (both of which reset everytime it is plugged in). It is not a real time clock, but does the job of making each generated OTP string unique, as well as provides enough ordering information for the checker to detect when OTP strings are suspiciously out of sequence.

    3) It does not prevent "someone else generating an spoofed password [OTP string] using your seed [secret key] and the timestamp" because the secret key is central piece of information that makes this work. If someone has the secret key, then they could generate OTP strings. Without the secret key, there is no way for an attacker to create a valid string. The hardware is designed so that the secret key cannot be extracted from the YubiKey. However, the secret key does need to be protected on the computer side too. But I suspect that this should be no worse than trying to protect fingerprint scanner data.

    Ideally, if someone stole your computer they still would not be able to decrypt the keystore. To achieve this, the keystore decryption key must not reside on the computer itself. This could be done by embedding the keystore decryption key into the "private ID" field of the OTP string. Although the shared secret is on the computer (since it needs this to decrypt OTP strings for validation), without a real OTP string they would not have the keystore decryption key. This is no less secure than the current use of a master password.

    The only limitation here is that the "private ID" is only 6 bytes (48 bits). Since 40 bit DES can be cracked by brute force, 48 bits is only marginally more difficult. And you might want to use some of those 6 bytes for other purposes, reducing its length. It could be argued that this is still better than many short master passwords that people would pick, so having just the YubiKey would still offer better security for many users.

    Alternatively, maybe 1Password can be set up to require both a YubiKey OTP string plus a "mini passphrase". The keystore decryption key is derived from both the "private ID" from the OTP string plus the mini passphrase. The mini passphrase increases the key length of the keystore decryption key, so that it is no longer brute forceable. Also, this would give 1Password two factor authentication: something you have and something you know. Even if someone got hold of the YubiKey, they would not be able to use it without knowing the mini passphrase. Depending on how secure the user wants to be, the mini passphrase could be zero length (because they are happy with a 48 bit keystore decryption key) or as strong as the master password they would have used if they didn't have a YubiKey.


    One more thing, you still would want 1Password to have a master password (just in case you loose your YubiKey). However, since the user doesn't need to enter the master password every time, it can be much longer and stronger. They can make it hideously cryptic, write it down and keep it somewhere safe. I think the user interface can still be kept simple, with one big text field for entering either a master password, an OTP string, or a mini password plus an OTP string -- the 1Password program can easily work out which one has been entered.


    Documentation of the YubiKey fields can be found in the YubiKey Manual at http://www.yubico.com/products/documentation/

    The "Security Now" episode 143 (mentioned by Raymo) is available at http://www.grc.com/securitynow.htm#143


    P.S. The support ticket URLs listed above do not work.
  • JohnONolanJohnONolan Junior Member
    edited December 1969
    Hi guys, I'd like some info on this too as I've just started using a Yubikey. From what I understand it's extremely easy to integrate, and I think it would compliment 1password nicely.
  • AltercationAltercation Junior Member
    edited December 1969
    I'd like to add a vote on this feature request... +1 yubikey support in 1password.
  • jsfrederickjsfrederick Junior Member
    edited December 1969
    Gentlemen,

    Have you seen the Yubikey yet? (http://www.yubico.com/products/yubikey/). It's quite interesting. Can you look at providing support for it. I'd like to be able to open up 1PW by using the Yubikey instead of typing my master password. Let us know what you think.

    Thanks.
  • NikNik 1Password Alumni 1Password Alumni
    edited December 1969
    Thanks for the suggestion! We don't currently have plans to add Yubikey support, but we appreciate your request.
  • KevinSKevinS Junior Member
    edited December 1969
    Please could I add another plea for yubikey support - using this would mean I could have a very long and very difficult password and not rely on having to type it in by hand. This would make 1password even more secure! There is another Mac password manager that has managed to institute yubikey support. I love 1P so would really like to see this functionality added.

    https://lastpass.com/index.php

    Thanks for considering it.

    Kevin
  • macpugmacpug Agile Customer Care
    edited December 1969
    Thanks, KevinS. We'll certainly take the requests into consideration. Thanks for the feedback.
  • neil_laubenthalneil_laubenthal Junior Member
    edited December 1969
    Just wondering if you have any plans to add two factor authentication similar to what LastPass does. While I still like 1Password better since it's much more Mac like . . .as a faithful follower of the TNO (trust no one) principle espoused by Steve Gibson of Security Now podcast fame . . .the addition of options similar to using a Yubikey, the Sesame concept, and the Grid concept (LastPass terms) to allow multiple factor authentication would be a super addition.

    Any chance those can be added? Given that LastPass is either free or 12 bucks a year . . .it's cheaper than 1Password and provides some additional security features.
  • robrob Agile Customer Care

    Team Member
    edited December 1969
    Just wondering if you have any plans to add two factor authentication similar to what LastPass does. While I still like 1Password better since it's much more Mac like . . .as a faithful follower of the TNO (trust no one) principle espoused by Steve Gibson of Security Now podcast fame . . .the addition of options similar to using a Yubikey, the Sesame concept, and the Grid concept (LastPass terms) to allow multiple factor authentication would be a super addition.

    Any chance those can be added? Given that LastPass is either free or 12 bucks a year . . .it's cheaper than 1Password and provides some additional security features.


    That's definitely an interesting idea. I'm not sure if/when we could do something like this, but I'm afraid it won't be very soon. We are always open to change, though, and development plans can change very quickly.

    Thanks for the feedback!

    Edit: I forgot to mention, welcome to the forums, Neil! We're glad you are around, and please feel free to offer additional feedback, as well as post questions or problems here in the forums.
  • Alex KnightAlex Knight Member
    edited December 1969
    I just ordered my Yubikey today and wanted to add my feedback as well. Would love to see 1Password work with it.
  • johnbtzjohnbtz Junior Member
    edited December 1969
    Add my vote as well. I'm trying to introduce more macs in our environment at work and we require dual factor authentication. This would be a great selling point.
  • robrob Agile Customer Care

    Team Member
    edited December 1969
    johnbtz wrote:
    Add my vote as well. I'm trying to introduce more macs in our environment at work and we require dual factor authentication. This would be a great selling point.


    Welcome to the forums, johnbtz, and thanks for the vote!
  • Alex KnightAlex Knight Member
    edited December 1969
    stu wrote:
    Thanks Alex, good to know you'd find it useful. No promises on if and when this will be available, but as Gita has mentioned it's certainly on the radar.


    No worries. I know as a company (I can relate) you have to prioritize features based on available resources and requests.
  • kylefkylef Junior Member
    edited December 1969
    YubiKey support would be nice, my YubiKey got delivered earlier, going to set it up using a static password.
This discussion has been closed.