Support for Yubico "Security Key"?

XIII
XIII
Community Member
edited April 2018 in Lounge

Yesterday Yubico introduced their new Security Key, including this:

  • strong first factor, with the possession of the device only, allowing for a passwordless experience like tap and go

I would love to see support for this in the Windows and Mac App as a replacement for the password for family members who have trouble remembering a strong master password.

«1

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @XIII: This has been possible with Yubikey and similar devices for years. It's just not something we recommend since, unlike a password you forget, which you could potentially remember, you're completely out of luck if you lose it. Also, unlike a password that's only stored in your brain, someone could steal it. Using account recovery in a family or team environment can let you sort of have it both ways, without having something that can be lost or stolen, but also having a way to help your loved ones get in if they lock themselves out, if you're an admin. Yubikey does interesting stuff and we'll continue to evaluate to see if there's a good fit with 1Password in the future. Cheers! :)

  • XIII
    XIII
    Community Member

    I get it.

    Still: maybe a very secure password on a device that never leaves the house might be better than a weak master password (that's used online)?

  • AGAlumB
    AGAlumB
    1Password Alumni

    Yeah, that's an interesting trade-off. I wouldn't personally be able to live with being able to access 1Password only at home, but perhaps others would. :)

  • XIII
    XIII
    Community Member

    iPhone (with TouchID) on the go, desktop Windows PC at home (for the family members having a hard time remembering strong passwords).

  • AGAlumB
    AGAlumB
    1Password Alumni

    :) :+1:

  • mvandam
    mvandam
    Community Member

    Even though I understand the risks of separate hardware tokens, I also see them as an added value for elevated security. And it shouldn't be the only form of 2FA, but an additional form of 2FA.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @mvandam: I think that's reasonable. Perhaps we'll be able to add additional options like that in the future. Thanks for weighing in! :)

  • mvandam
    mvandam
    Community Member

    You're welcome :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    :chuffed: :+1:

  • XIII
    XIII
    Community Member
    edited May 2018

    YubiKey comes to the iPhone with Mobile SDK for iOS and LastPass support” - Yubico

    https://www.yubico.com/2018/05/yubikey-comes-to-iphone-with-mobile-sdk-for-ios-and-lastpass-support/

    Does AgileBits have any plans for this kind of 2FA?


    Sync Type: 1Password.com

  • AGAlumB
    AGAlumB
    1Password Alumni

    @XIII: While I don't have any plans to share, it's something we've been evaluating. :)

  • michael_mitchell
    michael_mitchell
    Community Member

    +1 on wanting this to happen

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks for chiming in! :)

  • Praxum
    Praxum
    Community Member

    also +1 on this feature

  • roustem
    edited May 2018

    I do not think this is a support for FIDO U2F but for a less secure, proprietary YubiKey protocol. I thought that Yubico switched to U2F completely but it seems that they are still keeping their old technology in place.

    In this case, I would have to agree with most of the points made in the YCombinator thread here: https://news.ycombinator.com/item?id=17125329

    We do not have unlimited resources and I would rather spend ours on adding support for U2F.

  • richardburt
    richardburt
    Community Member

    I too have a yubikey but to be honest with you I'm a bit underwhelmed with what it offers.

    My assumption was that I'd be able to go through my various accounts and delete phone numbers, 2FA settings etc and solely use the Yubikey but in practise that isn't what I can do.

    Every site I've register the key with still need phone numbers and 2FA before you can then add the key which just defeats the purpose of having the key. It's become an alternative way of logging in rather than THE way to login.

    It's a good idea but will only work as I think it should when humans stop begin forgetful. Until then it doesn't add anything to my digital life.

    In fact, the ONLY thing I've found that works as I imagine it should is the Yubi Authenticator app for Android where you have to tap the key to the phone (NFC) before it unlocks the... 2FA number list! An extra step for small gain.

    For the time being it's sitting in a USB port and allowing me to log into my Windows 10 computer automatically without having to type in password, PIN code etc. A saving of a massive 10 seconds!

  • AGAlumB
    AGAlumB
    1Password Alumni

    Hey, those 10 seconds add up though! But I agree: that's a bit confusing as a user too. I don't think humans will stop being forgetful, but fortunately there are a lot of smart people working on these problems. Thanks for sharing your experiences! :)

  • purplejoe
    purplejoe
    Community Member

    @richardburt and @brenty, I think part of the point of using a physical security key is being missed here. Yes, you have to often enable SMS or some other method, but that's not the security hole. It's using those methods that provides the most risk. These keys are used mainly to address phishing attempts where someone might be tricked into putting in a code, thereby giving an attacker immediate access to the account. For mobile, you're either stuck being extra mindful or using a NFC / BLE key. You still have the alternate code options (like SMS or Authenticator) but eliminate the phishing risk when using the physical key.

  • jpinnix
    jpinnix
    Community Member

    +1 For Yubikey Neo support. Longtime 1P user, but have some projects where I need this.

  • prime
    prime
    Community Member

    A vote here. I was on the fence because of the “what if” I lost it. But it’s my responsibility for this and I rather be locked out of my 1Password account then it falls into the wrong hands.

  • jpinnix
    jpinnix
    Community Member

    @prime Most of the time there is a backup method if the physical key is lost

  • rudy
    edited August 2018

    @prime,

    you voted three times, I believe that nullifies like 100 votes?

  • prime
    prime
    Community Member
    edited August 2018

    @rudy I’m from Chicago. In Chicago you vote early and you vote often. :lol:

  • Oi vey. :pirate:

    Ben

  • jpinnix
    jpinnix
    Community Member

    @prime LOL

  • That's hilarious. :)

    Rick

  • Davert
    Davert
    Community Member

    Not to distract but SOME sort of hardware key would be very welcome.

  • Thanks for the feedback, @Davert.

    Ben

  • midas
    midas
    Community Member

    I'd also throw in that multiple security keys alleviate this issue. At google I had one that was always at work, and another on my keychain. For personal use, I'd like to have one on my keychain, and one at home (in a safe or somesuch). This way if I was robbed, I could later login and reject the compromised key. That way I'd always have one on me, but it isn't my last resort.

  • XIII
    XIII
    Community Member
    edited September 2018

    In my Twitter feed I saw this today:

    Maybe I misunderstand, but isn't this just a "workaround" and not a full YubiKey implementation?

This discussion has been closed.