U2F support for Yubikey [under consideration for memberships; not applicable to standalone vaults]

Comments

  • pianoroy
    Community Member

    Some recent news regarding U2F: apparently, adopting U2F has eliminated successful phishing of Google employee accounts: https://krebsonsecurity.com/2018/07/google-security-keys-neutered-employee-phishing/

    Relevant HN discussion, with a lot of comments on U2F support or lack thereof in various password managers (including 1Password): https://news.ycombinator.com/item?id=17592422

  • Lars
    1Password Alumni

    Welcome to the forum, @pianoroy! Thanks for the links. You may also have caught Shane Huntley from Google's Threat Analysis Group tweeting about this subject recently. :)

  • andrewSpotlight
    Community Member

    +1 vote for U2F.

  • AGAlumB
    1Password Alumni

    Thanks for letting us know it's a feature you'd like us to add to 1Password. :)

  • Oleh
    Community Member

    Hi, using U2F such as YubiKey for 1Password is a priority feature for our small 100 person 1Password Team :blush:

  • AGAlumB
    1Password Alumni

    @Oleh: Have you tried Duo? I am not an expert on their offerings, but they seem to support U2F in addition to a variety of other second factor options.

  • Thomas
    Community Member

    Definitely +1 for YubiKey support for 1Password - and please both in the Mac App as well as in the iOS App using their new NFC SDK.

  • Oleh
    Community Member

    @brenty no, we didn't. They ask $6 / User / Month on top of 1Password subscription.

  • AGAlumB
    1Password Alumni
    edited July 2018

    @Thomas: Thanks for sharing your preference. :)

    To be clear, the apps themselves wouldn't be able to support this; like any authentication, it would need to be a 1Password.com feature, since there is no authentication possible with local vaults.

  • AGAlumB
    1Password Alumni

    @Oleh: Thanks for following up. I know their pricing varies by the size of the company and some other things. I rather like their service and all of the integration they offer, but then again I'm not paying for it out of pocket myself.

  • AGAlumB
    1Password Alumni

    Are you absolutely positive you couldn't use FIDO2 to unlock the local apps, at least on Mac/Windows? I mean, Linux has a PAM module to use FIDO1 for local login.

    @cobaltjacket: I'm not sure what you mean by "unlock", but it sounds like security theater since local vaults have no authentication component. That's why they're local: there's no server involved. 1Password's security is based on encryption in either case, but 1Password.com accounts do have an authentication component as well.

    And in terms of Duo, I personally think their offerings are not as good as Yubico's, which can be used for many other purposes (PIV, PGP/GPG, etc.) Yubikeys are also affordable. And if you need further convincing, take a look at what Google said this week in terms of how phishing attempts against their employees are non-existent since they implemented FIDO1 YubiKeys.

    Apples and oranges. Google's service has an authentication component. Local vaults do not. We do have our own service that supports two-factor authentication though. ;)

    This discussion has been going on for some time, and support for FIDO1/FIDO2 has increased dramatically - including first-party support by Microsoft and Intel. It's time.

    We've supported Duo authentication for some time, and U2F is one of the options available. :)

  • notauser
    Community Member

    It's been a while - is there any official discussion around U2F support within 1Password yet?

  • @notauser I’m not sure I follow. Brenty’s last update to this thread was only ~4 hours prior to your post. I wouldn’t call that “a while.” ;)

    1Password does support U2F via Duo, and we are looking into the possibility of a 1st party option, but I don’t have any more information than that to share. We typically don’t pre-announce features, preferring to wait to talk much if at all about them until they’re ready for release. As far as I’m aware we’re still in the brainstorming stages for anything beyond what we already get via Duo, but we do agree U2F is very interesting technology and would like to see how it might better fit into 1Password.

    Ben

  • MorgothSauron
    Community Member
    edited July 2018

    Like many I learned about Google using YubiKey/U2F, which helps "prevent" phishing.

    I did not check how many websites actually support U2F. I think it would be interesting to use U2F to unlock the 1Password vault.

    I use strong passwords everywhere and I enable OTP when I can, but "asking" for U2F would add, IMHO, a layer of security to access my vault.

    Any plan on your side to add U2F support? Thanks

    1Password Version: 7.x
    Extension Version: 1.8.2
    OS Version: Windows 10
    Sync Type: Not Provided

  • AGAlumB
    1Password Alumni

    @MorgothSauron: I hope you don't mind, but I've merged your post with the existing thread on this topic.

    It's something we're considering as a two-factor authentication option for 1Password.com, but not feasible for local vaults since there is no authentication involved.

  • tg0
    Community Member
    edited July 2018

    I, too, would love to see U2F as a way to authenticate, in addition to the existing 2FA via OTP.
    Yes, I know there's the "security key", and I appreciate you having to carefully weigh your design decisions, so I'd just like to add myself to the list of users here who would welcome it if it should arrive :)

  • Lars
    1Password Alumni

    Welcome to the forum, @tg0! Thanks for adding your voice to this thread. :) :+1:

  • tg0
    Community Member
    edited July 2018

    Incidentally, I just came across this blog post about phishing access tokens. That might be something to follow, to see if it stays within educational boundaries or if it'll be misused to change the attack landscape. Just putting it here FYI.

  • AGAlumB
    1Password Alumni

    Indeed, folks who are targeted by spearphishing attacks are at the greatest risk. :dizzy:

  • prime
    Community Member

    +1
    So far you guys haven’t let me down!

  • Lars
    1Password Alumni
    edited August 2018

    I hope we never let you down, @prime. Or run around. Or desert you. Darn it, I'm just Rickrolling you now, aren't I? ;)

  • LSTA
    Community Member

    I just tried Duo and I'm incredibly unsatisfied with it. It's a confusing, enterprise-oriented service that can only support one U2F key per user, when Google is adamant you should have two (and it makes sense from a customer support perspective).

    Also, Duo didn't let me use my Bluetooth U2F key with their mobile app. Google's definitely the first-class leader in mobile U2F support. The only thing seemingly missing from a more enterprise implementation is the ability to turn off the "remember this device" checkbox and require all sign-ins of a Google account to have a device for re-authentication.

    Re "security theatre" - It's possible to use YubiKeys as mini HSM devices to store encryption keys and perform encryption/decryption, but that's not the U2F spec. So it's possible to force unlocking to require a YubiKey or other secure cert storage. Then again, you could change how the encryption works requiring a plain file on a USB key as key material, for example.

    Why do I care so much about U2F? I'd trust the fingerprint/iOS Keychain with my very long "master" password if and only if I can force the use of a 2FA device on every login. I don't expect my fingerprints to be an attack target, but if you can use fingerprints or sudo to view saved passwords as is the case with Keychain, it's too exposed without requiring a second factor on every use.

  • AGAlumB
    1Password Alumni

    @LSTA: Personally I find it pretty user-friendly, but then again I'm not administrating it myself. I'm sure Duo would be glad to hear your feedback on their product. Anyway, you make some good points about the limitations of Keychain, and I do appreciate you sharing your use case for U2F. I also agree that it's important to have a backup. :)

  • SangLee77
    Community Member

    @brenty Any update on integrating YubiKey NEO via NFC into 1Password? I think YubiKey NEO via NFC is not working on LastPass. I would love to have the NFC feature work on iOS, Android, and Windows (I am not sure whether there are any Macs that have built-in NFC hardware).

    Thanks for your help and time in advance!

  • AGAlumB
    1Password Alumni

    @SangLee77: It's not something we have any news to share on at this time. I don't believe there are any Macs with NFC, but I admit I'm not completely certain either.

  • SangLee77
    Community Member

    Thanks @brenty for your quick update. My previous post had an error. I believe YubiKey NEO via NFC IS compatible with LastPass (both on iOS and Android). It would really be great to have the same feature.

  • AGAlumB
    1Password Alumni

    Thanks for letting us know your preference.

  • Dennis_van_Lith
    Community Member

    It seems LastPass, Dashlane & KeePass just pushed their focus towards YubiKey integration. You can find the support while going through the wizard. https://www.yubico.com/quiz/

    Also iOS is coming with an integration of YubiKey support in its Mobile SDK, though I'm not sure when. And with this new support the YubiKey can be used over USB or NFC as 2FA, making this a mere 95% support on mobile devices.
    https://www.yubico.com/2018/05/yubikey-comes-to-iphone-with-mobile-sdk-for-ios-and-lastpass-support/

    I can only imagine as 1Password is the leading password manager for professional and home use to go towards this road as well.

    So a big fat +1 from me.

  • Lars
    1Password Alumni

    @Dennis_van_Lith - thanks for adding your voice to this discussion. :)

This discussion has been closed.