My reading of this is just using either a NEO or 4 series YubiKey along with the Yubico Authenticator App to create the changing 6 digit code - as you would see in Authy/Google Authenticator/OTP Auth etc. apps on your phone - these keys can store a number of secrets on the key itself that the Authenticator App then reads to generate the 2FA Code.
Yes, that was what I thought as well; it's not using U2F or Yubico's proprietary authentication?
The Yubico Authenticator Guide does seem to suggest that it also works with the YubiKey Standard. That's a key I never heard of, but it might be the v2 key I have...
Might experiment with this when I find that key...
(this might be a nice 2FA "backup" for if I lose my iPhone)
PSA: New subscribers to Wired ($5 for the first year, Labor Day sale) get a free YubiKey 4...
Ah interesting. And yeah, Yubico has a lot of different offerings. It can be a bit confusing. Can always give it a try.
Confirmed: if you set the "Authentication Mode" to "Yubikey Slots" you can also use an old (v2) YubiKey.
One caveat: I could only add the credential on my Windows 10 PC (not on a Mac). Reading the code then works on both that PC and my Mac.
Note: while I programmed slot 2 (out of 2) it did change the behavior of my YubiKey; normally a short press would reveal the standard Yubikey generated string, but now I have to long press the key (which would use slot 2 in the past).
Thanks for sharing that info @XIII. Now I'm sorry I missed the Labor Day sale. Looks like it is $10, which is probably still a steal, but I need to sleep on it.
This guide may be of interest:
We have been working to make sure that 2FA in 1Password provides real security benefits instead of being mere security theater. And we want to make sure that the benefits outweigh the risks it introduces.
I would strongly recommend that people with an interest in 2FA for a password manager read the 2FA section of Paul Moore's article from a few years ago: Password Managers: Facts, Fallacies & FUD
So 2FA in 1Password may not work the ways that are familiar to you, but that is because unlocking 1Password isn't like logging into your bank. We'd rather do this in a way that is meaningful (even if a bit unusual) instead of something that is just for show.
Yubico introduced the YubiKey 5 today. Nothing of interest for 1Password?
Well of course they did. I just bought the Yubikey 4 Neo a week or so ago.
I’m not sure “nothing of interest” is accurate, but I also don’t see how this would change anything w/r/t to 1Password at least in the short term.
"passwordless" login (asymmetric encryption via the hardware token) is the future for both the business side as well as consumer side. Whether that's an actual total replacement of passwords, or merely used as a second form of authentication with a pin, biometric, password, whatever ... this is where the market is moving.
I understand from a business perspective why Agilebits would be very hesitant, heck even combative of the idea ... but this is basically service providers finally catching up to years of NIST suggestions, consumer complaints, and countless data breaches.
This type of move is a consumer blessing. Why? Because users can authenticate with hardware tokens which don't require a monthly subscription plan. Service providers could, and are, providing these tokens for basically free to their users. Consumers wont have to remember numerous complex passwords, reuse passwords, or utilize paid or free password managers to generate and manage it for them ... they will just need a hardware token that does the heavy lifting.
And - if you wanted to take this a step farther, though im not sure it's entirely needed at this point - imagine a dedicated piece of hardware that serves both purposes. A hardware asymmetric encryption device that uses FIDO and U2F, as well as integrates either on device or via an app the password management aspect. Sound crazy? It already exists.
Hardware tokens are in. They offer a great advantage for consumers. Companies are moving fast to try and make passwords the second, optional factor while hardware tokens are the first. I said about a year ago that if Agile didn't move to incorporate FIDO and u2f support for consumer accounts in a meaningful way I would move to other solutions. We did that. I hope you consider your options and take these suggestions to heart, not my suggestions ... but the hundreds of users who have asked ...... GIVE US u2F SUPPORT
What such an offering would look like, I dont know. Maybe agile works to make their own chip and harware token? Maybe agile concedes to companies like Yubico that FIDO2 has the potential to entirely replace passwords while agiles product manages that second factor. I dont know.
also - this whole thing of ... __what if you lose your token __fearmongering stuff
what if you lose your master key? What if the service does what any responsible service does and permits you to add a second backup token that you should keep in your lockbox?
Just as everyone actually prints and stores a copy of their Emergency Kit in a lockbox as directed, right?
U2F is indeed really cool technology and it is something we’re keeping a close eye on to see how we might best support it via 1Password.
I personally would love to see FIDO support now that google has even released their own brand of security keys called the Titan Security Key and uses WebAuthn. I've just activated my kit personally
Thanks @cellsheet. It is definitely interesting technology. We’re watching its evolution closely and evaluating if there may be a way to have it provide meaningful benefit to 1Password.
I’ve merged a couple of threads on the same subject here, so apologies if anything appears disjointed.
I'd just like to throw my hat into the ring with a +1 for FIDO2 support. I appreciate having OTP 2FA support, but FIDO2 is quite a bit more secure and easier. While Yubico's YubiKeys support OTP, not all the FIDO supporting keys do. (FIDO2 (WebAuthn) is backwards compatible with older FIDO U2F keys, btw) You can get Feitian FIDO keys with NFC for phones and USB-A for PCs on amazon for about $17. When using them for Google, Google will only let you register to use the keys if you have two of them, in case you lose one, you can deregister it and continue using the spare.
I'd personally love to use a FIDO2 key to log into my 1Password vaults on my computers and mobile, but I can understand if you'd only want to use it for logging into the account on new devices. For me, carrying around a key I can plug into my computer or tap on my phone is way more convenient than typing in a 30+ character password every few minutes. (Being that's it's FIDO, it'd be a lot more secure too.)
It'd also be nice to see WatchTower support telling us which websites support FIDO UAF/U2F and FIDO2. There's surprisingly few right now. xD
@WakeArray: Thanks for not only the feedback letting us know what you're looking for, but also a fairly good overview of options out there. While not particularly user-friendly, having Watchtower notify of sites that support that could be cool. Perhaps these are features we can add in the future. Cheers!
I realise this thread is a bit old, apologies for that!
Firstly, just if anyone comes across this and needs some updated information, 1Password now **does **have compatibility with the Yubikey (I'm personally using the Yubikey 5 NFC series with no problems).
A few people here spoke about the negatives (as well as the positives) of using a physical key. In reality the "tool" can only work as well as the wilder of said tool.
I believe that @purplejoe was spot on point when he said [paraphrasing] that these (security) keys, and in addition to all the other security measures one _should _ take to work in this industry, this alone will not make a system secure. (Forgive me as I don't know the general demographic on this forum - IT experts, casual users, just interested). A common phrase heard in IT, I hear it mostly in coding as that's my job, but I"m sure it applies elsewhere, is that a very common error 'techhies' come across are called a "Layer 8 Issue/Problem" - I won't go into details, it'll bore others I'm sure but it's essentially stating that, errors - a majority of errors - actually originate (caused by) the user themselves; not the network admin, not the coder, not the system admin, not the helpdesk dude. My point being that ultimately (and IMO we're getting very closer and closer to this time) (especially) security issues or break ins ** aren't ** due to the technology itself. Not sure if anyone has heard this phrase but the scariest types of hackers out there are using a technique called Social Engineering. If you think about all the billions of dollars, research hours, brilliant minds which have done in incredible things with respect to cryptology, obfuscation, algorithms, etc. the technology has (easily, decades ago) surprised the ability for one person (or group) to break these cypher. Logically, the next "weak" point is the human. How many people's passwords are abc123 , 123456, password, qwerty -- this isn't a fault or 'bug' in the security software - it's human.
With the trending progression of increased processing power, memory, cloud computing, pricing drops (for purchasing equipment as well as hiring computing time. Think: (Google's) AWS, (MIcrosoft's) Azure, IBM and Oracle Cloud. And which may be major players not most definitely not the only.
@roustem I haven't read your linked article yet but seems interesting! Actually I haven't heard much about Yubikey's proprietary encryption protocol at all but I am glad they're (replacing?) releasing their latest with FIDO U2F, which is generally the gold standard for security keys at the moment? (That was a very tentative question as I'm not 100% sure - feel free to correct of course!
Indeed, I think an important thing to take away is that security has many layers, and is an ongoing process -- from developers to end users.
Anyway, for anyone who might be interested, you can find more information about this feature on our support site: