Any plans to add support for yubikeys via NFC?

Comments

  • Ben AWS Team

    Team Member

    @davdroman

    What makes sense in one context doesn't necessarily make sense in another. 1Password is primarily built around protecting your data with encryption as opposed to authentication. This is a form of the latter, and adds the most benefit to services that rely on strong authentication methods for protecting your account. That isn't to say that there may not be any merit to it, and indeed there may be yet, but at this point we haven't committed to it. Adding something to 1Password simply because a competitor has done so seems like a race to the bottom. We'd rather make well-informed, well-reasoned decisions about the direction we're headed. We may add this, but we want to make sure there is a solid benefit to doing so. Beyond the question of what benefit this would actually add to 1Password, assuming the benefit exists, we still need to weigh it against other demands. We only have limited development resources, and so we need to be sure we're using them to create the most benefit for the most customers.

    Thanks.

    Ben

  • Endareth
    edited January 29

    Surely the primary security for Teams/Family accounts has got to be around the authentication, which is where increasing the ease of use of an NFC Yubikey would be a big plus for the average user. Especially with your push towards those subscription-based services! It’s hard enough getting all our users running 1Password as it is, and enforcing 2FA as well just makes it a bit harder again. Anything that can make it easier to keep users secure has got to be worthy of serious consideration.

  • Ben AWS Team

    Team Member

    @Endareth

    Surely the primary security for Teams/Family accounts has got to be around the authentication

    That's not the case, which is why I say what makes sense for one system may not make sense for another. 1Password relies primarily on encryption, rather than authentication, for your data's security. Yubikeys would arguably help the latter, not the former.

    Ben

  • LastPass does this, 1Password should too. I hope we don’t see 1P falling behind the competition for too long on this 🙂

  • Ben AWS Team

    Team Member

    @gandalf_saxe

    I mentioned above, but in case you missed it:

    Adding something to 1Password simply because a competitor has done so seems like a race to the bottom. We'd rather make well-informed, well-reasoned decisions about the direction we're headed. We may add this, but we want to make sure there is a solid benefit to doing so.

    It is something we're evaluating, to see what the benefit might be to 1Password's security model, but we're not going to add it just because LastPass did. :)

    Ben

  • edited February 3

    @Ben

    That’s fair 🙂 let me just note that you have already deemed it beneficial enough for your security model that it’s implemented for desktop operating systems. All I’m asking is for platform parity so I don’t get stuck in a situation only with my phone and Yubikey and no way to access my passwords.

  • Ben AWS Team

    Team Member
    edited February 3

    @gandalf_saxe

    That’s fair 🙂 let me just note that you have already deemed it beneficial enough for your security model that it’s implemented for desktop operating systems. All I’m asking is for platform parity so I don’t get stuck in a situation only with my phone and Yubikey and no way to access my passwords.

    Ah, so that is actually a different thing. We support using Yubikey to generate TOTP codes for 1Password accounts. This uses Yubikey's Authenticator app, which I believe is not available on iOS (*). To the best of my knowledge Yubikey doesn't support generating TOTP codes on iOS (even via NFC). Their devices just don't do that, at least not yet.

    This thread is about U2F over NFC, which is a different authentication technology from TOTP. It may be that U2F would be a suitable substitute / alternative for 1Password accounts, but we don't know that yet. TOTP is the much more prevalent technology.

    Ben

    (*) From the guide:

    Yubico Authenticator requires Mac, Windows, Android, or Linux. To sign in to your 1Password account on an iOS device, use a different authenticator app.

  • @Ben

    Ah ok, fair enough. Sounds like it's up to Yubikey to make an iOS authenticator app. That was my main request :)

    However I'd still love to see 1Password support Yubikey on iOS via NFC :chuffed:
    As I see it, it allows us to add another true multi-factor into the mix, in the unlikely case that one's 1Password account is compromised / somehow accessed.

  • Ben AWS Team

    Team Member

    Thanks for the feedback. :)

    Ben

  • +2 (wife agrees lol) on Yubikey NFC support for iOS

  • Ben AWS Team

    Team Member

    :+1:

    Ben

  • @Ben

    but we're not going to add it just because LastPass did.

    Just as a note, LastPass actually haven't added support for this. Dashlane are the only ones afaik.

    While I'm usually for these types of decisions, I'm afraid I have to disagree on this one. U2F is basically the standard nowadays for 2-Factor Security and I can list plenty of websites/companies that have adopted U2F. Given the nature of 1Password and the type of information it stores, I'd honestly say U2F should be your next priority (while still maintaining OTP for those without keys that support U2F).
    Sites that have adopted U2F (Just to name a few):

    • Google
    • Twitter
    • Facebook
    • Dashlane
    • Youtube

    I absolutely love 1Password, but I have to say this is pretty much a make or break feature for me. If U2F wasn't to be implemented in the coming months I'd probably have to switch since the only reason I even use U2F in the first place is because all of my OTPs are stored inside 1Password, but obviously I can't store the OTP for 1Password inside my own 1Password vault.

    So just given the nature of how everything is set up, U2F makes perfect sense to be implemented.

  • brenty

    Team Member

    @DeDefiance: Thanks for the clarification. Someone above seemed to think it did, so maybe there was some confusion about that. Hard to keep track of it all. :)

    Regarding the topic at hand, I'm not sure we're on the same page here regarding U2F. It sounds like maybe you want to somehow have 1Password use that to interact with websites. Maybe I'm misunderstanding, but I'm not sure how that would work. 1Password can store TOTP secrets to generate (and in some cases fill) one-time passwords, but U2F is sort of a different beast.

    However, if you mean you want to use U2F to authenticate with 1Password itself, that's something we're evaluating, but...

    1. That would only work with 1Password accounts, since there is no authentication component at all otherwise.
    2. That would not apply when using 1Password locally since there is no authentication happening there, but rather encryption.

    Certainly it would be possible to have 1Password contact the server to re-authenticate any time you try to access it, but then you would not be able to access your data without an internet connection. For a lot of people, that's a dealbreaker, but as I said, there may be a use for this in a more limited capacity as well. Cheers! :)

  • @brenty
    By U2F, I'm talking about hardware key authentication such as YubiKeys (native YubiKey, not TOTP).

    For example:
    New PC, Install 1Password, Login, Insert Yubikey, Press Button, Done.

    You could possibly also add it for accessing passwords/vaults as well. Perhaps every x hours, configurable in the settings.

    You could obviously have it customisable in settings so that users who, like you said, want to use 1Password offline aren't forced to use it.

    Like I said, inside 1Password, I have all my TOTP for sites like Google, Twitter, etc... But then when it comes to 1Password, I can't really use TOTP with 1Password itself since obviously that won't work.
    I'm currently using TOTP on my YubiKey but it's incredibly impractical and would make more sense to implement it natively like stated above.

  • Ben AWS Team

    Team Member

    Thanks for the feedback. :)

    Ben
