Any plans to add support for YubiKeys via NFC?

Comments

  • Ben AWS Team

    Team Member

    @davdroman

    What makes sense in one context doesn't necessarily make sense in another. 1Password is primarily built around protecting your data with encryption as opposed to authentication. This is a form of the latter, and adds the most benefit to services that rely on strong authentication methods for protecting your account. That isn't to say that there may not be any merit to it, and indeed there may be yet, but at this point we haven't committed to it. Adding something to 1Password simply because a competitor has done so seems like a race to the bottom. We'd rather make well informed well reasoned decisions about the direction we're headed. We may add this, but we want to make sure there is a solid benefit to doing so. Beyond the question of what benefit this would actually add to 1Password, assuming the benefit exists, we still need to weigh it against other demands. We only have limited development resources, and so we need to be sure we're using them to create the most benefit for the most customers.

    Thanks.

    Ben

  • Endareth
    edited January 29

    Surely the primary security for Teams/Family accounts has got to be around the authentication, which is where increasing the ease of use of a NFC Yubikey would be a big plus for the average user. Especially with your push towards those subscription based services! It’s hard enough getting all our users running 1Password as it is, and enforcing 2FA as well just makes it a bit harder again. Anything that can make it easier to keep users secure has got to be worthy of serious consideration.

  • Ben AWS Team

    Team Member

    @Endareth

    Surely the primary security for Teams/Family accounts has got to be around the authentication

    That's not the case, which is why I say what makes sense for one system may not make sense for another. 1Password relies primarily on encryption, rather than authentication for your data's security. Yubikeys would arguably help the latter, not the former.

    Ben

  • LastPass does this, 1Password should too. I hope we don’t see 1P falling behind the competition for too long on this 🙂

  • Ben AWS Team

    Team Member

    @gandalf_saxe

    I mentioned above, but in case you missed it:

    Adding something to 1Password simply because a competitor has done so seems like a race to the bottom. We'd rather make well informed well reasoned decisions about the direction we're headed. We may add this, but we want to make sure there is a solid benefit to doing so.

    It is something we're evaluating, to see what the benefit might be to 1Password's security model, but we're not going to add it just because LastPass did. :)

    Ben

  • edited February 3

    @Ben

    That’s fair 🙂 let me just note that you have already deemed it beneficial enough for your security model that it’s implemented for desktop operating systems. All I’m asking is for platform parity so I don’t get stuck in a situation only with my phone and Yubikey and no way to access my passwords.

  • Ben AWS Team

    Team Member
    edited February 3

    @gandalf_saxe

    That’s fair 🙂 let me just note that you have already deemed it beneficial enough for your security model that it’s implemented for desktop operating systems. All I’m asking is for platform parity so I don’t get stuck in a situation only with my phone and Yubikey and no way to access my passwords.

    Ah, so that is actually a different thing. We support using Yubikey to generate TOTP codes for 1Password accounts. This uses Yubikey's Authenticator app, which I believe is not available on iOS (*). To the best of my knowledge Yubikey doesn't support generating TOTP codes on iOS (even via NFC). Their devices just don't do that, at least not yet.

    This thread is about U2F over NFC, which is a different authentication technology from TOTP. It may be that U2F would be a suitable substitute / alternative for 1Password accounts, but we don't know that yet. TOTP is the much more prevalent technology.

    Ben

    (*) From the guide:

    Yubico Authenticator requires Mac, Windows, Android, or Linux. To sign in to your 1Password account on an iOS device, use a different authenticator app.

  • @Ben

    Ah ok, fair enough. Sounds like it's up to Yubikey to make an iOS authenticator app. That was my main request :)

    However I'd still love to see 1Password support Yubikey on iOS via NFC :chuffed:
    As I see it, it allows us to add another true multi-factor into the mix, in the unlikely case that one's 1Password account is compromised / somehow accessed.

  • Ben AWS Team

    Team Member

    Thanks for the feedback. :)

    Ben

  • +2 (wife agrees lol) on Yubikey NFC support for iOS

  • Ben AWS Team

    Team Member

    :+1:

    Ben

  • @Ben

    but we're not going to add it just because LastPass did.

    Just as a note, LastPass actually haven't added support for this. Dashlane are the only ones afaik.

    While I'm usually for these types of decisions, I'm afraid I have to disagree on this one. U2F is basically the standard nowadays for 2-Factor Security and I can list plenty of websites/companies that have adopted U2F. Given the nature of 1Password and the type of information it stores, I'd honestly say U2F should be your next priority (While still maintaining OTP for those without keys that support U2F.)
    Sites that have adopted U2F (Just to name a few):

    • Google
    • Twitter
    • Facebook
    • Dashlane
    • Youtube

    I absolutely love 1Password, but I have to say this is pretty much a make or break feature for me. If U2F wasn't to be implemented in the coming months I'd probably have to switch since the only reason I even use U2F in the first place is because all of my OTPs are stored inside 1Password, but obviously I can't store the OTP for 1Password inside my own 1Password vault.

    So just given the nature of how everything is set up, U2F makes perfect sense to be implemented.

  • brenty

    Team Member

    @DeDefiance: Thanks for the clarification. Someone above seemed to think it did, so maybe there was some confusion about that. Hard to keep track of it all. :)

    Regarding the topic at hand, I'm not sure we're on the same page here regarding U2F. It sounds like maybe you want to somehow have 1Password use that to interact with websites. Maybe I'm misunderstanding, but I'm not sure how that would work. 1Password can store TOTP secrets to generate (and in some cases fill) one-time passwords, but U2F is sort of a different beast.

    However, if you mean you want to use U2F to authenticate with 1Password itself, that's something we're evaluating, but...

    1. That would only work with 1Password accounts, since there is no authentication component at all otherwise.
    2. That would not apply when using 1Password locally since there is no authentication happening there, but rather encryption.

    Certainly it would be possible to have 1Password contact the server to re-authenticate any time you try to access it, but then you would not be able to access your data without an internet connection. For a lot of people, that's a dealbreaker, but as I said, there may be a use for this in a more limited capacity as well. Cheers! :)

  • @brenty
    By U2F, I'm talking about hardware key authentication such as YubiKeys (native YubiKey, not TOTP).

    For example;
    New PC, Install 1Password, Login, Insert Yubikey, Press Button, Done.

    You could possibly also add it for accessing passwords/vaults as well. Perhaps every x hour that is configurable in the settings.

    You could obviously have it customisable in settings so that users who like you said want to use 1Password offline aren't forced to use it.

    Like I said, inside 1Password, I have all my TOTP for sites like Google, Twitter, etc... But then when it comes to 1Password, I can't really use TOTP with 1Password itself since obviously that won't work.
    I'm currently using TOTP on my YubiKey but it's incredibly impractical and would make more sense to implement it natively like stated above.

  • Ben AWS Team

    Team Member

    Thanks for the feedback. :)

    Ben

  • I think I also want +1 for this, but maybe I don't understand the terminology. :)

    What would be great is if the 1Password iOS app could use a YubiKey NFC for authentication to the app itself. Using the current 1Password - YubiKey integration, a TOTP can be generated by the Yubico Authenticator app on a desktop computer with the key inserted and that number can be manually typed into the 1Password iOS app. However, since the YubiKey supports NFC, the 1Password app could read, not the TOTP, but the Yubico OTP (or potentially whatever is stored in "Configuration Slot 1"). That is what LastPass is doing as they support the Yubico OTP directly vs using a TOTP in the Authenticator app.

    The use case would be something like this:
    For Setup: On my 1Password website account profile, I can add one or more YubiKeys in the "Manage Two-Factor Authentication" area. I believe the 1Password website would potentially need to support U2F for this, but perhaps not, because when pressed, the YubiKey spits out a big long OTP as a USB keyboard - this could go right into the 1Password site.
    When installing 1Password on a new iOS device: I login with Secret Key and Master Password, then instead of getting prompted to enter 6 digits from an authenticator app, I simply touch my YubiKey NFC to the back of the iOS device, it reads it, and I am authenticated to the phone.

    The benefit here, is that the 2nd factor could be required to present every X number of days after setup, and this could be done without an extra computer or app to run Yubico Authenticator.

    Thanks for listening!

  • ag_ana

    Team Member

    Thank you for taking the time to share your feedback @jefflkrueger! And welcome to the forum :)

  • Hello dear 1Password team,

    Can we get a confirmation you are working on a two step authentication, using the YubiKey as the second step?

    I understand, you need to "make well informed well reasoned decisions", but one year later, I hope you have found time to think about this request.

    If it's not possible, just make a clear statement, and we will stop waiting.

    Thanks for your answer and for your great products.

    Regards,
    Florent

  • Lars Junior Member

    Team Member

    Welcome to the forum, @Flaurang!

    Can we get a confirmation you are working on a two step authentication, using the YubiKey as the second step?

    Sorry, no. We don't normally pre-announce new features or release dates as many factors (some beyond our control) affect them. Please stay tuned. 😀

  • Hi Lars,

    Thanks for your quick answer.

    I don't ask for a new feature or release date, but just to know if this is a feature that you don't want or can't implement in 1Password for iPhone ;)

    Regards,
    Florent

  • Lars Junior Member

    Team Member

    @Flaurang - you asked:

    Can we get a confirmation you are working on a two-step authentication, using the YubiKey as a second step?

    Perhaps I misunderstood: if you were referring simply to using a YubiKey to sign into your 1Password account, that feature is already available on every platform but iOS, where Yubico does not make a version of their authenticator app.

    If you were referring to NFC or U2F support, that would indeed be a new feature, and as I mentioned, we don't pre-announce them. :) What I can say is that if we knew a certain feature was something that was a non-starter for us, either because we thought it wasn't right for 1Password or because it was somehow not possible, we would state that publicly whenever asked. We've done this numerous times with other features such as WebDAV support (ownCloud, etc), and we would have done it long ago in this thread if we were certain this was something we won't be doing. Hope that helps. :)

  • You are right, I am referring to NFC support, I am happy with your answer, and will wait for the next versions, to see if they support YubiKey via NFC on iOS.

    Thanks again

  • Lars Junior Member

    Team Member

    :) :+1:

  • Same here! +1 for NFC support on iOS. I read all the previous posts.
    And I am still very disappointed seeing 1Password still not supporting it.

  • ag_ana

    Team Member

    Thank you for the feedback @robertrobertrobert! Any new feature requires careful planning and testing, we don't want to ship anything without being sure it works perfectly. I believe Lars explained this perfectly:

    What I can say is that if we knew a certain feature was something that was a non-starter for us, either because we thought it wasn't right for 1Password or because it was somehow not possible, we would state that publicly whenever asked. We've done this numerous times with other features such as WebDAV support (ownCloud, etc), and we would have done it long ago in this thread if we were certain this was something we won't be doing.

  • +1 for NFC support on iOS. This is a killer feature that is missing from 1P. We need it!

  • Lars Junior Member

    Team Member

    @snibles - thanks for the feedback. :)

  • +1 for NFC support on iOS. Please and thank you.

  • Ben AWS Team

    Team Member

    Thanks @jonnybruges. Welcome to the forum. :)

    Ben

  • +1 for U2F and NFC. I'm migrating from LastPass and this feature was pretty awesome from a usability standpoint. I'm going to have some unhappy users that will need to use Yubico Authenticator to get into 1Password.
