Any plans to add support for YubiKeys via NFC?


Comments

  • Skurfer
    Community Member

    LastPass got something good before 1Password? Now I’ve seen everything. +1

  • Now I’ve seen everything.

    ;)

    Ben

  • hbottjer
    Community Member

    Ah, I think I am understanding a bit more having read through this thread. I also had hoped to use my Yubikey NFC to unlock my 1Password app on my iOS phone. But reading a couple of responses stating that 1Password is more about protecting data through encryption rather than authenticating (even though it is storing authentication data), when I enter my Master Password to get in I am actually entering the encryption phrase used to encrypt the data. So it's not really a Master Password, more my encryption key or passphrase. If that is the case, that I can understand.

    But why then can I use FaceID to unlock the app? It seems to me if I could use FaceID I could use the Yubikey as well.

  • AGAlumB
    1Password Alumni

    @hbottjer: That's a fantastic question, and I am not sure I've seen anyone come out and ask it before. Probably most people are content to just have the convenience of it. Face ID and Touch ID have great security (or we wouldn't use them ourselves either), and they let us use strong passwords without having to enter them all the time -- sort of the best of both worlds.

    The way it works is, crucially, that your face/fingerprint is not used to decrypt your actual data. In order for that to work, 1Password (and any app using these biometric features) would need to get your biometric data. And that's terrifying on so many levels. We don't want that. Instead, biometric information is stored in hardware, the Secure Enclave chip, where even the OS cannot read it. 1Password itself stores its own secret derived from your Master Password in the device Keychain, which can be used to unlock 1Password only when your face/fingerprint is recognized, because the secrets cannot be decrypted without a biometric match, and likewise the data cannot be decrypted without the secrets. Something generated mathematically from someone else's face/fingerprint will be different from what's in the Secure Enclave.

    You can find more information about these as they relate to 1Password on our support site:

    About Face ID security in 1Password for iOS

    About Touch ID security in 1Password for Mac

    Getting back to your earlier comments, while there may certainly be a use for devices like YubiKey, and it's something we'll continue to evaluate with regard to 1Password, it is a bit different than, say, a website which is protected solely by authentication, not encryption, where something like this could play a much more crucial role. :)

  • hbottjer
    Community Member

    Got it. Thanks! I'm okay using biometrics on the phone to gain access; to be honest, using NFC with the iPhone is more a matter of the "cool" factor.

  • AGAlumB
    1Password Alumni

    :) :+1:

  • Aidamina
    Community Member

    Would switch from LastPass to 1Password if NFC YubiKeys would be supported.

  • We have made some progress with U2F:

    Introducing support for U2F security keys

    That said I don't have anything to announce at this time about NFC.

    Ben

  • prime
    Community Member

    @Ben Very awesome! I do have a question, will this eventually work for the desktops and mobile apps? I read:

    So while it works great as your second factor in those browsers, for now you’ll still need an authenticator app set up to use with the 1Password desktop and mobile apps (and any unsupported browsers).

    https://blog.1password.com/introducing-support-for-u2f-security-keys/

  • AGAlumB
    1Password Alumni

    I do have a question, will this eventually work for the desktops and mobile apps?

    @prime: It's a possibility. We'll keep at it. ;) :+1:

    One benefit of U2F may be less reliance on the whole time thing. :lol:

  • twizzhead
    Community Member

    +1 NFC Yubico on iOS. I understand in the past there have been some limitations in iOS 12 that made this solution not very easy to implement. However, given that Apple seems to be moving to open up NFC more with iOS 13, I would hope 1Password would consider adding this feature.
    https://9to5mac.com/2019/06/12/scan-nfc-chips/

  • AGAlumB
    1Password Alumni

    Nothing new to say at this time. We've already said it's something we're evaluating. :)

  • prime
    Community Member

    @brenty, I saw this yesterday :)

  • AGAlumB
    1Password Alumni

    ;) :+1:

  • prime
    Community Member

    @brenty I can’t wait! So I won’t need a TOTP anymore with this?

  • AGAlumB
    1Password Alumni

    @prime: It's good to keep TOTP around as a backup authentication option, in case you lose the dongle (or just don't have it on you). But yeah, you probably won't need to use TOTP if you've got a YubiKey that works with all of your devices. :)

  • Lars
    1Password Alumni

    @prime - be aware that AFAIK the 5Ci YubiKey does NOT have an NFC chip in it. I could be wrong about that, but that's the most-recent information I have.

  • Dennis_van_Lith
    Community Member

    I’m just curious why 1Password did not yet choose to support the NFC version for the iPhone? Support has been out for quite a while already. I know there is a YubiKey coming out which you physically have to mount on the Lightning connector of the iPhone. But as a UX researcher I believe this usability is just a step too much for a simple MFA authentication. A simple tap from a device that’s on your keychain will make things so much easier.

  • AGAlumB
    1Password Alumni

    @Dennis_van_Lith: The SDK does not support NFC for U2F anyway, but we'll see how things develop in the future and continue to evaluate our options. Cheers! :)

  • prime
    Community Member
    edited August 2019

    @brenty

    @Dennis_van_Lith: The SDK does not support NFC for U2F anyway, but we'll see how things develop in the future and continue to evaluate our options. Cheers! :)

    Is there any U2F for NFC for 1Password? I haven’t read too much on this yet (a lot going on), so I might have questions about this.

    This new 5Ci is cool, but it won’t work with my laptop. Now do I get 2 keys, one for the iPhone and one that works with the laptop?

    Edit: my laptop does have USB-C.

    But what if it didn’t, get 2 keys?

  • AGAlumB
    1Password Alumni

    @prime: Not currently, but hopefully that will be possible in the future -- though if we do we're going to proceed cautiously to avoid the types of vulnerabilities that have affected other NFC implementations.

    As far as the specific device to get, I think that's a tough question for almost anybody. :lol: Personally, I'm used to having adapters for this stuff now anyway though, so I would probably just choose based on the main device and then use adapters as needed for any others.

  • CJ2
    Community Member

    @brenty, it looks like Yubico will be adding NFC support for U2F to the YubiKey SDK shortly, so it should be possible in the near term.

    https://www.yubico.com/2019/09/yubico-ios-authentication-expands-to-include-nfc/

  • AGAlumB
    1Password Alumni

    Thanks! We'll have to see how it goes. :)

  • dragonshardz
    Community Member

    I can't seem to find a solid answer on the KB and this is the topmost topic that comes up for a Google search regarding Yubikey NFC support within 1PW mobile apps - does the Android 1PW app support 2FA with an NFC-enabled Yubikey?

  • AGAlumB
    1Password Alumni

    @dragonshardz: Good question! I don't recall it being asked before, but currently NFC is not supported. A Yubikey also requires a WebAuthn-compliant browser to sign into 1Password, so TOTP can be used as a fallback otherwise (e.g. in 1Password for Android). I'll let the team know you're specifically interested in that though. :)

This discussion has been closed.