Can password managers use the WebAuthn API?

HHACU
Community Member
edited February 2019 in Lounge

Hi everyone,

Microsoft announced a while ago that Web Authentication for Edge and other browsers already supports WebAuthn authentication.

And Google announced it for Android devices: https://www.wired.com/story/android-passwordless-login-fido2/

But these solutions are dedicated to the ecosystem owner. It makes more sense if we can use our chosen password managers.

Best regards.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • HHACU
    Community Member

    I guess that was a little bit of an odd question :|

    I just fiddled around with the YubiKey demo: https://demo.yubico.com/playground On Microsoft Edge, Windows Hello pretends to be a key and you can log in with a PIN. On Android, fingerprints pretend to be a key. But they are listed as separate keys.

    I was just wondering whether password managers can access the WebAuthn API and can store registered challenges/keys.

  • AGAlumB
    1Password Alumni

    It's still too early to tell if/how it might be a good fit for 1Password, but it's definitely something we're following as it develops. :)

  • dbm1175
    Community Member

    All the major browsers now support WebAuthN. I'd definitely like to see 1Password support for their site.

  • Thanks @dbm1175. It is probably still a little early for us — Safari doesn't even have support for it yet except in Safari Technology Preview. But we'll definitely keep an eye on it and see if there is any way in which it might be a good fit for 1Password.

    Ben

  • jpgoldberg
    1Password Alumni

    I think that there are two possible questions that are being asked, but it is important to separate them.

    1Password as a U2F device

    One question is whether 1Password can act as a U2F device. That is, can it play the role of a (typically) hardware-based thingy like a Yubikey or a device secure enclave?

    The answer to this is "not with current technology". One of the requirements of U2F devices is that the long-term secrets that they store can never be extracted from them. They must be deeply tied to the hardware. If, as with 1Password, you can move your secrets from one device to another through syncing, then that violates one of the fundamental requirements of a U2F client.

    This means that if we were able to turn 1Password into a U2F client, those secrets would not synchronize. They would have to be tied to the device you created them on. This still might be a useful thing to people, as we could help with the authentication flow, but we would be limited by the extent to which we can help you manage such secrets.

    WebAuthn for signing into 1Password

    I believe that others are asking about whether we can offer WebAuthn (in addition to or as a replacement for TOTP) for setting up a new device for your 1Password account.

    First let me remind everyone that to unlock 1Password on your own device where you already have your 1Password data does not require any authentication to 1Password.com. That is purely local decryption, and so there is no authentication component. Having something that (looks like) 2FA for local unlocking is pure security theater.

    However, when setting up 1Password on a new device or when connecting via the web browser, there is a necessary authentication component. And so these are places where it is reasonable to consider a second factor for such authentication. And it is for the former case (setting up a new device) that we do offer TOTP. So the question here is: can we use U2F in this case as well? Yes. It is something that we are capable of doing and it makes a reasonable amount of sense.

    So why haven't we done it (yet)?

    There are a few reasons that we haven't offered U2F requirements for setting up a new device.

    • A very large number of our users use 1Password on iPhones. And there is, as yet, no nice way to get this to work there. Yes, we are aware of Titan keys working through LE Bluetooth for iOS, but when these were first introduced we had some concerns about whether a sufficiently secure protocol could work reliably over low energy Bluetooth. (As it turns out, we were correct to be skeptical).
    • We also don't want the experience to be radically different from one kind of mobile device to another. So for mobile, we've been waiting for the technology to mature in that respect as well.
    • Concern that it would encourage weaker Master Passwords. As I said above, U2F will do nothing for you if an attacker gets a copy of your encrypted 1Password data from your computer or device. The strength of your Master Password is your primary defense. Anything that would lead people to use weaker Master Passwords would weaken their security. Yet for every other service that people use U2F for, they can get by with weaker passwords as a result. So we'd need to find a way to ensure that people don't treat the use of it in our case as similar to all of the other cases they use it for.
    • Other misunderstandings of the security provided by U2F. We've encountered people who believe that using a strong second factor would make it safe for them to unlock 1Password on a compromised computer. So we have to consider whether the actual security gain of a strong second factor in our case (not the perceived gain) is worth the risk of leading people to engage in very unsafe behavior.
    • Confusion over resets: We struggle to communicate that we cannot reset Master Passwords or Secret Keys. It is very important that people understand that, but it is different than almost every other service people use. But we can reset second factor requirements. This muddles the message and also puts us into the position of having to make decisions about which reset requests to honor.

    Those reasons don't mean that we won't ever offer U2F for signing in from a new device, but I hope that they explain why we didn't jump on the possibility immediately and why we are being cautious.

  • james_browning_canva
    Community Member
    edited October 2019

    Regarding signing into 1Password with WebAuthN, on iOS unlocking with Touch ID is already supported. Is it possible to support the same sort of flow in 1Password X using WebAuthN?

    Convenience wise this would be huge given I typically take about 4-5 attempts to unlock 1Password due to typos.

    I even think it has clear security benefits too:

    • For one, after hitting Ctrl-Alt-X I generally just start typing. I would be unlikely to notice if Ctrl-Alt-X was intercepted by a web page and a phishing input was shown until it was too late.
    • Secondly, because of the repeated attempts due to typos I have both a very high auto-lock time and don't use auto-lock on screen lock, to avoid having to retype it so many times a day. However, I don't have any issues using Touch ID multiple times on my phone because it's just so significantly more convenient.
  • james_browning_canva
    Community Member
    edited October 2019

    Will WebAuthN be supported in 1Password X in order to unlock? 1Password on iOS already supports Touch ID so it would be nice for 1Password X to support the same.

    This would be a considerable improvement over entering a password just for convenience, as I typically need 4-5 attempts just to unlock. Because of this I've set the auto-lock time quite high, to a few hours, and disabled auto-lock when the device is locked, purely because of how inconvenient unlocking is.

    I think it'd even have a second benefit against phishing. Even when I do need to log in, after hitting Ctrl+Alt+X I generally just start typing once the dialog appears; however, if a webpage were to phish on Ctrl+Alt+X keybindings and display a phishing dialog, I probably wouldn't notice for a few seconds. WebAuthN can't be phished in such a way.

  • ag_ana
    1Password Alumni

    @james_browning_canva:

    If you install 1Password X Beta for Chrome, we are currently beta-testing desktop app integration on Mac there, so you could unlock the extension with Touch ID ;)
