How do I configure 2FA to ONLY utilize U2F?

Azes
Community Member

I want to configure 2 factor authentication to only work with my U2F security keys.

I specifically don't want the code from an authenticator app to be an option for 2 factor authentication for my 1Password account.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:u2f

Comments

  • Hi @Azes

    That isn't currently possible because not all of our clients support U2F yet. If you didn't have TOTP you’d be locked out of every one of our native apps. As we continue to iterate on the feature it may be possible in the future.

    Ben

  • Azes
    Community Member

    Ben,

    Using a code from an authenticator app is fine for users that don't have U2F configured.

    But for those that do, being able to bypass U2F with a code from an authenticator app kind of defeats the purpose and extra security that U2F affords.

  • Thanks for taking the time to share your perspective @Azes.

    Ben

  • 1pwuser31547
    Community Member

    Hi Ben.
    So to clarify, if I have 2FA enabled (TOTP) and I remove it and try to add a Yubikey, the system won't allow this? I must enable a soft token first before being able to register a hard token U2F?

    I agree with Azes that being able to bypass U2F with a TOTP 2FA does defeat SOME of the extra security afforded by U2F, specifically the risk, albeit very small, of a database breach at 1PW where the TOTP seed is stored (I assume encrypted at same level as one's own stored data).
    However, using the U2F instead of the TOTP (even if still enabled as it apparently is on 1PW) still does significantly reduce the phishing threat which is a much bigger threat than a database breach.

    But yes ultimately, it would be better from a security standpoint if TOTP could be deactivated and one could use the U2F as the sole 2FA option. Since one can register as many tokens as one wants, the risk of being locked out should be no different than having the app generated TOTP.
    Additionally, I think it would make people who may be nervous about storing passwords on-line less so (even with all the security protocols in place) and perhaps attract more customers for 1 PW. Everyone wins!

    I hope 1PW will allow this U2F-only option soon.
    Thanks

  • Hi @1pwuser31547

    So to clarify, if I have 2FA enabled (TOTP) and I remove it and try to add a Yubikey, the system won't allow this? I must enable a soft token first before being able to register a hard token U2F?

    Sort of. I don't see why you couldn't also use the Yubikey to generate TOTP codes. So while TOTP is currently required for U2F with 1Password I believe it is possible to use the Yubikey to do that (while also using it to do U2F). I haven't had an opportunity to test this personally, but I don't see why it wouldn't work. If you want a Yubikey-only option it may be worth a try. I'd still recommend printing the QR code for the TOTP secret in case you lose or damage that Yubikey and need to set up a new one.

    I would suspect that other U2F keys might offer the same capability.

    I agree with Azes that being able to bypass U2F with a TOTP 2FA does defeat SOME of the extra security afforded by U2F, specifically the risk, albeit very small, of a database breach at 1PW where the TOTP seed is stored (I assume encrypted at same level as one's own stored data).

    2FA doesn't protect against an attacker that is able to steal your encrypted data. If someone were able to steal that data from us then your Secret Key (as well as your Master Password) would protect you:

    About your Secret Key

    But if they steal it from you they're also going to be able to steal the Secret Key. In that case a strong Master Password is essential, and is what will protect your data.

    2FA is a second step in obtaining the encrypted data from the server only. It isn't involved in the encryption of your data, and doesn't protect data that has already been downloaded to your device (e.g. if your device is stolen).

    But yes ultimately, it would be better from a security standpoint if TOTP could be deactivated and one could use the U2F as the sole 2FA option. Since one can register as many tokens as one wants, the risk of being locked out should be no different than having the app generated TOTP.

    While in theory that is true there are two issues with that:

    1. None of the 1Password client apps support U2F at this point, so without TOTP enabling U2F would prevent you from signing in from any of 1Password for Mac, 1Password for Windows, 1Password for Android, or 1Password for iOS.
    2. I would not suspect that the majority of people have multiple U2F keys available to them. It is much more likely that they have a U2F key and a smartphone.

    That isn't to say that as the technology becomes more prevalent (including within our own apps) we won't reconsider. This is a "right now" answer, not a "going forward" answer. :)

    Additionally, I think it would make people who may be nervous about storing passwords on-line less so (even with all the security protocols in place) and perhaps attract more customers for 1 PW. Everyone wins!

    While I have no doubt that you are correct, we want to be very cautious about the claims we make about the security of people's data. It is important to us that it is clear to people what protections something like U2F actually offers. There are many folks who believe that 2FA is some sort of silver bullet, and that with it you're completely protected and it doesn't matter if you use a weak or reused password. That just simply isn't true, and we don't want to further foster, or onboard customers under, those types of false beliefs. There are some benefits to 2FA, but it is not the be-all-end-all that some have come to think it is. The scope of attacks it actually protects against is much narrower than commonly held belief.

    Ben

  • Azes
    Community Member

    Ben, I see from the latest newsletter that for business accounts you guys are giving administrators the ability to allow or deny the use of authenticator apps (i.e. Google Authenticator) as a form of two factor authentication - https://blog.1password.com/introducing-advanced-protection/

    Why is this option not available for personal accounts? I'm not happy with this at all. It's been 3 months and you guys are still FORCING ME to allow an authenticator app as a form of two factor authentication for MY account. I only want to allow U2F security keys for MY account!

  • AGAlumB
    1Password Alumni

    Why is this option not available for personal accounts?

    Because they don't have the added features and permissions we've built for 1Password Business. You're free to upgrade if those things are important to you.

    It's been 3 months and you guys are still FORCING ME to allow an authenticator app as a form of two factor authentication for MY account.

    That's not the case. Simply don't save your TOTP secret anywhere and don't use it. No one is forcing you to do that.

    However, keep in mind that, as Ben mentioned above, U2F is not ubiquitous, so make sure that you're able to use it everywhere you need to so you don't lock yourself out of your account.

  • prime
    Community Member

    @brenty am I able to use U2F for families with no issues?

    Soon I want to try this :)

  • AGAlumB
    1Password Alumni
    edited October 2019

    @prime: You'd still need to use TOTP to sign into the apps, but it should work in Chrome, Firefox, Brave, and Microsoft Edge. Safari 13 is supposed to support it, but it doesn't seem to yet, so I think it may be dependent on some things in Catalina. Haven't been able to find any information on that though. 1Password for iOS supports Yubico's new 5Ci though.

  • 1pwuser31547
    Community Member

    How exactly is the TOTP seed (alphanumeric and QR code) stored on the servers?
    What is the usual practice industry wide?
    Are they permanently stored elsewhere after a period of time?
    Is it stored encrypted and then decrypted after user log in?

    I’ve read some forums saying that it can not be stored encrypted/hashed because it needs to be decrypted to generate the codes.

    How is the seed stored in the Authenticator app in iOS? Is the seed stored in iOS Keychain?

    Can it be extracted by a malware attack?

    I wonder if it’s worth storing the codes on another older phone disconnected from the internet.

    Thanks!

  • 1pwuser31547
    Community Member

    Let me clarify: I’m talking about the 2FA seed for 1PW account log in

  • 1pwuser31547
    Community Member

    OK. I see Mr Goldberg’s excellent explanation on Feb 4 about this topic.
    Sorry, I should have researched more before submitting.

  • No worries; thanks for the update. :+1:

    Ben

This discussion has been closed.