Does it make my 1PW account safer using a YubiKey?

Mephisto_Pheles
Mephisto_Pheles
Community Member

Hey guys,
I am in the decision buying a Yubikey or not to protect my passwords on 1PW. But then something came into my mind
Right now I am using 2 factor authentication with my phone and Google Authentificator.
But when I am using a YubiKey its after all possible to avoid it by clicking on "Choose another option" and then use the Mobile Authentificator instead. So whats the difference ?? In which way does it make my account more safe??


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited July 2019

    Does it make my 1PW account safer using a YubiKey?

    @Mephisto_Pheles: Two-factor authentication can be really important for things which are protected only by authentication. But since 1Password's security is based on encryption, it is less critical and protects only against a very specific type of attack: someone having all of your account credentials except your second factor.

    But when I am using a YubiKey its after all possible to avoid it by clicking on "Choose another option" and then use the Mobile Authentificator instead.

    No.

    So whats the difference ?? In which way does it make my account more safe??

    The benefit is the same whether you use a U2F dongle or TOTP, so it's more a matter of personal preference. You don't have to choose between them though; you can use both for your account. :)

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Hi @Mephisto_Pheles, I'm going to slightly modify what my colleague @brenty has said, though I'll also repeat most of it as well (as it is mostly correct.)

    As he correctly noted we need to separate out two separate questions. The security gain of using 2FA for signing into 1Password and the relative security of U2F and TOTP.

    Security gain of 2FA for signing into 1Password

    This is probably the toughest part of the implied question. When you enter your Master Password (and Secret Key) you are doing two things at once. You are signing into 1Password and you are unlocking 1Password. This is a distinction that we hide from the user as it just makes things more confusing.

    • Signing in means proving to 1Password.com that you are who you are and that you can received your encrypted data from our servers.
    • Unlocking means deriving the cryptographic keys needed to decrypt your encrypted data (whether or not a copy of that encrypted data is stored locally).

    2FA, in whatever form only adds to the security of signing in. This is why we insist that even you you used a dozen different factors, you still need a strong Master Password. 2FA does not protect you if someone gets your encrypted data from your own machine. So whatever protection 2FA adds to signing into 1Password it does not allow you to get away with a weaker Master Password.

    This can be a useful protection. If someone phishes you (tricks you into "signing in" to a fake malicious 1Password look-alike page) and gains your Master Password and Secret key, they still will not be able sign in without also compromising the second factor. So even though they will have enough information to decrypt your encrypted data, should they get it, our server won't give it to them.

    So there is a value to using 2FA for signing into 1Password. It is a different sort of value than how 2FA works with other services. In particularly, using 2FA for signing into 1Password does not mean that you can get by with a weaker Master Password.

    TOTP v U2F for 1Password sign-in

    If you decide to use 2FA for signing in to 1Password, U2F is more secure. There are attacks on TOTP that will not work against U2F. For example, it is possible for a phishing site to obtain the one time (6 digit code) used by TOTP. With U2F there isn't. With U2F the web page also has to prove to your device that it is who it says it is. The further reduces the threat of phishing.

    Using U2F on the desktop and on some devices is much easier than using TOTP, though it can be much harder on other devices. So that has to play a role in your decision.

    U2F also costs more. You need to buy at least two devices (you will need to keep a backup device somewhere in case you lose the one you more regularly use.) For some people the additional cost will be worth it, and for others it won't be.

    So from a security perspective, U2F is better than TOTP. But there may be practical and financial reasons to prefer TOTP. But in either case, remember that 2FA only protects the sign in process. It does not protect unlocking data already stored on the same device. So whatever 2FA mechanism you choose, have a good, unique Master Password.

  • Mephisto_Pheles
    Mephisto_Pheles
    Community Member

    So a YubiKey, a U2F , only gives an unauthorized device more protection and protects my account from "attacks" from outside, because as I take it, on all the devices I already logged in, like my Home PC (Mac), Tablet and Phone, there is only my masterkey needed to get access. (??)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Mephisto_Pheles: Goldberg is right. I glossed over this a bit:

    So whats the difference ?? In which way does it make my account more safe??

    The benefit is the same other you use a U2F dongle or TOTP

    As I was thinking of it in terms of "to 2FA or not to 2FA", as I misunderstood the context of your question:

    Does it make my 1PW account safer using a YubiKey?

    Sorry! His answer is much clearer:

    So from a security perspective, U2F is better than TOTP. But there may be practical and financial reasons to prefer TOTP. But in either case, remember that 2FA only protects the sign in process. It does not protect unlocking data already stored on the same device. So whatever 2FA mechanism you choose, have a good, unique Master Password.

    I think that also addresses your more recent question:

    So a YubiKey, a U2F , only gives an unauthorized device more protection and protects my account from "attacks" from outside, because as I take it, on all the devices I already logged in, like my Home PC (Mac), Tablet and Phone, there is only my masterkey needed to get access. (??)

    But to answer directly, this goes back to my original comments:

    Two-factor authentication can be really important for things which are protected only by authentication [i.e. signing into your account]. But [...] 1Password's security is based on encryption

    Two-factor authentication of any kind -- whether U2F or TOTP -- is not involved at all with the data on your devices. That is protected using encryption. If someone steals your device, they do not need to sign into the server to get your encrypted data; they already have it. So at that point, what is protecting your data is the Master Password you used to encrypt it. But as long as you use a long, strong, unique Master Password, you're in good shape. Two-factor authentication means that someone would be unable to sign in on a new device without your second factor. :)

  • Mephisto_Pheles
    Mephisto_Pheles
    Community Member

    Alright thank uuuu, that helps me a lot ^^

    Last question, is it advisable to change the master password over time? Like my computer science teacher says, a pw should be like a toothbrush : only used by oneself and changed over a period of time xD

    I know why he said it to our class, like when servers got hacked and passwords been leaked or got found out by someone however, it takes months or even years till they been sold on the black market. And when I change my pw every half a year , I should be in the safe side, shouldn't I ?

    Like I've got a Apple-only Setup with a Mac and iOS devices and as far as I know , they've got a pretty closed OS system which shouldn't be as vulnerable as windows systems..

    Is it then better to just have one very strong and long master key forever? ^^'

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Mephisto_Pheles: You're welcome! Glad to be able to help. :chuffed:

    There are three (good) reasons to change a password:

    • Weak: easy to guess, either by a human or a machine
    • Reused: easier to find out, because it's being used elsewhere
    • Compromised: someone else has it, and therefore could use it

    There is, of course, a fourth (bad) reason to change a password:

    You're right that there can be mitigating circumstances why you might want to change a password otherwise...but they don't apply to 1Password because your Master Password is never transmitted to us or stored. So even if we were attacked, it couldn't be stolen from us in a breach.

    So, yes, if you have a long, strong, unique Master Password already which only you know (not weak, reused, or compromised), there is no need to change it. I'm hesitant to say "forever", but certainly if it's already sufficiently strong and you haven't told it to anyone else or entered it on an untrusted device, there's no need. Changing it would mean having to re-memorize and get used to typing it, and that would understandably encourage anyone to use a weaker password than they would otherwise. We're only human, after all. :)

  • 1pwuser31547
    1pwuser31547
    Community Member

    Brenty: “There is, of course, a fourth (bad) reason to change a password:
    Expiration: a misguided/antiquated policy requires you to change it”

    From the article : “No more expiration without reason. This is my favourite piece of advice: If we want users to comply and choose long, hard-to-guess passwords, we shouldn’t make them change those passwords unnecessarily.
    The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack”

    This is true for the 1PW MP for the reasons Brenty points out.
    However for other passwords they probably should be changed because you may not know if your account(s) is/are compromised (the attacker may not immediately use the compromised credentials).

    Also using a password manager like 1PW to change passwords is so effortless.
    The only effort is the limitation imposed by those accounts that say you can use only this or that symbol..

    (By the way, the password generator could be enhanced by having this customizable feature for symbols since certain websites impose these stupid limitations)

    This article, I think, refers to complex passwords that you have already (and need to) committed to memory.

  • 1pwuser31547
    1pwuser31547
    Community Member

    There’s no reason not to use U2F as your 2FA as being phished is your biggest threat to authenticating sign in.
    U2F is, so far, immune to most if not all current phishing threats.

    For example , check out one of the latest phishing tools created by a cyber security researcher in Poland.

    “Modlishka is a reverse proxy that sits on a server that hosts a phishing domain that resides between a victim’s cloud-based email account and the victim’s device. The attacker spoofs the target domain, such as a VPN or webmail portal which then sits on the server, and then as the victim sends information through to the fake domain the tool is able to track and log the content. However, it does not set up a fake version of the site, but in fact allows the real site to send information to the victim which is intercepted by Modlishka.”

    It's also known that the reverse proxy sends 2FA tokens that can provide access to the target website’s IT infrastructure.

    “But, according to Piotr Duszyński, the only surefire way to protect against a bypass of multi-factor authentication is to adopt Universal Two-factor Authentication”

  • AGAlumB
    AGAlumB
    1Password Alumni

    However for other passwords they probably should be changed because you may not know if your account(s) is/are compromised (the attacker may not immediately use the compromised credentials).

    @1pwuser31547: I don't disagree, but I'm not sure that is actionable since the user in that scenario has no way of knowing that is the case. Perhaps I should have phrased it this way instead:

    Compromised: you have reason to believe someone else has it, and therefore could use it

    Also using a password manager like 1PW to change passwords is so effortless. The only effort is the limitation imposed by those accounts that say you can use only this or that symbol..

    I wish it was the case that changing passwords was effortless, and that password requirements imposed by websites were the only obstacle. But even as someone who is testing websites ever day to help improve 1Password for our customers, I often have trouble even finding where to change a password on many websites. I can't imagine how much of a hassle it is for others who do this less frequently. :(

    (By the way, the password generator could be enhanced by having this customizable feature for symbols since certain websites impose these stupid limitations)

    It's something we can continue to evaluate, but it does come up less and less nowadays in actual use, partly because websites are getting better about this, but also because we've changed the symbol set 1Password uses to be compatible with more sites.

    There’s no reason not to use U2F as your 2FA as being phished is your biggest threat to authenticating sign in. U2F is, so far, immune to most if not all current phishing threats.

    You're right that U2F can help protect against a certain class of attacks, but an attacker could go around it and use a phishing scam to infect a user's device to get to their data that way instead. So I think we need to be realistic about the security benefit it can offer. On the other hand, there are very good reasons for users not to use U2F at all: cost, usability, and potential for getting locked out of their own data. So it's not something that's a good fit for many people at this time, though if costs come down that may solve the first and last problems (by having multiple dongles as backups), and hopefully it will be easier to usein the future as well.

    So while I agree that there are clear security benefits of U2F, for many users the costs -- both literally and figuratively -- are high enough to outweigh those, unfortunately.

  • 1pwuser31547
    1pwuser31547
    Community Member

    I meant to say:

    However for other passwords they probably should be PERIODICALLY changed as the attacker may not immediately use the gained credentials. Most of the time the public is unaware of a data breach until much later, as many recent examples demonstrate.

    The threat model relevant to most people is being phished into a malicious site and revealing credentials. U2F obviously protects against that.

    True, if malware has bypassed your antivirus software and made it to your device then nothing will protect you. Game over.

    However, there’s no threat that TOTP protects against that U2F doesn’t (that I’m aware of). The opposite is of course not true.

    Ideally they can be combined (like you guys do)- so if you lose the token, TOTP is available for account access.
    As you say, purchasing a few tokens will mitigate if not eliminate this risk. Being only 20$, that’s a small price to pay for protection against threats against which TOTP fails.
    Usability is definitely easier on a desktop with USB port and carrying around a piece of hardware is inconvenient- again a small price to pay, IMHO.

  • AGAlumB
    AGAlumB
    1Password Alumni

    However for other passwords they probably should be PERIODICALLY changed as the attacker may not immediately use the gained credentials. Most of the time the public is unaware of a data breach until much later, as many recent examples demonstrate.

    @1pwuser31547: The problem is that you have no way of knowing what time frame you have to act in that case. Are you going to change all of your passwords every day? Every hour? There's nothing to say that a website where you have an account isn't being breached as we speak, and if you're lucky you'll find out about it someday. I just don't see that it's feasible for anyone but those with accounts with only a handful of sites to change all their passwords even weekly. And in the vast majority of cases it isn't necessary or actionable. Using a strong, unique password for each each site, and changing them as needed, is actionable. The other way lies madness, and not getting anything else done.

    The threat model relevant to most people is being phished into a malicious site and revealing credentials. U2F obviously protects against that.

    Sure, if 1) you can afford it, 2) you use it, and 3) it isn't lost, stolen, or destroyed. In any of those cases it is useless. That's nothing against the standard, just the reality. Otherwise everyone might be using it now. In practice, very few people do.

    True, if malware has bypassed your antivirus software and made it to your device then nothing will protect you. Game over. However, there’s no threat that TOTP protects against that U2F doesn’t (that I’m aware of). The opposite is of course not true.

    :+1:

    Ideally they can be combined (like you guys do)- so if you lose the token, TOTP is available for account access.

    I wouldn't characterize it as a weakness, but while that's a good contingency plan, it does mean that there is potential for someone who normally uses U2F to fall prey to a reverse proxy attack like you mentioned above. One "solution", of course, is to not ever use TOTP (destroy the secret) and rely solely on U2F. But that increases the risk of you getting locked out instead. It's all about choices, depending on what makes the most sense for you as an individual with your specific security needs. That's really what matters, and why I don't think you or I can say that everyone should use U2F. Many simply can't.

    As you say, purchasing a few tokens will mitigate if not eliminate this risk. Being only 20$, that’s a small price to pay for protection against threats against which TOTP fails. Usability is definitely easier on a desktop with USB port and carrying around a piece of hardware is inconvenient- again a small price to pay, IMHO.

    They're not 20$ for people with iPhones though, and that's a lot more people than have computers nowadays. But again, hopefully usability and availability will improve over time -- though I don't personally feel like even the latest Yubikeys are accessible to normal people any more than they were over a decade ago when I bought the first model. There has been progress though, so perhaps in the future it will get to the point where it's something I could recommend to more people. :)

This discussion has been closed.