6 digit code from YubiKey is not accepted by 1Password 7 OSX app

sirwio
Community Member

Have configured 2FA and have added a YubiKey 5Ci. It works as expected when authenticating on the 1Password app on iOS.

However on OSX when authenticating to the 1Password 7 app it does not accept the 6 digit key provided by the yubico. Can however authenticate using the authenticator app on my iPhone.

Is this a known issue or have I missed some configuration step?


1Password Version: 7.3.2
Extension Version: Not Provided
OS Version: OS X 10.14.6
Sync Type: Not Provided

Comments

  • Ben

    Hi @sirwio

    Most issues with TOTP result from an issue with the time / date / timezone set on your devices. Could you please make sure that all devices are syncing with an internet time server and that those values match on each device?

    Ben

  • sirwio
    Community Member
    edited October 2019

    Date and time is synchronised vs time.euro.apple.com. Retested once again. The OTP code provided by touching the plugged in YubiKey is not accepted by the 1Password app on OSX. Only way to get authentication to succeed is to provide the code provided by the authenticator application registered (in my case Authy).

    Another issue found when troubleshooting this issue is described below.

    I realise that the primary use case of enabling 2FA is that any new device accessing the account would have to provide both master account password and the second factor authentication. However, what is troubling me is that if one does require 2FA at next login on an already authorised device, it is still able to reveal passwords on that device without having to succeed with the 2FA authentication. To me it appears as a design flaw in the 1Password app providing access to locally stored data in this use case.

  • Ben

    @sirwio

    > Date and time is synchronised vs time.euro.apple.com. Retested once again. The OAUTH-TOTP code provided by touching the plugged in YubiKey is not accepted by the 1Password app on OSX.

    It may be the case that there is a feature of the Yubikey I'm not familiar with, but my understanding is that the Yubico Authenticator app is needed to generate TOTP codes from the Yubikey on a Mac. Is that what you're doing, or could you please elaborate on how you've got this set up?

    > Only way to get authentication to succeed is to provide the code provided by the authenticator application registered (in my case Authy).

    I take it that the two are generating different codes? They shouldn't be. Only one code is valid at any given time. So if Authy says the code at 1:00pm is 000001 and the Yubikey says the code at 1:00pm is 000002 then one of them is generating the code incorrectly or the TOTP secret is stored incorrectly.

    > I realise that the primary use case of enabling 2FA is that any new device accessing the account would have to provide both master account password and the second factor authentication. However, what is troubling me is that if one does require 2FA at next login on an already authorised device, it is still able to reveal passwords on that device without having to succeed with the 2FA authentication. To me it appears as a design flaw in the 1Password app providing access to locally stored data in this use case.

    Correct; and that is very intentional. Otherwise offline access to 1Password data would not be possible. I've posted about this in more depth here:

    https://discussions.agilebits.com/discussion/comment/524218/#Comment_524218

    Ben
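
The point in the reply above (only one code is valid per time step, so two generators disagree only when their clock or their stored secret differs) can be checked directly. This is an added example, not part of the original thread and not 1Password's or Yubico's code: a minimal RFC 6238 TOTP generator plus a hypothetical `diagnose` helper that reports which clock offset, if any, explains a rejected code. The secret and timestamps are the RFC 6238 test values.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (HOTP over the time-step counter)."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def diagnose(secret: bytes, code: str, server_time: int, max_steps: int = 10):
    """Return the clock offset in seconds of the step that produced `code`.

    0 means the generator is in sync with the server. None means no step in
    the search window matches: the generator holds a different secret, or
    the submitted string is not a TOTP code for this account at all.
    (Hypothetical helper for troubleshooting, not a login check.)
    """
    for k in sorted(range(-max_steps, max_steps + 1), key=abs):
        if hmac.compare_digest(totp(secret, server_time + k * STEP), code):
            return k * STEP
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret
    server_now = 1111111111            # RFC 6238 test timestamp

    # Constructed case 1: authenticator in sync with the server.
    print(diagnose(secret, totp(secret, server_now), server_now))

    # Constructed case 2: authenticator clock is one step (30 s) behind.
    print(diagnose(secret, totp(secret, server_now - STEP), server_now))

    # Constructed case 3: the submitted string is not a TOTP code.
    print(diagnose(secret, "not-a-totp-code", server_now))
```
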

  • sirwio
    Community Member

    Between my first comment and your response I realised that I had written

    > The OAUTH-TOTP code provided by touching the plugged in YubiKey is not accepted by the 1Password app on OSX.

    Of course I meant the OTP code. Which was edited in between our posts. Sorry about that confusion.

    I am not using the YubiKey Authenticator on Mac. That does work, but then one is simply using a 2FA authenticator and not a 2FA device. Instead of adding Authy as 2FA app one could use the YubiKey Authenticator.

    > but my understanding is that the Yubico Authenticator app is needed to generate TOTP codes from the Yubikey on a Mac

    Since there is an option on my account to add a YubiKey device I got the impression that it's supported. If OSX is not supported then what 1Password applications and operating systems do support a YubiKey device?

    I have full understanding of the design decisions behind enabling offline access to 1Password data.

  • Ben

    > Since there is an option on my account to add a YubiKey device I got the impression that it's supported. If OSX is not supported then what 1Password applications and operating systems do support a YubiKey device?

    We support the U2F standard for YubiKey when using the 1Password.com web interface with a supported browser, and also when connected to an iOS device via the Lightning port (does not work over USB-C). That is what you're enabling when you add a YubiKey via 1Password.com. This is different from TOTP. You can read more about our U2F support here:
    https://support.1password.com/yubikey/

    U2F doesn't work with 1Password for Mac, yet. 1Password for Mac requires TOTP.

    As far as I'm aware accessing TOTP information on macOS from a YubiKey requires the Yubico Authenticator app:
    https://support.1password.com/cs/yubikey-totp/

    I'm honestly not sure what is happening when you're using the YubiKey and activating it via the push button without the Yubico Authenticator app.

    Does that make sense?

    Ben

This discussion has been closed.