Stuck asking for FIDO key on iOS - can't use TOTP code instead

rwintle
rwintle
Community Member

Hi,

Yesterday I got a FIDO security key and immediately set it up to authenticate me with 1Password on the web (I have a business account).

Today when I open 1Password on my iPad I get a "Plug in key" screen with a cancel button. I can't plug my key in to my iPad because it doesn't have Lightning port compatiiblity. But I can't see a way to use a TOTP (authenticator app) code instead. All I can do is cancel, and then it asks me again the next time.

What am I doing wrong here? How can I get rid of the Plug In Key screen on my iPad and use an authenticator app code instead?

Thanks


1Password Version: 7.4.2
Extension Version: Not Provided
OS Version: iOS 13.3.1
Sync Type: 1Password account

Comments

  • Hi @rwintle,

    That's odd. You shouldn't be able to set up U2F without first setting up TOTP. If you turn U2F off, does TOTP work?

    Ben

  • rwintle
    rwintle
    Community Member

    I did set up TOTP first on the web app. I think my iPhone gave me an option to use TOTP instead of U2F but the iPad didn’t. I’ll turn U2F off and step through bit again and let you know what happens.

  • rwintle
    rwintle
    Community Member

    OK. Here's my walkthrough:

    1. Log in on the web and disable U2F key
    2. iPad now asks for TOTP code instead of UTF key
    3. iPhone doesn't ask for anything other than master password
    4. Back on the web, add the U2F key again
    5. Neither iPhone nor iPad ask for any second factor now - I guess they've both done their 2 Factor auth and it's not needed again

    I want to try and replicate what happened before so I'm going to have a go at disabling 2-factor entirely and starting again

  • rwintle
    rwintle
    Community Member

    So - here we go:

    1. Turn off two factor entirely through the web interface
    2. Re-enable 2FA using TOTP through the web interface
    3. Re-add U2F key
    4. Open iPhone app - it asks for the master password/touch ID and then the Key. I press cancel and it prompts for the TOTP code. I enter TOTP code and I'm in.
    5. Open iPad app, it asks for master password/touch ID and then the Key. I press cancel and it asks for TOTP code. I swear this didn't happen before - pressing cancel just closed the 2FA prompt and I could only get a prompt for the key.

    Oh well, the iPad is OK now.

    As a step 6 I did:

    1. Open the MacOS app - this asked me for a TOTP code, not the U2F key. Does the Mac app not support U2F yet?

    Thanks

  • Does the Mac app not support U2F yet?

    Correct.

    I swear this didn't happen before

    I believe you. :)

    Oh well, the iPad is OK now.

    I'm glad to hear it worked out. We'll keep an eye out for similar reports in case there is a bug in the process somewhere. :+1:

    Ben

  • RenaldoW
    RenaldoW
    Community Member

    I had a similar experience 2 days ago on my iPhoneX. I have a family account and had set up U2F for me a few weeks ago. On the iPhone, I use FaceID. So far, both worked perfectly fine. 2 days ago, 1Password on the iPhone asked me to plug in the key. Canceling it somehow proceeded to the FaceID based authentication. This happened 2-3 times in a row. I’ve not experienced it since.

  • Thanks for letting us know @RenaldoW. Can you please confirm your data is syncing to all of your devices?

    Ben

  • RenaldoW
    RenaldoW
    Community Member

    Confirmed. Syncing is working just fine across all devices (including items in the shared family vault)

  • Great; thank you.

    Ben

  • Anki
    Anki
    Community Member

    I ran into this as well just now. It asked me to plug in my key but I can't because it's a USB key. When I hit cancel as described above it let me put in my TOTP instead. I would suggest changing this confusing UI so instead of it demanding a key and then allowing a TOTP on Cancel it would just offer either option.

  • Thanks for the suggestion, @Anki.

    Ben

  • fainpablo
    fainpablo
    Community Member

    I'm having a similar issue. I had a YubiKey 5Ci (USB C + Lightning) configured on my 1Password account. Today I replaced that key with a YubiKey 5 (USB + NFC), in addition to a YubiKey 5C (USB C only) I already had. My current 2FA setup is: TOTP + 2 security keys as you can see in the image.

    Then I signed out on the app and, when tried to sign back in, I was asked to "Plug in key". Of course I can cancel the popup and type the TOTP, but I was expecting to be asked to scan the NFC key.

  • @fainpablo,

    1Password doesn't do NFC. The only U2F we support on iOS is though the Lightning port, with the Yubikey 5Ci. The YubiKey 5C cannot be used with 1Password for iOS for U2F.

    From our Use your U2F security key as a second factor for your 1Password account guide:

    You can use your security key as a second factor for your 1Password account:

    • on 1Password.com
    • on your iPhone or iPad with a Lightning port (YubiKey 5Ci required)

    (emphasis mine)

    Ben

  • fainpablo
    fainpablo
    Community Member

    I would swear to have read that 1Password already had NFC support on iOS. Jeez. Alright, I guess this will be a feature request now that Apple has opened the NFC capabilities to the whole world :smile:

  • Indeed. :) Hopefully as NFC support and Yubico's libraries evolve we'll be able to bring NFC support to 1Password for iOS. Thanks!

    Ben

  • kebel87
    kebel87
    Community Member

    I’ve heard good things about yubikeys and physical 2FA in general but I’m not sure I fully understand how this works/would eventually work with 1Password.

    I see mainly two use case :

    1. Yubikey is required in addition (or as a replacement) of my master password, whenever FaceId doesn’t work or is not activated. This of course would be an addition to the requirement of yubikey to set vault on a new device.

    2. Yubikey is used within 1Password to replace OTP whenever I log into a website.

    Am I missing something? Thanks!

  • Hi @kebel87.

    I see mainly two use case

    Neither of those is applicable to 1Password + U2F / Yubikey. The function U2F serves in relation to 1Password membership accounts is for authorizing new devices. When you go to sign in on a new device you'll need the following information:

    • Sign-in address (URL)
    • Email address
    • Secret Key
    • Master Password

    and, if U2F is enabled you would additionally need:

    • Your security key (which could be a Yubikey) or
    • A TOTP code generated by an app like Authy, Google Authenticator, or even 1Password itself (though 1Password should never be the sole source of TOTP codes for your 1Password account)

    The reason I say or for that last bit is not all of our apps support U2F at this time. For apps that do not support it, you'll need TOTP. At present we have two apps that do support U2F:

    • The 1Password.com web app via a compatible web browser
    • 1Password for iOS (requires the Yubikey 5ci via Lightning)

    I hope that helps clarify the purpose of U2F and where it is available. Please let me know if you have further questions. :)

    Ben

  • kebel87
    kebel87
    Community Member

    Thanks @Ben your answer have been very informative and appreciated. :)

  • ag_tommy
    edited December 2019

    I am glad Ben was able to help you and on behalf of Ben your welcome. If you need any help now or in the future, please stop in. We're always here to help.

  • tsereg
    tsereg
    Community Member
    edited February 2020

    Hi. I couldn't solve my similar issue described above. I have a TOTP and some Yubikeys set up, none of them are 5Ci. Setting 1password up on a brand new iPad I get "Compatible Security Key Required" warning after tapping "Sign in", and there is no "Cancel" button to fall back to TOTP. Is there any way to enforce using TOTP instead of Yk in this case? Thanks!

  • @tsereg,

    I see the logic flaw, we'll get that fixed in the next update.

  • badlittlerobots
    badlittlerobots
    Community Member

    Is there any chance of getting support for the 5Ci’s usb-C side? I also ran into this bug when resetting up my iPad Pro that has USB-C (where you can’t click cancel to sign in with an Authenticator instead) but I could use it to log into the 1Password site with mobile safari on the iPad which is kinda goofy.

  • My understanding is that we need support from Yubikey for interfacing with a key over USB-C on iOS, but I'll follow up with the development team and see if there has been any change on that front. :+1:

    Ben

This discussion has been closed.