1Password WebAuthn doesn't require userVerification

kathampy
Community Member
edited November 2019 in Lounge

When logging into my 1Password account on the web with a FIDO2 key, it doesn't require userVerification so the security key doesn't ask for the PIN. I have a security key attached to my computer at all times and it would be better if the userVerification flag was set in WebAuthn so that the PIN is required.



Comments

  • jpgoldberg
    1Password Alumni

    Hi @kathampy,

    This is a deliberate choice given the role that 2FA plays in 1Password unlocking. There are three things to keep in mind (one of which I will elaborate on).

    1. Your FIDO2 Key is only ever used as a second factor when it comes to 1Password.
    2. Yubico (and others) do not recommend userVerification for second factor use. It is designed for when the key is meant as the only or primary factor.
    3. 2FA in 1Password does less than it does in traditional authentication systems, as much of 1Password's security is not about authentication at all.

    The first two points already speak to why we've designed things as we have, but I would like to elaborate on the third. Your Master Password and Secret Key are mathematically required to be able to decrypt your data. This means that you will never be able to unlock 1Password with some other authentication factors alone.[^1] So an authentication factor can never function as a way to unlock 1Password.

    [^1]: Things like TouchID may seem like an exception, but they aren't. I'd just need to describe things at a level of detail that would distract from the essential point.

    The role of MFA in 1Password

    Perhaps it is best to try to describe how different parts of our system protect against different threats.

    1. Your Secret Key (and to a lesser extent, your Master Password) keeps you safe if your encrypted 1Password data is stolen from our servers.
    2. Your Master Password is what defends you if your encrypted data is stolen from your device.
    3. SRP protects the authentication process and sessions from an attacker who has control of the network.
    4. 1Password's MFA protects you in case an attacker has your Secret Key and Master Password but does not have your encrypted data.

    This is why we limit MFA to setting up a new device. When you set up a new device, you must authenticate to our system to obtain your encrypted data. In that context MFA offers protection, but once your local device has a copy of your encrypted data an attacker who gets at your local device doesn't need to authenticate further. All they need to do is make a copy of your local data and attack that data with guesses of your Master Password. This is why even if 1Password presented you with a dozen extra authentication factors, you still need a good Master Password.

    We (unlike some of our competitors) don't wish to pretend that MFA gives you more protection than it actually does. Something that is decrypting data locally (like a well-designed password manager) has very different security properties than something that is trying to prove to some remote service that you are who you say you are (like the overwhelming majority of services people use); and MFA plays a smaller and different role in the former than in the latter.

    Why am I bringing this all up?

    I want to take every opportunity to remind people that no matter how many additional authentication factors they have for 1Password, they still need a good Master Password. For typical services, strong second factors mean that people can get away with weaker passwords. But that is not the case for something like 1Password. And I bring this up to you specifically because you appear to be seeking a great deal from your second factor, and I want to make sure that your reliance on it doesn't lead you to use a weaker Master Password than you otherwise might.
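The reply above turns on whether a relying party asks for (and then checks) user verification. As an added illustration that is not 1Password's code, this shows how a relying party reads the WebAuthn authenticator-data flags byte to see whether the key actually performed user verification (PIN/biometric) and how the requested userVerification policy maps onto that bit; the function names and the sample bytes are constructed for the example.

```javascript
// Added example (not 1Password's code): reading the WebAuthn
// authenticatorData flags on the relying-party side.
// Layout of authenticatorData: rpIdHash (32 bytes), flags (1 byte),
// signCount (4 bytes, big-endian), then optional attested data/extensions.
const FLAG_UP = 0x01; // user present (a touch on the key)
const FLAG_UV = 0x04; // user verified (PIN or biometric was checked)

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: authData.readUInt32BE(33),
  };
}

// Apply the relying party's userVerification policy the way the spec requires:
// "required" must reject an assertion whose UV bit is clear; "preferred" and
// "discouraged" accept either. For a second-factor use the UP bit must always
// be set, so an assertion without a touch is rejected under every policy.
function assertionSatisfiesPolicy(authData, policy) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return false;
  if (policy === "required") return parsed.userVerified;
  if (policy === "preferred" || policy === "discouraged") return true;
  throw new Error(`unknown userVerification policy: ${policy}`);
}

// Constructed sample authenticatorData: placeholder rpIdHash (all zeros),
// the given flags byte, and a signature counter of 7.
function sampleAuthData(flags) {
  const buf = Buffer.alloc(37, 0);
  buf[32] = flags;
  buf.writeUInt32BE(7, 33);
  return buf;
}

// A PIN-less touch (UP only) passes under "discouraged" but not "required".
console.log(assertionSatisfiesPolicy(sampleAuthData(0x01), "discouraged")); // true
console.log(assertionSatisfiesPolicy(sampleAuthData(0x01), "required"));    // false
console.log(assertionSatisfiesPolicy(sampleAuthData(0x05), "required"));    // true
```

The point the check makes concrete: a relying party that sends userVerification "discouraged" gets a valid assertion from a touch alone, so the PIN prompt the original poster wanted only appears when the relying party both requests "required" and rejects assertions whose UV bit is clear.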

  • kathampy
    Community Member

    Thanks for the clarification.

  • ag_ana
    1Password Alumni

    @kathampy, on behalf of jpgoldberg, you are very welcome!

    If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)
