YubiKey Support for X

I might be the only one here who likes this idea. I was wondering if Agile will be supporting YubiKey for 1Password X? It's great to have the 1Password integration with 1Password X to unlock my vaults. It would be nice to also unlock my vaults with YubiKey + PIN (I have a really long Master Password, on purpose). Anyways, just a thought. Also, it would lessen the dependency on 1Password needing to be installed on macOS.



Comments

  • kaitlyn
    1Password Alumni

    Hey @dreinidaho! We do support U2F security keys, such as YubiKey, for two-factor authentication with your 1Password account. I don't see us using hardware keys to replace the Master Password, but that's an interesting concept. If you haven't already set up your YubiKey with your 1Password account, this article should help you out. Thanks for sharing your idea with us! :)

  • DBLClick
    Community Member

    I love the idea of U2F for security keys, but I'm also against the idea of being heavily dependent on the key. I think the Google approach would be best, needing the key to provide a secure method of setup and login, but not every time we need to unlock 1PWx. This balance will ensure the integrity of the password, without the increased burden of using the key for every access.

  • AGAlumB
    1Password Alumni

    @DBLClick: Indeed, that's how 1Password works: since our security is based on encryption, not authentication, two-factor authentication is only used when authenticating with the server, i.e. when authorizing a device for the first time. After that, the data does not need to be retrieved from the server, as it is stored encrypted on the device, and therefore no authentication is involved at that stage. Cheers! :)

  • ScipioAfricanus
    Community Member

    To me it would make much more sense to be able to use a FIDO key instead of a password for 1password x and the desktop apps. You're doing basically the same when you're allowing FaceID or TouchID instead of the master password. This would be much more convenient and would really improve 1password. Especially considering how buggy the browser extension for the desktop app still is.
    Using a security key as a second factor for the web login isn't a big improvement in my opinion, because it is rarely necessary to log in.
    I think the goal really should be to allow passwordless login as often as possible. That would be a real selling point.

  • ScipioAfricanus
    Community Member

    Just to be clear, I'm talking about integrating FIDO2 WebAuthn and not FIDO U2F. We want to finally get rid of passwords.

  • AGAlumB
    1Password Alumni
    edited December 2019

    > Just to be clear, I'm talking about integrating FIDO2 WebAuthn and not FIDO U2F. We want to finally get rid of passwords.

    @ScipioAfricanus: I don't see that happening. While that's possible with things where authentication is the only security measure, 1Password is very different: its security is based on encryption. Our Chief Defender Against the Dark Arts elaborated on this a bit here:

    Different functions of the Secret Key, Master Password, SRP, and 2FA

    But one thing he intentionally glossed over since it was a bit of a diversion there, which you've brought up here, is this:

    > To me it would make much more sense to be able to use a FIDO key instead of a password for 1password x and the desktop apps. You're doing basically the same when you're allowing FaceID or TouchID instead of the master password.

    That is not the case. Biometrics simply allow you to temporarily unlock 1Password more conveniently by saving a Master Password equivalent, which is then used to decrypt the data. Put another way, you're still providing information -- your Master Password -- which is mathematically required to decrypt the data, rather than "proving" who you are to 1Password to "access" the data. You're just doing it in a clever and convenient way. :)

  • ScipioAfricanus
    Community Member

    @brenty thanks for your reply, I've read the post you linked. I understand now that the master password is still required.

    Could you explain in an oversimplified manner why it is possible to unlock the apps with FaceID or TouchID but it wouldn't be possible to unlock 1Password X with a security key? What's the main difference?
    I didn't get that from the post. It's not a criticism, I'd just like to understand and learn.
    Thanks

  • Hey @ScipioAfricanus,

    Good question. On iOS we have a secure place to store your Master Password, the system's keychain: https://support.1password.com/face-id-security/#your-master-password-is-stored-securely

    That kind of secure storage just doesn't exist in a web browser, and protecting a local secret like this isn't something WebAuthn was designed for (unlike the iOS keychain).

This discussion has been closed.
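
The distinction drawn in the replies above, between unlocking by supplying key material that decrypts the data and proving identity to a verifier, shown as an added example that is not part of the thread and not 1Password's code. It is a simplified model: the PBKDF2 parameters, the vault format, the `secureStore` object standing in for an OS keychain and all function names are assumptions, and the sample values are constructed.

```javascript
// Added illustration, not 1Password's code; names, parameters and format are assumptions.
const crypto = require('node:crypto');

// Encryption-based unlock: the secret is an input to deriving the vault key.
function deriveKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, 100000, 32, 'sha256');
}

function sealVault(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the key is wrong (GCM tag check fails).
function openVault(key, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Authentication-style check: the verifier learns only "valid" or "not valid".
function assertionIsValid(publicKey, challenge, signature) {
  return crypto.verify('sha256', challenge, publicKey, signature);
}

function demo() {
  const salt = crypto.randomBytes(16);
  const password = 'constructed master password';
  const vault = sealVault(deriveKey(password, salt), 'example vault item');

  // Keychain-style unlock: a protected store releases the saved key material.
  const secureStore = { savedKey: deriveKey(password, salt) };
  const viaStoredKey = openVault(secureStore.savedKey, vault);

  // Security-key-style login: a fresh challenge is signed and verified.
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const challenge = crypto.randomBytes(32);
  const signature = crypto.sign('sha256', challenge, privateKey);
  const authenticated = assertionIsValid(publicKey, challenge, signature);
  // The signature changes with every challenge, so it is not a stable decryption key.
  const viaSignature = openVault(crypto.createHash('sha256').update(signature).digest(), vault);
  return { viaStoredKey, authenticated, viaSignature };
}
```

In this model the saved key opens the vault, while a valid signed challenge authenticates the user yet yields nothing that decrypts it.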