YubiKey for 2FA with iPad Pro

I’ve recently tried to set up 2FA using a YubiKey 5 NFC for my account. This works fine on my Mac mini and iPhone 11 Pro, but on my 3rd gen iPad Pro the app was just crashing on launch.

After trying a reset of the iPad I eventually deleted the 1Password app and reinstalled, at which point I discovered that the source of the problem is that it’s saying that the iPad is not compatible with any of the supported 2FA keys.

I realise that the iPad doesn’t have NFC, but the YubiKey 5 NFC does seem to be compatible with the iPad Pro using a USB-C to A adapter (although it’s obviously not working for 1Password).

Is this something that will eventually be supported by 1Password in software, or is there still some limitation in iOS or the iPad or YubiKey that will prevent this combination working?

Thanks


1Password Version: 7.4.5
Extension Version: Not Provided
OS Version: IPadOS 13.3.1
Sync Type: Family Account

Comments

  • Ben AWS Team

    Team Member

    Hi @markmat

    As far as I'm aware, on iOS, we're only able to support Yubikeys over Lightning (Yubikey 5Ci only) or NFC. It is possible that may change in the future, but I couldn't speculate on that.

    Sorry I don't have further information to share at this point.

    Ben

  • Thanks Ben,
    I also saw this update earlier in the week. I’ve not had a chance to test whether this has helped with the issue I was seeing.

  • Ben AWS Team

    Team Member

    Please let us know how it turns out @markmat. :)

    Ben

  • It works for me, at least. It asks for 2FA from my mobile app and doesn't enforce Yubikey anymore.

  • Ben AWS Team

    Team Member

    Thanks for letting us know @Naxterra. Which Yubikey and which iOS device are you using?

    Ben

  • I have iPad Pro 11 (latest gen) and Yubikey 5 NFC

  • Ben AWS Team

    Team Member

    Gotcha. That is what I'd expect to happen, then. Thanks again @Naxterra. Just wanted to be sure it wasn't a Yubikey 5Ci, which should now work over USB-C with the iPad Pro 11. 👍

    Ben

  • @Ben I’ve just tested this (USB-C iPad Pro with YubiKey 5 NFC), results below.

    Basically I think I’m seeing the same results as @Naxterra
    The app launches fine, and when prompted for the code I enter the code from the YubiKey app on my iPhone and it’s worked fine.

    So it’s all fixed for me now, and sounds like I can use either a YubiKey 5 NFC or 5Ci with my combination of devices 👍🏼

    For the record, results using the YubiKey 5 NFC with the Apple USB-C to A adapter were as follows:

    • The key lights up
    • Tapping the key does result in a string of characters being entered into 1Password, although that’s obviously not what it’s expecting and it doesn’t authenticate successfully
  • Ben AWS Team

    Team Member
    edited March 6

    The Yubikey 5Ci can be used for U2F with a USB-C iPad Pro. A YubiKey 5 NFC can only be used for TOTP with such a device.

    Correction: As of writing, YubiKeys can only be used for TOTP (not U2F) on USB-C iOS devices. This is due to a hardware limitation of the keys themselves, and as such it is unlikely that it is a situation that will be able to be addressed in software.

    Ben

  • dberk Junior Member

    Ben, I have a Yubikey 5Ci and have successfully used it to log in to my 1Password web account in Safari on my iPad Pro using USB-C. However, when I try to log in using the 1Password app on the iPad Pro, it only allows an Authenticator app OTP. So is the iPad 1Password app capable of using this hardware key? The same hardware key works fine on my iPhone 1Password app.

  • Ben AWS Team

    Team Member

    @dberk

    The release notes for v7.4.6 say:

    Fixed an issue that would prevent you from logging in to your 1Password account when configured with a security key on an iPad with a USB-C port.

    It is possible that I misinterpreted this note. I'm going to clarify with our development team and will follow up here with further. Thanks!

    Ben

  • Ben AWS Team

    Team Member
    edited March 6

    Doh. My apologies folks. It appears I did read too much into that statement. The YubiKey 5Ci's USB-C connector is not connected to an MFi chip, and as such, as far as we're aware, will never work on iOS via USB-C. I will correct my statement above.

    Ben

  • dberk Junior Member

    Ben, thanks for the update. If it is an MFi chip issue, why does the 5Ci hardware key work with the 1Password web account in Safari on the iPad Pro but not in the 1Password iPad app? Is it an app API issue?

  • Ben AWS Team

    Team Member

    @dberk

    It does appear Safari is handling the device differently, and more generically, while we're using the official Yubico integration. It is in theory possible that we could switch over to the same thing Safari is doing, but it seems that has its own set of caveats. As such that probably isn't the way we're going to head, and it certainly isn't something on the radar at the moment.

    Ben
