YubiKey for 2FA with iPad Pro
I’ve recently tried to set up 2FA using a YubiKey 5 NFC for my account. This works fine on my Mac mini and iPhone 11 Pro, but on my 3rd gen iPad Pro the app was just crashing on launch.
After trying a reset of the iPad I eventually deleted the 1Password app and reinstalled, at which point I discovered that the source of the problem is that it’s saying that the iPad is not compatible with any of the supported 2FA keys.
I realise that the iPad doesn’t have NFC, but the YubiKey 5 NFC does seem to be compatible with the iPad Pro using a USB-C to A adapter (although it’s obviously not working for 1Password).
Is this something that will eventually be supported by 1Password in software, or is there still some limitation in iOS or the iPad or YubiKey that will prevent this combination working?
Thanks
1Password Version: 7.4.5
Extension Version: Not Provided
OS Version: iPadOS 13.3.1
Sync Type: Family Account
Comments
-
Thanks Ben,
I also saw this update earlier in the week. I’ve not had a chance to test whether this has helped with the issue I was seeing.
0 -
-
@Ben I’ve just tested this (USB-C iPad Pro with YubiKey 5 NFC), results below.
Basically I think I’m seeing the same results as @Naxterra
The app launches fine, and when prompted for the code I enter the code from the YubiKey app on my iPhone and it’s worked fine. So it’s all fixed for me now, and sounds like I can use either a YubiKey 5 NFC or 5Ci with my combination of devices 👍🏼
For the record, results using the YubiKey 5 NFC with the Apple USB-C to A adapter were as follows:
- The key lights up
- Tapping the key does result in a string of characters being entered into 1Password, although that’s obviously not what it’s expecting and it doesn’t authenticate successfully
0 -
The Yubikey 5Ci can be used for U2F with a USB-C iPad Pro. A YubiKey 5 NFC can only be used for TOTP with such a device.
Correction: As of writing, YubiKeys can only be used for TOTP (not U2F) on USB-C iOS devices. This is due to a hardware limitation of the keys themselves, and as such it is unlikely that it is a situation that will be able to be addressed in software.
Ben
0 -
Ben, I have a YubiKey 5Ci and have successfully used it to log in to my 1Password web account in Safari on my iPad Pro using USB-C. However, when I try to log in using the 1Password app on the iPad Pro, it only allows an Authenticator app OTP. So is the iPad 1Password app capable of using this hardware key? The same hardware key works fine on my iPhone 1Password app.
0 -
The release notes for v7.4.6 say:
Fixed an issue that would prevent you from logging in to your 1Password account when configured with a security key on an iPad with a USB-C port.
It is possible that I misinterpreted this note. I'm going to clarify with our development team and will follow up here further. Thanks!
Ben
0 -
Doh. My apologies folks. It appears I did read too much into that statement. The YubiKey 5Ci's USB-C connector is not connected to an MFi chip, and as such, as far as we're aware, will never work on iOS via USB-C. I will correct my statement above.
Ben
0 -
Ben, thanks for the update. If it is an MFi chip issue, why does the 5Ci hardware key work with the 1Password web account in Safari on the iPad Pro but not in the 1Password iPad app? Is it an app API issue?
0 -
It does appear Safari is handling the device differently, and more generically, while we're using the official Yubico integration. It is in theory possible that we could switch over to the same thing Safari is doing, but it seems that has its own set of caveats. As such that probably isn't the way we're going to head, and it certainly isn't something on the radar at the moment.
Ben
0 -
I am quite confused now.
So if I heavily use an iPad Pro, do I have a path to also use a Yubikey of any type?
Or will I effectively not be able to then log into any site and app I protect via Yubikey on the iPhone or my laptop while using the iPad Pro?
Any hope that the upcoming “YubiKey 5C NFC” will improve the situation in case the current options do not work?
0 -
Unfortunately, not in the native iOS 1Password application. You might be able to get it to work on the iPad Pro to log in via https://my.1password.com. I don't have an iPad Pro myself to say for certain if this combination works or not.
Any hope that the upcoming “YubiKey 5C NFC” will improve the situation in case the current options do not work?
I think it's pretty unlikely to change anything. The iPad Pro lacks an NFC reader entirely, and the USB-C side of the device would need to have an MFi (Made for iPhone/iPod/iPad) chip in order for it to work with their native app integration.
0 -
Slightly off-topic but related: are there any other keys supported that would work better?
Like Librem Key / NitroKey / Thetis / Google Titan / TurtleAuth / Gemalto
0 -
I'm not aware of any. The USB-C connection of such a key would need to be MFi-enabled, and I haven't heard of any that are. At this time we're only able to test and support a limited set of keys, so I don't have first hand experience with any of the ones you mentioned. If anyone has one and wants to try it out there isn't any harm in trying it.
Ben
0 -
@Ben, @rudy there is no such thing as a USB-C MFI device and never will be. MFI only applies to devices that are compatible with Lightning (which would include a Lightning to USB-C adapter), the iPod Dock Connector, as well as software that implements AirPlay.
Requiring such would be in violation of the use of the standards, and would obviate the whole point of Apple implementing USB-C on the iPad.
The USB-C side of the YubiKey 5Ci, along with all of their other USB-C keys, is both fully and natively supported by Yubico and Apple on the iPad Pro as well as other competitors of yours. That’s why it can be used in Safari, Chrome, as well as any other iPadOS applications you want. Other USB-C keys or in fact any USB key used with any adapter are also fully supported. Note that the use of Google products requires installation of the Google Smart Lock app.
You have no barriers to supporting it at all, as there are no limitations to the use of the USB-C port at all. And however you get access to the device on Android or any other platform will work fine - since you can’t install a driver of any kind for it on Android and one is not required elsewhere. It’s just your average everyday USB HID device.
0 -
On iOS we're using the Yubico SDK. The keys that we're able to support are defined by that SDK. I wouldn't be in a position to comment on the Android side of things but if you're having trouble there I'd recommend starting a thread in our Android category. One of my colleagues will be happy to help.
Ben
0 -
This is a bummer. I just tried to use my 5Ci on a latest gen iPad Pro over the USB-C connector, and it, in fact, does not work. I'm sad. :(
0 -
Sorry to hear this @johnmartinez :(
0 -
Does the Yubikey 5 NFC work with the 2020 iPad Pro and 1Password app? Anyone try that?
0 -
Does Yubikey 5Ci work with iPad (5th gen) using the Lightning port? I can't get it to work.
0 -
They are both the latest software versions as of yesterday. Has yubikey done testing with that hardware?
0 -
Do Yubikeys work with ANY version of iOS and 1Password? Has it been tested? The versions I'm using are iPadOS 14.4.2 and 1Password 7.7.2. I was hoping that you might have information on testing that 1Password has done or if there are any known occurrences of Yubikeys working with iPads. From the reading I've done, YubiKeys are supposed to work with iPads and 1Password. Is there any information to support this? I can continue testing and working with other versions and researching this on the Internet but I was hoping you guys might have some insight you could bring to the table. Please let me know if you have ANY information on compatibility. Thanks.
0 -
Do Yubikeys work with ANY version of iOS and 1Password?
Yes. See the listing on: https://support.1password.com/system-requirements/?ios
iPad Pro via USB-C is not supported.
If you're already signed into your account you won't be prompted for your YubiKey. Support for YubiKeys is strictly limited to first sign-in on a new device.
0