Security Key + PIN instead of Master Password?

francescominciotti, Community Member

Guys,

I have a Mac Mini which, alas, doesn't have any biometric authentication method whatsoever.
I am also security-conscious, so my Master Password is rather badass, hence not so easy to type.
Recently, I wondered if it could be possible to plug a security key into my Mac and, thanks to it, switch the authentication in 1Password (the app, not the website) to either no password at all or a shorter password/PIN.

If that's not possible as of today, would you be willing to consider adding it to the app? If not, would you be willing to share the reasons why? (I don't miss an opportunity to learn something new...)

Thank you in advance,

P.S.: I noticed that in some instances my Mac prompts me to double-press a button on my Apple Watch to enter my system password. I don't think there's an API for 1P just now, but it's something that's on your radar, I'm sure. Care to elaborate on that, too? It could be even more secure and practical than a USB key.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Ben

    Hi @francescominciotti

    Thanks for taking the time to write in. Regarding the Apple Watch situation, if we were to go down this path, it would require a Mac that has a Secure Enclave, which for the most part only Touch ID-capable Macs have. As such, unfortunately, this likely wouldn't help in your case.

    The difficulty with the other suggestion (key+PIN), or anything similar, is related. First, to clarify: when you're unlocking 1Password to view data already stored on your computer, there is no authentication involved. The only authentication is with the server, for the purpose of downloading/uploading any changes since the last time the app talked to the server. Otherwise, authentication isn't part of the process. This is why you're able to use 1Password offline: you don't have to authenticate with a server in order to access cached data. What is happening is decryption. So why couldn't we have your security key + PIN, or some other similar mechanism, decrypt your cached data? Largely for the same reason Apple Watch wouldn't help you: we have nowhere secure (i.e., a Secure Enclave) to store the necessary encryption keys on your machine.

    As more new Macs are being produced that do include a Secure Enclave this may become a more practical option.

    Ben

  • francescominciotti, Community Member

    Thanks, Ben, for the quick, thorough answer.

    So, this means that whenever my Apple Watch is required to give the input to my Mac, it does transmit or trigger a decryption in a somewhat insecure way?

  • Ben

    So, this means that whenever my Apple Watch is required to give the input to my Mac, it does transmit or trigger a decryption in a somewhat insecure way?

    No. Your Mac isn't doing decryption, it is doing authentication.

    Thanks, Ben, for the quick, thorough answer.

    You're very welcome. :+1:

    Ben

  • francescominciotti, Community Member

    Hence, they store the password needed for authentication purposes somewhere other than a Secure Enclave (I'm positive my 2018 Mac Mini doesn't have one, right?), a risk that the 1P crew isn't willing to take.
    Am I right?

  • Ben

    Actually...

    About the Apple T2 Security Chip - Apple Support

    Computers that have the Apple T2 Security Chip
    These Mac computers have the Apple T2 Security Chip:

    iMac Pro
    Mac Pro introduced in 2019
    Mac mini introduced in 2018
    MacBook Air introduced in 2018 or later
    MacBook Pro introduced in 2018 or later

    So if your Mac Mini is a 2018 model it probably does have the T2 chip (and thus Secure Enclave) included.

    Ben

  • francescominciotti, Community Member

    Uuuh that’s good news.
    So, it is technically feasible for you to implement an "Apple Watch" decryption method on T2-equipped Macs, and you could do that as more of those Macs are out in the field.
    Is that right?
    If so, I’m using all my votes for this feature to be implemented ASAP :)

  • ag_ana, 1Password Alumni

    Thank you for letting us know about this :+1: :)

  • gosmond, Community Member (edited March 2020)

    I'm interested in this topic. I have a 2019 MacBook Pro, an iPhone SE, and a recent (2019) iPad Air. I believe all of these devices have T2 / secure enclave chips.

    I mainly use the 1Password desktop and mobile apps in stand-alone mode. (Doing data-syncs via iCloud.) I don't have a 1password cloud account.

    I am frequently concerned, when typing in a master password to authenticate to the 1Password app on devices, that my keystrokes could be captured by surveillance cameras, which are proliferating in density, coverage, and especially in resolution/frame rate. It's to the point where I have to hunch over strangely to try to shield the keyboard while I type.

    I'd like to be able to use a YubiKey as a second factor for authenticating to the 1Password app itself, i.e. instead of just typing in the master password to unlock, I'd like to require both master password + YubiKey. (And yes, I'm aware that I would need to have at least 1 safely-stored backup YubiKey elsewhere in case my primary key was lost, stolen, or damaged.)

    For desktop macs (i.e. anything with a USB-C port) a plain YubiKey might work. For more recent iOS devices, maybe the same setup could work using the new Bluetooth and/or NFC versions of the YubiKey.

    Any chance this functionality may be added to the 1Password desktop and/or iOS apps in a future release?


    1Password Version: 7.4.3
    Extension Version: Not Provided
    OS Version: OS X 10.14.6
    iOS Version(s): 13.3.1
    Sync Type: iCloud

  • gosmond, Community Member (edited March 2020)

    Aack. I had written a long, detailed comment but somehow (?) deleted it (?) while trying to edit it. I'm not going to re-type the whole thing, but the gist of it is:

    • An increasing share of users (self included) have Macs & iOS devices with T2 / secure enclave chips.
    • The proliferation & increasing video quality of security cameras makes it ever-harder to type in a password securely on a keyboard or perhaps even a mobile screen.
    • It would be very desirable to have the option to require a Yubikey as a 2FA device for unlocking the local (Mac OS X or iOS app) 1Password app.
    • Yubikey now makes an NFC version, and possibly also a Bluetooth version, and these could further facilitate a YubiKey + masterpassword access method for iOS devices.
    • I'm aware that requiring a physical device to unlock a local 1Password vault could present a lock-out hazard; of course, users who opted to activate such a feature would be very well advised to have at minimum a second identical YubiKey safely stored elsewhere, perhaps even a third at an additional location.

    1Password Version: 7.4.3 (70403002)
    Extension Version: Not Provided
    OS Version: OS X 10.14.6
    Sync Type: iCloud only

  • ag_ana, 1Password Alumni

    Thank you for your feedback as well @gosmond! :+1:

  • 1pwuser31547, Community Member

    Using local vaults, you already have "2FA" implemented: device + password.

    One thing to consider is that you can program static passwords into various security keys like YubiKey and OnlyKey, which will type these passwords onto your computer. So you can create a very complex, high-entropy, uncrackable password and use that as your MP. Of course, you would need multiple secure backups of this password so you don't get locked out.
    This is what I do.

    As Ben says there is no need for authentication of local data.
    The strength of your MP is by far the most important factor in strengthening your account/local vaults.

    One feature I would like implemented in 1PW with security keys is an HMAC-SHA1 challenge-response.
    This would strengthen encryption, which of course would be most useful for memorized master passwords that by practical necessity are typically lower complexity/entropy. This would be analogous to strengthening online accounts with the 2 secret key derived encryption.

    In my use case this wouldn't add any meaningful entropy to my MP as I have programmed a very complex MP into these keys.

    However, since the response is generated (not typed) by the security key, it provides some additional protection against keyloggers (beyond the secure input feature on Macs).
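
As an added illustration of two points made in this thread (Ben's: an offline unlock is key derivation plus decryption with no server authentication involved; and 1pwuser31547's proposal: mixing a security key's HMAC-SHA1 challenge-response into that derivation so a keylogged Master Password alone no longer decrypts the vault), here is a stdlib-only Python model. It is not 1Password's code or vault format and not code from anyone in this thread. The YubiKey slot is simulated by a local HMAC-SHA1 over a secret that a real key would never release, the PBKDF2 iteration count is chosen for the demo, and the HMAC-in-counter-mode cipher with an encrypt-then-MAC tag is a stand-in for a real AEAD such as AES-GCM. The sample vault item is constructed.

```python
"""Toy model of an offline password-manager unlock (illustrative only)."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # demo value; production clients use far more work


def yubikey_hmac_sha1_response(slot_secret, challenge):
    """Simulated YubiKey HMAC-SHA1 challenge-response slot.

    On a real key the 20-byte slot secret never leaves the device; the host
    only ever sees HMAC-SHA1(secret, challenge). Here it is computed locally."""
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()


def derive_vault_key(master_password, salt, cr_response=None):
    """Vault key from the Master Password alone (plain local unlock), or with
    the key's challenge-response mixed in, analogous to how a second secret
    strengthens the derivation. No server is contacted at any point."""
    pw_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    if cr_response is None:
        return pw_key
    # Mixing step: a keylogger that captured the typed password lacks this input.
    return hmac.new(pw_key, b"yubikey-cr|" + cr_response, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC: keystream XOR, then an HMAC tag over nonce||ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_sealed(key, blob):
    """Return the plaintext, or None when the key is wrong (tag check fails)."""
    expected = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


def create_vault(master_password, item_bytes, slot_secret=None):
    """Create a local vault. With slot_secret, a fixed per-vault challenge is
    stored in the clear and the key's response is required at unlock time."""
    salt = os.urandom(16)
    challenge = os.urandom(32) if slot_secret is not None else None
    resp = (yubikey_hmac_sha1_response(slot_secret, challenge)
            if slot_secret is not None else None)
    key = derive_vault_key(master_password, salt, resp)
    return {"salt": salt, "challenge": challenge, "blob": seal(key, item_bytes)}


def unlock_vault(vault, master_password, slot_secret=None):
    """Offline unlock: derive the key, decrypt. Returns None on failure."""
    resp = None
    if vault["challenge"] is not None:
        if slot_secret is None:
            return None  # security key not present: the vault key cannot be derived
        resp = yubikey_hmac_sha1_response(slot_secret, vault["challenge"])
    key = derive_vault_key(master_password, vault["salt"], resp)
    return open_sealed(key, vault["blob"])


def demo():
    """Run both vault flavours and report which unlock attempts succeed."""
    mp = "correct horse battery staple"
    item = b"example.com / alice / hunter2"  # constructed sample item
    plain_vault = create_vault(mp, item)
    yk_secret = os.urandom(20)  # what would be programmed into the key's slot
    cr_vault = create_vault(mp, item, slot_secret=yk_secret)
    return {
        "mp_only_ok": unlock_vault(plain_vault, mp) == item,
        "mp_only_wrong_pw": unlock_vault(plain_vault, "wrong") is None,
        "cr_with_key": unlock_vault(cr_vault, mp, yk_secret) == item,
        "cr_keylogged_pw_only": unlock_vault(cr_vault, mp) is None,
        "cr_wrong_key": unlock_vault(cr_vault, mp, os.urandom(20)) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Two caveats the model makes visible: the challenge is fixed per vault, so the response is a static secret that must be available offline; an attacker who sniffs it on the USB or NFC link, rather than only keylogging the typed password, has the same material the legitimate unlock uses. And because the response is needed for derivation, losing the key is a lock-out, which is exactly why gosmond's point about a spare, identically programmed key matters.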

  • ag_ana, 1Password Alumni

    As Ben says there is no need for authentication of local data.
    The strength of your MP is by far the most important factor in strengthening your account/local vaults.

    This is correct :+1:

This discussion has been closed.