Unlock using 2FA key

Ryan992
Community Member

I am using 1Password X on Firefox and the Android app. On my computer I have to retype my full Master Password when it relocks, but I never have to complete my second factor again; on Android I have a short, simple PIN code. I would prefer an option, when unlocking a previously authenticated device, to use my YubiKey, which I have set up for 2FA, to unlock the app on Android and on Windows. I feel that would be both easier to use and at least more secure than the PIN code on Android.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @Ryan992

    Thanks for taking the time to write in with your thoughts. With 1Password, unlike most other services, your data is protected using encryption keys only you have (i.e. your Master Password and Secret Key). Because of this, we have to do things a bit differently than most services. 2FA, specifically, plays a very different role for 1Password than it does for other services. You can read more about that in previous discussions, e.g.:

    I hope that helps in understanding why things are set up the way they are. Thanks!

    Ben

  • Ryan992
    Community Member

    No offense, but that seems like a cop-out. I mean, there is literally 0 reason why you can't use the U2F challenge-response to replace the PIN used to unlock the vault after it has already been decrypted on the device using the Master Password. Seems like pure laziness. I'm glad I'm finding this out before my trial is up; looks like I'm going back to LastPass.

  • I hope you're able to find a solution that works well for you, @Ryan992. If you change your mind we'll be here to help with any other questions you may have.

    Ben

  • plttn
    Community Member

    @Ryan992:

    It is indeed true that U2F is a challenge-response system. However, Windows Hello, Touch ID, Face ID and biometrics on Android are all using a key escrow system. There is no way to cryptographically escrow a key behind a challenge-response on U2F, so it just turns into "the security model trusts 1Password to only give up the escrowed key when it's supposed to", which is not the model AgileBits intends as the security model for 1Password.

    Additionally, LastPass does not support U2F, and what you're seeing is the proprietary YubiOTP implementation, which is not a challenge-response but instead an OTP that is not a challenge-response.
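
plttn's distinction between challenge-response and key escrow, as an added example that is not from this thread or from 1Password: a constructed Go stand-in for a U2F authenticator shows that a relying party gets only a yes/no verdict from each response, and that because every response carries a fresh counter and signature it cannot serve as stable key material to wrap a vault key, so any "release the key after verification" step is the app's own code, which is exactly the trust model plttn describes. The type and function names, and the simplified signed-data layout, are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)
// Constructed stand-in for a U2F authenticator: a P-256 key plus the
// monotonic counter that every U2F authentication response carries.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}

// signedData mirrors the U2F layout: appIdHash || userPresence || counter || challengeHash.
func signedData(appIDHash, challengeHash []byte, counter uint32) []byte {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	return append(append(append(append([]byte{}, appIDHash...), 0x01), c[:]...), challengeHash...)
}

// Respond answers a challenge; the counter advances on every touch, so two responses are never identical.
func (a *Authenticator) Respond(appIDHash, challengeHash []byte) (uint32, []byte, error) {
	a.counter++
	d := sha256.Sum256(signedData(appIDHash, challengeHash, a.counter))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, d[:])
	return a.counter, sig, err
}

// Verify is all a relying party gets from a response: a yes/no decision.
func Verify(pub *ecdsa.PublicKey, appIDHash, challengeHash []byte, counter uint32, sig []byte) bool {
	d := sha256.Sum256(signedData(appIDHash, challengeHash, counter))
	return ecdsa.VerifyASN1(pub, d[:], sig)
}
// DerivedKey is what an "unlock with the U2F response" design would need: treating the response as key material.
func DerivedKey(sig []byte) [32]byte { return sha256.Sum256(sig) }
func main() {
	a, _ := NewAuthenticator()
	app, ch := sha256.Sum256([]byte("app")), sha256.Sum256([]byte("challenge"))
	_, s1, _ := a.Respond(app[:], ch[:])
	_, s2, _ := a.Respond(app[:], ch[:])
	fmt.Println("same key from two touches:", DerivedKey(s1) == DerivedKey(s2)) // false
}
```

Contrast this with escrow: a device-held key that wraps the vault key is released consistently on every successful local check, which is the property a challenge-response signature cannot provide.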

  • That is a really great explanation, @plttn. Thanks for spelling that out. :)

    Ben

This discussion has been closed.