I have read all the past threads I could find regarding unlocking 1Password using a hardware token. Based on those past discussions it seems unlikely that 1Password will implement the requested feature. I would like to revisit this feature request by offering what I hope is a sound security benefit of the feature request. First, I'll restate and extend the feature request.
We often hear that convenience and security are at odds with each other. However, I think there are situations in which improving convenience can actually enhance security. An ideal password manager would spend the vast majority of the time in a locked/encrypted state, so that there would only be very short windows of time where it would be possible to extract plain text credentials or other secret data. This implies a very short auto-lock interval. However, it is incredibly annoying to have to type a long master password just about every time I want to access a specific credential. So, what wins out, security or convenience? In my case I put up with the inconvenience, but I know that the staff I support will not put up with the inconvenience, and they will set much longer intervals before auto-lock kicks in, and they will do worse things than this. I want to protect staff from themselves, because I know they will get up and walk off without locking their PC (PC lock timer is longer than I would like to see for 1Password); I know they will leave passwords visible, using the reveal feature, on their screen; I know they will use 1Password to type passwords, in plain text, into applications like Notepad, OneNote, etc., just so that they don't have to keep unlocking 1Password; I know they'll take pictures of passwords and store them on their phone (which is synced with a personal cloud account), etc.
If 1Password can be made even more convenient, such that it's easier to just use native functionality vs all the lazy workarounds, then our security posture will be stronger. I think that using a security token, that just requires a touch to unlock, would be fantastic. The additional centralized policy controls would help to establish a consistent baseline for all users and then the rest of the solution involves training, coaching and managerial intervention when policies are not being followed.
Please understand that I agree there is sound technical logic in the current 1Password design that is based around a master password and secret key for unlocking/decrypting password vaults, so I'm not suggesting the use of a YubiKey for technically enhancing encryption strength; rather, I'm suggesting that there is a very human psychological component that seems to be overlooked in the current design. I think this proposed feature request could mitigate more of the human frailty involved in password management.