Security Key vs Authenticator App

edited October 19 in Memberships

Hi,

This is not really a Mac question, but I could not find a better category for it.

I have recently bought a Yubikey and set it up as security key for some of my online accounts including 1Password. 1Password still allows a 2FA authenticator app to work side by side with security key authorization.

Question 1: Does that not defeat the purpose of using a hardware token in the first place if you can still log in using an authenticator app instead of the Yubikey?

Question 2: I was able to unlock my iOS 1Password app with my Yubikey using NFC but my iPadOS requested the authenticator code. So if I were to remove authenticator 2FA from my 1Password account how could I unlock my 1Password iPad app?

Thanks for your help.

Johnny

Comments

  • Ben (AWS Team)

    Team Member

    Hi @JohnnyFJohnsson

    Most of our apps do not support U2F / Yubikey at this point, and as such in order to enable one a TOTP authenticator also needs to be set up. It is not possible to remove the TOTP authenticator without also removing the Yubikey.

    Ben

  • Hi @Ben,

    Thanks for your reply. How does that setup then affect the usefulness of having U2F at all? If a threat actor can just bypass the stronger U2F authentication and opt to use 2FA, why should I use U2F? Different topic, but Dropbox works similarly: you can enable U2F, but authenticator 2FA remains active, which in my mind completely removes any benefit from having U2F in the first place. Other sites I use avoid this issue by providing backup codes that can be used in case U2F does not work or the hardware token is lost or else.

    Do you have any further view on this?

    Thanks again.
    Johnny

  • Lars (Junior Member)

    Team Member

    @JohnnyFJohnsson - it's not a bad set of questions, but Ben has already provided the main answer: not all our clients currently support hardware security key only, so users on those platforms would have no way of using 2FA at all if we tried to implement a hardware-key-only approach. Although I don't have a timeline to share with you, we plan to have this feature in all clients in the future, at which point, you'll be able to switch to hardware key-only.

    Having said that, I don't think it's pointless to enable hardware key support where it's available. After all, your authenticator app should be only on one device, and that device may not always be the one you have with you. You could even remove the app altogether if you're comfortable being without that backup method of 2FA. I wouldn't suggest it...but you could.

    As to backup codes, we don't use them for a few reasons. Perhaps the most-important one is that we're already working to make sure the message gets across to all 1password.com users that they need to keep backups of their Secret Keys. We don't want to add to or confuse that message in any way whatsoever, and giving people something else they need to save would be doing exactly that. Along the same lines, the entire concept of the Secret Key is confusing enough on its own; we don't want to make it easier for people to think they have it backed up when all they really have are TOTP backup codes.

    TOTP backup codes don't really add a lot of value. If someone loses the device their 2FA app is on, or it's stolen or damaged, we can usually help sort them out via email when necessary and reset 2FA for them. That process is certainly a pain for users, but it is much less of a pain than what we have to say when people write in to say they have lost their Secret Key.

    There are also alternatives to TOTP backup codes. If you want a backup mechanism for authenticator-based 2FA, just save the TOTP long-term secret or the QR code someplace. In a hardware key-only situation, you wouldn't have the ability to save the QR code from the authenticator app, but we would still be able to reset 2FA after verifying you anyway (it's about the only thing we can reset).

    Finally, above all the reasons above, is the fact that 2FA for signing into 1Password confers different sorts of security properties than 2FA does for other services. So while TOTP is nicely familiar to most people, it plays a different role in 1Password security than in just about every other place you've used it.
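Lars's suggestion above is to keep a copy of the TOTP long-term secret as the backup. The added example below (my own illustration, not 1Password's code) implements RFC 6238 from such a base32 secret, which makes the security consequence concrete: whoever holds the saved secret can produce every future code, so the copy needs the same protection as the authenticator device. The secret used is the RFC 6238 test key, constructed here for the example.

```python
"""TOTP (RFC 6238) generation and verification from a stored long-term secret.

Added example, not 1Password's code. It shows what "saving the TOTP
long-term secret" actually preserves: the secret alone reproduces the
authenticator app, so a saved copy is as sensitive as the device.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def totp(secret_b32: str, unix_time: Optional[int] = None,
         step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """Return the TOTP code for a base32 secret at the given Unix time."""
    if unix_time is None:
        unix_time = int(time.time())
    # Secrets copied from QR codes are often unpadded and lowercase.
    padded = secret_b32.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, candidate: str, unix_time: Optional[int] = None,
           window: int = 1, step: int = 30) -> bool:
    """Accept a code within +/- `window` time steps, using a constant-time compare."""
    if unix_time is None:
        unix_time = int(time.time())
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * step, step=step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# Constructed secret: the RFC 6238 SHA-1 test key "12345678901234567890" in base32.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    # RFC 6238 vector at T=59 is 94287082 (8 digits); the 6-digit code is 287082.
    print(totp(RFC_SECRET, 59))
```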

  • Hi @Lars,

    Thank you very much for your very thorough reply. I highly appreciate your support.

    I follow your logic, and I agree that in regard to 1Password the Secret Key is already the second factor. TOTP or U2F adds a third layer on top. I would still very much appreciate being able to remove TOTP from my 1Password account altogether once the apps can get authenticated by it. I understand, though, that the iPad may remain problematic, as Apple has not yet opened up U2F through the USB-C connector and the iPad does not support NFC.

    But I was very surprised to see my iPhone 1Password app ask for my Yubikey as 2FA and through the NFC chip the authentication was extremely easy.

    Thanks again.

    Johnny

  • Ben (AWS Team)

    Team Member

    On behalf of Lars, you're very welcome.

    I would still very much appreciate being able to remove TOTP from my 1Password account altogether once the apps can get authenticated by it.

    I'm sure that'll be on the table for consideration once the apps have that support. :)

    I understand, though, that the iPad may remain problematic, as Apple has not yet opened up U2F through the USB-C connector and the iPad does not support NFC.

    Indeed this is a bit of a hurdle.

    But I was very surprised to see my iPhone 1Password app ask for my Yubikey as 2FA and through the NFC chip the authentication was extremely easy.

    :+1:

    Ben

  • I wish Yubikey could be used as the primary MFA option, like in Bitwarden.

  • Ben (AWS Team)

    Team Member

    We'd love to expand our support for it. :+1:

    Ben
