I want to be sure I understand about Yubikey

Bronwen224466
Bronwen224466
Community Member

Hello. I am looking at Yubikey since so many people say it is more secure than getting second factors by text or authenticator app. My main goal would be to stop someone accessing my account via the website, if they somehow managed to have my master password. But unless one deactivates the ability to get a code by text or authenticator app (and this seems inherently risky), I don't see the benefit of Yubikey, since a malevolent person could circumvent the need for Yubikey by simply opting for one of the other methods instead. I know that doesn't mean they can access my passwords, but the question is, what's the point of the Yubikey? Am I missing something? I understand that Agile Bits resisted adding Yubikey support for sometime, and the reasons made sense, so what changed?
And I know that Yubikey, for at least some apps, requires specific browsers, for example Chrome. Will it work for 1 Password with Safari?

Thank you!


1Password Version: 7.6
Extension Version: 7.6
OS Version: 10.15.7
Sync Type: not sure
Referrer: forum-search:yubikey

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @Bronwen224466!

    I just wanted to say that I have asked our security team to look at your questions, they can give you much better answers than I could :+1: :)

  • Lars
    Lars
    1Password Alumni
    edited November 2020

    Hi @Bronwen224466 - Lars from the Security Team here. You've raised a few good questions, so let's try to go through them all. To start, there are no specific restrictions by browser on your use of a Yubikey; if you've added a Yubikey to your 1password.com account's 2FA setup, you can use it with any browser, including Safari on a Mac.

    You've asked about what is probably the most-likely way for someone to try to attack your account: via our website. The only other way to get a copy of your encrypted data is by stealing it directly from one of your own devices, either by taking a device physically, or a remote compromise. Both of those methods of attack are a lot less immediately available in most circumstances than an attacker simply visiting the 1password.com website, which anyone can get to. But there is more than just two-factor authentication at work to defend your secrets at 1password.com, because we knew this would be an easily-available target for would-be thieves. Your main line of defense on the 1password.com site is not enabling 2FA (whether via authenticator app or Yubikey), but your Secret Key. This is the long string of alphanumeric characters that was randomly generated on your device when you first created your account. It is never transmitted to us in any form, so it cannot be stolen from our servers, and we can't be tricked into giving you what we don't have.

    So, any attacker visiting 1password.com from their own computer and trying to sign into your account would need to know both your long and strong Master Password and your Secret Key. That is the only scenario under which 1Password's 2FA might be the defense that saves you -- when an attacker has managed to acquire your Master Password and your Secret Key, but not a copy of your encrypted data. Yes, an attacker could switch 2FA methods back to the authenticator app instead - for now - but that doesn't mean they would have the secret necessary to successfully pass that authentication challenge. The reason we require an authenticator app even when you've added a hardware security key such as Yubikey is that not all of our 1Password apps support Yubikey directly yet. When we get to the point where all of our applications do support Yubikey-only 2FA, that will become an option you can select.

    So what are the benefits of adding a Yubikey, over using an Authenticator app? U2F, mostly: through the use of U2F, user login is limited to the site of origin, meaning that while YOU (the user) might be fooled or phished by a malicious pop-up meant to resemble a real site, your Yubikey won't be; it can only enter its response to the authentication challenge into the proper site, no fakes. The important thing to keep in mind is that 2FA in a 1password.com account functions very differently than what most people are used to in every other situation where they use 2FA, due to the presence of the Secret Key protecting your account.

  • Bronwen224466
    Bronwen224466
    Community Member

    Thank you for the helpful information!

  • ag_ana
    ag_ana
    1Password Alumni

    On behalf of Lars, you are welcome @Bronwen224466! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • bear67512
    bear67512
    Community Member

    HI @Lars, sorry but can i ask is there a specific option to choosing U2F by using Yubikey? To my limited understanding, I am only aware that adding Yubikey allows to to create 2FA under Yubikey's Authenticator.

  • Lars
    Lars
    1Password Alumni

    @bear67512 - I'm not quite sure what you're asking? Once you've set up 2FA for your 1Password account, you can continue on to add a Yubikey (or more than one!), which you can then use anywhere you like for the 2FA challenge from your 1password.com account.

  • bear67512
    bear67512
    Community Member
    edited January 2021

    @Lars , sorry for the poorly worded question. I always assumed that U2F is a separate option than 2FA. My bad!

  • Lars
    Lars
    1Password Alumni

    @bear67512 - no worries! Technology is moving so fast these days, it's hard to keep up with it all. That's a big part of the reason why we're here in this forum community as well as available via email at support@1password.com -- to help with any questions about what we know best -- 1Password. :)

This discussion has been closed.