Yubikey and Business Accounts - force-require for every login?

I've read about the Yubikey and 2FA for home users and understand that requiring its use on every login is not an option at the moment (although your major competitor seems to be able to do this). My question is whether this is possible on Business Accounts.

We have different needs to home users, and in many cases, much higher security needs. The costs of bandwidth on a mobile phone are a non-issue, whereas security of the device IS. An unlocked PC or iPhone, with an (ahem) "acquired" 1P master password is an exploit available to anyone with physical access. Without the Yubikey also, this could not occur.

Love the product, but this can be a constraint in certain use cases. Protecting the ability only to "not install" on another device, does not solve the problem, I think, of a bad actor having access to a PC, phone or whatever, plus the master password.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • john_m
    john_m
    1Password Alumni

    Hi @Ziggy_Stahdust! An important factor here is that 1Password is not an authentication-based product, it's an encryption based product. YubiKey devices are a form of multi-factor authentication; however, with 1Password's security model, there is no authentication. When you enter your Master Password (and potentially Secret Key) to "sign in" to 1Password, you're not actually signing-in in the same sense as you would to a traditional service like Amazon or Twitter. Instead, the credentials you enter are used locally on your device to form an encryption keyset, which is either able to successfully decrypt 1Password data, or it is not. There is no authentication involved.

    When someone enables two-factor authentication for a 1Password account, this doesn't actually alter the underlying security model of 1Password's encryption in any way. Instead, an additional authentication step is created between a client's first-time sign-in from an unauthorised device, and a two-factor authentication check is placed on this new authentication step. This is designed to provide an additional barrier between our live service and an unauthorised device accessing a user's membership for the first time. Remember, at the point this challenge occurs, a valid Master Password and Secret Key (neither of which are transmitted) has already been provided. If the authentication check is successfully passed, the device is added as an Authorized Device for that user, and subsequent unlocks of that specific device only require their self-chosen Master Password.

    If a user ever feels that their self-chosen Master Password and one of their authorised devices has been compromised (and remember, Master Passwords should never be shared with anyone, should be random and unique), then their best defence is not two-factor authentication, but is instead to change their Master Password, and to de-authorise the device in question.

    If you would still like to be required to pass more frequent authentication checks when using 1Password, 1Password Teams and 1Password Business accounts support the use of Duo. Duo is a third-party authentication service, which you can configure to require re-authentication every day from each device you use with the account if you wish.

    Let me know if you have any other questions, or if there's anything else I can help you with!

  • Ziggy_Stahdust
    Ziggy_Stahdust
    Community Member

    Thanks John. I understand that. Great explanation.

    So while the device (or a new device) is protected, the user really needs to ensure that the (now authorized) device is never left open and/or accessible to an actor who may, at least potentially, also know the Master Password (unknown to the user, say possibly through a keyloogger) - that being no different than the user him/herself having access. In many organizations, one must lock one's PC or phone immediately upon "leaving" it to prevent such access. Mercifully, most devices do have a configurable "lock after x minutes" setting.

    Phones clearly are the most sensitive as with PCs we often can control the overall environment. Phones get left all kinds of places "just for a moment" and are often not set to lock instantly - more out of convenience than anything else. (Sigh.)

    I'll look at Duo and see if that meets the needs for my use case. That way both the device are authenticated AND the user is authenticated if I understand correctly.

  • john_m
    john_m
    1Password Alumni

    You're very welcome, @Ziggy_Stahdust! (and happy new year to you!)

    the user really needs to ensure that the (now authorized) device is never left open and/or accessible to an actor who may, at least potentially, also know the Master Password (unknown to the user, say possibly through a keyloogger)

    The conceit here would be that if the device has already been compromised to the point where an attacker has been able to install a keylogger, then there are already significant security issues with that user's device beyond whatever 1Password can protect them against. Without that specific conceit, a user's Master Password is never stored or transmitted in any way, so as long as the user dutifully protects their Master Password by never sharing it with anyone, the combination of their Master Password and unique Secret Key provides more than sufficient protection. If you require more detail on this specific point, let me know and I'll ask a member of our security team to chime in here. :+1:

This discussion has been closed.