Master Password reset request with Yubikey 2FA account

MONKi1P
Community Member

Can the attached Yubikey requirement be sidestepped like the 2FA on a Master Password reset by a fellow family organizer?

Comments

  • ag_ana
    1Password Alumni

    Hi @MONKi1P!

    Can you please clarify what you mean by "sidestepped"?

  • MONKi1P
    Community Member

    Well, I tested it, and when I initiated a reset with another account there was no requirement to enter that account's 2FA during the reset of that account. Just wondering if it is the same with a Yubikey.

  • MONKi1P
    Community Member

    I’ve ordered a Yubikey but it hasn’t arrived yet, so I can’t test everything myself. One more thing, it seems like the normal 2FA authenticator remains even with a Yubikey? I get that for most people that’s a safety thing to get back into their account, but if someone doesn’t want to use any 2FA generators and only a hardware key, how can that be done? I’d understand if I need to have two for backup purposes, or at least the other family organizer will have one as well, and if the key can be sidestepped on a Master Password reset then the other organizer could be the backup.

  • ag_ana
    1Password Alumni

    @MONKi1P:

    Thank you for the clarification! Yes, recovering an account would reset both credentials and 2FA configuration.

    "One more thing, it seems like the normal 2FA authenticator remains even with a Yubikey?"

    Correct: this is because not every 1Password client supports Yubikeys, so if we did not have a secondary authentication method, those users would not be able to use 1Password at all on certain devices.

    "I get that for most people that’s a safety thing to get back into their account but if someone doesn’t want to use any 2FA generators and only a hardware key, how can that be done?"

    At the moment this is not possible, but perhaps this will be one day when every 1Password client will support hardware keys. So in this case, a backup Yubikey would still not help, and a 2FA code is required.

  • MONKi1P
    Community Member

    Hmmm so adding a Yubikey at the moment doesn’t add more security or am I missing something?

  • ag_ana
    1Password Alumni

    @MONKi1P:

    You always need a backup method when you use 2FA. Even when you enable 2FA for another account with an authenticator app, you are given backup codes. These are not insecure, but they are necessary to avoid being locked out. For 1Password, at the moment an authenticator app is the backup method.

  • MONKi1P
    Community Member

    Right, but besides the backup issue and the requirement, I had the understanding that Yubikeys are considered more secure than 6-digit 2FA generators. Are you saying there is no difference?

  • ag_ana
    1Password Alumni

    @MONKi1P:

    My apologies, I should have clarified better: I am not saying that there is no difference :+1:

  • MONKi1P
    Community Member

    Can you help me understand the security benefits of using a Yubikey with 1Password?

  • ag_ana
    1Password Alumni

    @MONKi1P:

    Absolutely, I have passed your question directly to our security team. We will post back here as soon as possible :+1:

  • Lars
    1Password Alumni

    @MONKi1P - hi. Lars from the Security Team here at 1Password. I'm...not quite sure what you mean? Your initial post referred to "sidestepping" and Master Password-reset by a Family Organizer? If you're referring to the Recovery process, anyone with Family Organizer permissions could begin the process for anyone in the family, but if it is done unintentionally or maliciously, the user (who will get an email notifying them that recovery has begun) can simply cancel the recovery by signing into their account with their existing credentials. Can you let me know a little more about what you're concerned about, or what you'd like to know? You can find out more about using a Yubikey for 2FA with your 1password.com account at this link.

  • MONKi1P
    Community Member

    Hey @Lars, by sidestepping I meant initiating the recovery process, which does not require the user to have the Master Password, Secret Key or the 2FA code. So essentially the user whose recovery has been initiated only needs to have access to their email account after the organizer has initiated the recovery process, correct?

    As for the Yubikey, what benefit is it to use one when the 6-digit 2FA is also enabled and works in parallel? I’m trying to understand how it provides extra security, as that is usually one of the main arguments for using one. @ag_ana has explained that this cannot be changed to only using a Yubikey based on 1Password's current setup.

  • [Deleted User]
    Community Member
    edited February 2021

    @MONKi1P The short answer is that having an authenticator app in addition to a YubiKey doesn't weaken your security unless you are tricked into entering TOTP codes into a bogus website. If you are worried about the latter then you can always save the authenticator app’s secret somewhere safe and delete the app from your device.

    The main advantage of a U2F device like YubiKey over an authenticator app is that it protects you from a "man in the middle". If you always use the YubiKey and don't let the webpage downgrade you to entering a TOTP from the authenticator app then you'll get the full protection of the YubiKey.

    That said, 2FA on 1password.com is not doing the same job as on other websites. It is preventing someone who knows your Master Password and Secret Key from downloading your password database to their device. The Secure Remote Password protocol that takes place before 2FA ensures that there is no-one in the middle. So I’m not sure that YubiKey brings any additional benefit over TOTP and it may make you more vulnerable to a local attacker who has access to your Emergency Kit and YubiKey.
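The "downgrade to TOTP" point in the post above is easiest to see by running both factor types through the same look-alike-site relay. The following is an added illustration, not code from 1Password or from anyone in this thread: the TOTP half implements RFC 4226/6238 as an authenticator app would, while the hardware-key half is a simplified model in which an HMAC key stands in for U2F's per-site private key (an assumption made so the example needs only the standard library; real U2F also means the server holds no shared secret at all). The origins, secret and challenge are constructed demo values.

```python
import hashlib
import hmac
import struct

# --- TOTP (RFC 4226 / RFC 6238): what an authenticator app computes -------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, then dynamic truncation to decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """Time-based variant: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step)


def totp_survives_relay(shared_secret: bytes, now: int) -> bool:
    """A look-alike site asks the user for the current code and forwards it unchanged.
    The real service verifies against the same shared secret, so the relayed code is
    accepted: nothing in a TOTP code records where it was typed."""
    code_typed_into_lookalike = totp(shared_secret, now)   # user reads it off the app
    forwarded_code = code_typed_into_lookalike             # relayed verbatim
    expected = totp(shared_secret, now)                    # real server's own computation
    return hmac.compare_digest(forwarded_code, expected)


# --- Origin-bound challenge-response: the U2F/WebAuthn shape --------------

class OriginBoundAuthenticator:
    """Models a hardware key. Real U2F signs with a per-site private key; an HMAC key
    stands in here (assumption) to keep the example standard-library only."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def assert_login(self, browser_origin: str, challenge: bytes) -> bytes:
        # The browser, not the web page, supplies the origin, and it is part of the
        # signed data, so a page cannot claim to be an origin it is not.
        msg = browser_origin.encode() + b"\x00" + challenge
        return hmac.new(self.key, msg, hashlib.sha256).digest()


class OriginBoundVerifier:
    """The relying party. It checks the assertion against its own origin and the
    challenge it issued, never against whatever origin the user actually visited."""

    def __init__(self, key: bytes, origin: str) -> None:
        self.key = key
        self.origin = origin

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        msg = self.origin.encode() + b"\x00" + challenge
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def u2f_under_relay(key: bytes, real_origin: str, browser_origin: str,
                    challenge: bytes) -> bool:
    """Same relay as above: the look-alike site forwards the real server's challenge to
    the user's browser and forwards the resulting assertion back. Returns whether the
    real server accepts it; it only does when the browser was on the real origin."""
    authenticator = OriginBoundAuthenticator(key)
    verifier = OriginBoundVerifier(key, real_origin)
    assertion = authenticator.assert_login(browser_origin, challenge)
    return verifier.verify(challenge, assertion)


if __name__ == "__main__":
    # Constructed demo values (the TOTP secret is the RFC 4226 test-vector key).
    SECRET = b"12345678901234567890"
    NOW = 1_700_000_000
    REAL = "https://vault.example"
    LOOKALIKE = "https://vault-login.example"
    print("TOTP accepted through look-alike:", totp_survives_relay(SECRET, NOW))
    print("U2F accepted from real origin:   ", u2f_under_relay(SECRET, REAL, REAL, b"c1"))
    print("U2F accepted through look-alike: ", u2f_under_relay(SECRET, REAL, LOOKALIKE, b"c1"))
```

The first call returns True and the last returns False: the TOTP code carries no information about the page it was entered on, whereas the hardware-key assertion is computed over the origin the browser reports, so a relayed assertion from a look-alike origin fails verification at the real site. This is also why the post's advice to refuse the TOTP fallback matters: the protection only holds for the factor the server actually accepted.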

  • Lars
    1Password Alumni

    @MONKi1P - Recovery can't be initiated by the user; it must be done by someone with Family Organizer permissions (or Administrator or Owner permissions, in Teams/Business accounts). And yes, if that process is begun, an email is then sent to the user which contains a link which will allow the user to continue the Recovery in their browser, which then generates a corresponding notification back to the Family Organizer, requiring them to confirm the Recovery.

    However, as I mentioned, to cancel this process (such as if the user remembers their Master Password in the meantime), they only need to sign into their account using their existing credentials instead of clicking the link in the recovery email. A Family Organizer cannot simply reset another member's Master Password, unless that Organizer also has the credentials to the user's email account they used to register as well. A Family Organizer (or Administrator/Owner) can suspend or delete other users - that's what it means to have that level of privileges. But they cannot simply reset the user's password or decrypt their data, without knowledge of their email credentials as well.

    Setting up a Yubikey is currently an option that can't be used as the sole means of 2FA for your account because not all of our native 1Password apps support it directly, and users of those platforms need 2FA access as well. Once all our client apps are able to use U2F keys, we will make that an option. In the meantime, you can still set it up and use it on your own account, and it will still provide you the benefits U2F affords, such as inability to be fooled by phishing websites (which you might be) or those who can break/intercept TLS, no shared secret traversing the internet at any time, and other features (such as ease of use).

    Finally, it's worth remembering that 2FA for a 1Password account operates quite differently from the protections people are accustomed to it offering with other services. Most sites for which you can use 2FA are authentication-based, and in such cases, using 2FA every time can indeed offer significant security advantages. In a 1Password account, however, 2FA plays a more-limited role. On your local device, you already have a cache of your encrypted 1Password data present, which is protected by your Master Password. On our servers, your Secret Key and to a lesser degree, your Master Password, protect your data from decryption. But 1Password's 2FA only really protects you if an attacker has your Secret Key and Master Password but does not have your encrypted data.
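The last paragraph makes a claim that is easy to misread: 2FA on a 1Password account gates the server's copy of the encrypted data, not the encryption itself. The following added example (not 1Password's code, and a deliberately simplified model rather than its actual scheme) makes that boundary concrete. Assumptions, all labelled in the code: a two-secret key derivation built from PBKDF2 and HMAC, an HMAC-counter-mode stream cipher with an HMAC tag standing in for an AEAD, a hashed verifier standing in for the SRP verifier, and constructed salt, nonce, passwords and vault contents.

```python
import hashlib
import hmac

# Constructed demo parameters (not 1Password's real ones).
SALT = b"constructed-account-salt"
NONCE = b"constructed-nonce"
TAG_LEN = 32


def derive_vault_key(master_password: str, secret_key: str) -> bytes:
    """Two-secret key derivation, simplified model (assumption: not 1Password's exact
    construction). A slow hash of the Master Password is mixed with the high-entropy
    Secret Key, so neither secret alone yields the key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), SALT, 50_000)
    return hmac.new(secret_key.encode(), pw_part, hashlib.sha256).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """HMAC in counter mode as a stand-in stream cipher (assumption: a real client would
    use an AEAD such as AES-GCM, which the standard library does not provide)."""
    stream = b""
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, NONCE + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    ct = _keystream_xor(key, plaintext)
    return ct + hmac.new(key, ct, hashlib.sha256).digest()   # encrypt-then-MAC


def decrypt(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key")
    return _keystream_xor(key, ct)


def auth_verifier(key: bytes) -> bytes:
    """Stand-in for the SRP verifier (assumption: simplified): the client proves it holds
    the key-derived credential; the server never holds the vault key itself."""
    return hashlib.sha256(b"verifier|" + key).digest()


class VaultServer:
    """Stores only the encrypted blob and the verifier. It releases the blob after a
    successful credential check AND the second factor; it never decrypts anything."""

    def __init__(self, verifier: bytes, blob: bytes) -> None:
        self.verifier = verifier
        self.blob = blob

    def download(self, presented_verifier: bytes, second_factor_ok: bool) -> bytes:
        if not hmac.compare_digest(presented_verifier, self.verifier):
            raise PermissionError("credentials rejected")
        if not second_factor_ok:
            raise PermissionError("second factor required")
        return self.blob


def enroll(master_password: str, secret_key: str, plaintext: bytes):
    """Returns (server, local_cache): the same encrypted blob lives on the server and in
    the client's local cache, as the post above describes."""
    key = derive_vault_key(master_password, secret_key)
    blob = encrypt(key, plaintext)
    return VaultServer(auth_verifier(key), blob), blob


def attacker_outcome(server: VaultServer, local_copy, master_password: str,
                     secret_key: str, second_factor_ok: bool) -> str:
    """What someone holding a given set of secrets ends up with. local_copy is the
    encrypted blob if they already have one (e.g. a device cache), else None."""
    key = derive_vault_key(master_password, secret_key)
    blob = local_copy
    if blob is None:                       # must fetch from the server: the 2FA gate applies
        try:
            blob = server.download(auth_verifier(key), second_factor_ok)
        except PermissionError as exc:
            return f"blocked by server: {exc}"
    try:
        decrypt(key, blob)                 # purely local: the server is not involved
    except ValueError:
        return "has blob but cannot decrypt"
    return "decrypted"


def demo() -> dict:
    mp, sk = "correct horse", "A3-DEMO-SECRET-KEY"          # constructed
    server, cache = enroll(mp, sk, b"site: bank / pw: hunter2")
    return {
        "blob + MP + SK, no 2FA": attacker_outcome(server, cache, mp, sk, False),
        "MP + SK only, no 2FA": attacker_outcome(server, None, mp, sk, False),
        "blob + MP, guessed SK": attacker_outcome(server, cache, mp, "WRONG-GUESS", False),
        "MP only, guessed SK": attacker_outcome(server, None, mp, "WRONG-GUESS", True),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:28s} -> {result}")
```

The four scenarios line up with the paragraph above: someone holding the encrypted data plus both secrets decrypts it locally and the second factor is never consulted; someone with both secrets but no copy of the data is stopped at the server by the second factor; someone with a copy of the data but without the Secret Key cannot derive the key at all. That is the narrow window in which 1Password's 2FA does its work.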

This discussion has been closed.