Should I get a Yubikey?

Hi all,

I keep seeing these little devices mentioned and, whilst I think they’re cool and can understand their use for some accounts (specifically email and password manager), are they something that a 1Password user actually needs? Is there any benefit?

My current set up is that 1PW stores all of my OTP codes. I have the devices authorised that I want, so no real man-in-the-middle risk?
I also have 2FA on my 1PW account through Authy, and Authy has multi-device turned off. So nothing can be amended there, and again I have my authorised devices set.

I’m trying desperately to find a reason to buy a yubikey simply because I like the idea of having one, but once I seriously try to evaluate the benefits I’m struggling to find and therefore justify the cost.

Help and advice appreciated.

Thanks.

Comments

  • ag_ana

    Team Member

    Hi @Zaka_7!

    There isn't a huge security benefit with 1Password, since 1Password is based on encryption, not authentication. Your data is end-to-end encrypted with or without a Yubikey. You can read more about it here:

    Authentication and encryption in the 1Password security model

    There is certainly a benefit if you want to use them to protect the accounts you store inside 1Password though, in case you don't want to use 1Password or another authenticator app for OTPs. Maybe just keep in mind that you would have to carry your Yubikey with you at all times in case you need to login to those devices, since 1Password (or your phone with your authenticator app) will not be enough in that case.

  • Thanks @ag_ana

    That makes sense. What actually is the benefit of it for accounts within 1password like email however?

    I already have my devices authorised, so there is zero chance, is there not, of anyone getting the OTP secret from 1Password and therefore being able to get onto my accounts anyway? So what does the YubiKey actually add?

    The other thing which admittedly is menial and me being a bit anal, but I have tags set up for what authentication is where. If I had a tag as 2fayubi for apps using the yubikey and removed the OTP secret, would 1PW not then show the warning that my login isn’t using 2fa when it would be? Reason I ask is I use the 2fa tag already (which I know also removes the warning?)

    Thanks

  • ag_ana

    Team Member

    @Zaka_7:

    I already have my devices authorised, so there is zero chance, is there not, of anyone getting the OTP secret from 1Password and therefore being able to get onto my accounts anyway? So what does the YubiKey actually add?

    You would need to have the actual hardware key to login to those accounts. It's still 2FA, just instead of using OTP codes, you have a hardware component. Whether that's something that is worth it to you, I think it becomes a subjective decision.

    The other thing which admittedly is menial and me being a bit anal, but I have tags set up for what authentication is where. If I had a tag as 2fayubi for apps using the yubikey and removed the OTP secret, would 1PW not then show the warning that my login isn’t using 2fa when it would be? Reason I ask is I use the 2fa tag already (which I know also removes the warning?)

    You are right here, you would get the warning in Watchtower if you used a different tag (other than the "2fa" tag you already know about). But I know our developers are looking at ways to improve Watchtower in this aspect, so perhaps it will be better in the future :)

  • @ag_ana Thank you.

    I’ll keep an eye out for the tag update, but I think I’ll continue to use OTP codes as I do currently as I don’t see a huge upside given my set up as it currently is.

    For me I think the only thing a hardware key eliminates vs OTP is the potential man in the middle attack which with devices already authorised isn’t going to happen.

    The only remaining risk is if someone got into my 1Password account, but with or without a yubikey I’d have bigger problems in that instance regardless.

    Thanks again 😀

  • ag_ana

    Team Member

    You are welcome @Zaka_7! We can certainly also keep this discussion open in case other members of the community want to share their thoughts, I know several people use a Yubikey and like them :)

  • edited March 20

    @Zaka_7 I agree that a YubiKey is of limited benefit for 1Password users as Secure Remote Password protects from "man in the middle" attacks. I got a couple for use with social media and email accounts, so added them to my 1Password account because I could.
    Email accounts in particular benefit from a YubiKey because they typically don't use Secure Remote Password and most websites allow you to reset your password via email. So an attacker with access to your email account can reset your passwords without going anywhere near 1Password.

  • ag_ana

    Team Member
    edited March 20

    @missingbits:

    So an attacker with access to your email account can reset your passwords without going anywhere near 1Password.

    Although, unless I am mistaken, if someone already has access to your email account, they would be able to remove the security key too at that point, or replace it with a different 2FA method.

    Edit: I think I know what you mean now. You are referring to other accounts, not just the email account :+1:

  • @ag_ana I was recommending setting up YubiKey-based 2FA on the email account so that they wouldn't have access in the first place. If they already have access then you need to change the email account password, change any app passwords, reset 2FA and check that the attacker hasn't set up email forwarding or other means of access.

  • @missingbits I’m slightly confused there? Any account that offers support for a YubiKey will offer support for OTP, such as email, so without compromising my 1Password account no one could get into my emails anyway to be able to do any of what you suggest? Or am I misunderstanding your point?

  • @Zaka_7 Most online accounts will not allow you to disable password reset via email. So I'm suggesting using a YubiKey as 2FA on your email account as a way of securing your other online accounts. Most email accounts do not support Secure Remote Password or equivalent. So your email account password and email account 2FA credentials are vulnerable to "man in the middle" and phishing attacks. Using a YubiKey protects you from such attacks.
    If you add a YubiKey to other accounts, e.g. social media, then I would suggest disabling SMS text and email based one-time passcodes as 2FA on those accounts. It doesn't hurt to also have a Time-based One Time Passcode (TOTP) authenticator app set up as well. You will get the full protection of the YubiKey if you use it whenever it's an option.
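The point made above, that a relayed TOTP code is accepted by the real site while a FIDO key's assertion is bound to the page origin, as an added example that is not from this thread or from 1Password. It uses only the standard library; the hostnames are constructed, and the "authenticator" signs with HMAC rather than an asymmetric key so the origin check stands alone.

```python
# Added illustration (not from the thread): TOTP survives a phishing relay,
# an origin-bound assertion (modelled on WebAuthn clientDataJSON) does not.
import hashlib, hmac, json, secrets, struct

REAL_ORIGIN = "https://mail.example.com"        # constructed, the genuine site
PHISH_ORIGIN = "https://mail-example.example"   # constructed, look-alike site

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the code 1Password or Authy would display."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def totp_relay_accepted(secret: bytes, now: int) -> bool:
    """User types the code into the look-alike page; it is forwarded within the window."""
    typed_by_user = totp(secret, now)
    forwarded_by_proxy = typed_by_user         # nothing in the code ties it to a site
    return hmac.compare_digest(forwarded_by_proxy, totp(secret, now))  # real site accepts

def authenticator_sign(key: bytes, challenge: str, origin: str) -> dict:
    """The browser, not the page, fills in the origin the user is actually on."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}

def relying_party_verify(key: bytes, challenge: str, assertion: dict) -> bool:
    """The real site rejects any assertion not signed over its own origin."""
    data = json.loads(assertion["clientData"])
    if data["origin"] != REAL_ORIGIN or data["challenge"] != challenge:
        return False
    expected = hmac.new(key, assertion["clientData"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])

def fido_relay_accepted(key: bytes) -> bool:
    """Phisher relays the real challenge, but the signature carries PHISH_ORIGIN."""
    challenge = secrets.token_hex(16)
    assertion = authenticator_sign(key, challenge, PHISH_ORIGIN)
    return relying_party_verify(key, challenge, assertion)

def fido_genuine_login(key: bytes) -> bool:
    challenge = secrets.token_hex(16)
    return relying_party_verify(key, challenge, authenticator_sign(key, challenge, REAL_ORIGIN))
```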

  • Thanks @missingbits, I’ll look into it more then, as, pardon my ignorance, I don’t see that as improving my current set up, as my email uses 2FA and devices are ‘pre-authorised’, so no real chance of much going wrong.
    For the inconvenience of having to have 2 YubiKeys and carry them around (keep one safe in a different place) I’d want significant security improvements. And currently I don’t see I’d be getting that over my current set up.

  • @Zaka_7 I agree. Your set-up is already better than >95% of the population, and for most people with pre-authorised devices there is little benefit to a YubiKey (or two). An attacker would need to get you to sign in to a phishing page or invalidate your session, triggering an opportunity for a "man in the middle" attack. The latter would require tricking you into clearing your cookies or installing a malicious browser extension. None of these things are impossible, but you can protect yourself by simply paying attention.

  • vitovito
    edited March 20

    @Zaka_7, what a YubiKey could be is a second/third factor to encrypt your 1P database, like one more secret key file.
    So that you need it to decrypt the database.
    I had a discussion with 1P people in another thread and they think storing a keyfile outside the database is not a good idea, so I think they will not implement it.

  • ag_ana

    Team Member

    @vitovito:

    The Yubikey is not used to decrypt 1Password data, that is only done with the Master Password and the Secret Key. The Yubikey is an additional layer of authentication, not encryption: data is encrypted the same way with or without a Yubikey.
