Two-factor-authentication in 1Password using YubiKey

Mattis
Mattis
Community Member
edited July 2021 in Lounge

Good afternoon everyone,

I've done some research on YubiKey, the security key that can be used for authentication and is also supported by 1Password.

Currently, I don't have a YubiKey, but I'm thinking about getting one. I would like to achieve the highest possible security.

To enable two-factor authentication in 1Password - there must be at least one app set up that generates the one-time codes. Now I wonder if it makes any sense to use an ordinary authentication app like Authy because if someone gains access to the smartphone - they will also have the second factor. You use the YubiKey to enforce that it is required to log in. (in addition to the secret key, master password, region and email address).

What is the most secure way to implement this? Should I use the Yubico Authenticator to use it as an authentication app? If I understand the concept correctly - you have to connect the YubiKey to the device to unlock the authentication app.

Then you can write down the secret for the authentication app in a safe place.

I also have a question regarding the YubiKey. Maybe someone can answer me this question here: If you want to log in on multiple devices at the same time - you need multiple YubiKeys. My question now is - how can this be implemented when some services that support the usage of a security key only support one at a time? For example, if you can add only one security key on Dropbox as a second factor. With 1Password, several security keys as a second factor are supported at the same time - to my knowledge.

I would appreciate hearing your thoughts on this.

Thanks for reading

Mattis


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: 1Password.com

Comments

  • [Deleted User]
    [Deleted User]
    Community Member

    @Mattis 1Password requires you to set-up an authenticator app because 1Password doesn't support secruity keys on all platforms. The main security advantage of a hardware security key over an authenticator app is that it protects you from real-time man in the middle attacks. As long as you always use the security key you will get the full benefit of this protection.

    The risk is that an attacker could trick you into using the authenticator app instead. I think this risk is small because 1Password only requires 2FA once per device, but if it concerns you, you can print/save the QR code and/or 2FA manual entry secret and delete the 2FA token from your authenticator app. You can always re-add it in future using the QR code or manually.

    Security keys are intended to protect against a remote attacker. They don't provide great protection against a local attacker. If someone is able to steal your mobile phone then they could also steal your YubiKey. In that respect an authenticator app on your mobile protected by a password or biometrics is probably more secure.

    However, if you use your Yubico Authenticator to store your 2FA secrets in your YubiKey, you can add password protection. This is probably the most secure option as you 2FA secrets are protected both from a remote attacker (because they are stored offline) and a local attacker (because they are protected by a password).

    Websites and services which support U2F or FIDO2 do not normally require the security key to be continually present. At the point where you would otherwise enter your authenticator app's 6 digit apsscode, the browser asks you to insert your key, you insert the key, the browser asks you to press the button, you press the button and that is it until next time 2FA is required. You can then remove the key and use it in a different device.

    1Password support multiple YubiKeys as do most websites and services. However, sometimes the option to manage mutiple keys only appears after adding the first key. The main issue tends to be that different devices require different connectors. The YubiKey 5 NFC is useful here because it supports USB and NFC.

  • That's a great summary @rootzero. Thanks for sharing!

    Ben

  • Mattis
    Mattis
    Community Member

    Thank you @rootzero!

This discussion has been closed.