Request: first-class support of physical security keys / don't require Authenticator App for 2FA/MFA
There are many conversations on this forum re: 2FA/MFA and security keys. They seem to go sideways because there's always a response that goes into 1Password's backend security architecture, which means that if someone hacked into 1Password, they would not be able to decrypt customers' vaults. Many of us understand this architecture and it is the only reason I moved from LastPass to 1Password this week.
What is disappointing is that there is little empathy for the user who is also worried about frontend security, specifically the lack of first-class support for physical security keys like YubiKey, Titan, etc.
I understand from a recent discussion that an Authenticator App is required because 1Password has multiple apps and they don't all support physical security keys yet.
My request is for 1Password to announce when physical security keys can be enabled for 2FA/MFA without requiring an Authenticator App first.
Why this is desired:
- There is a user persona who wants or needs zero-trust or selective trust. Maybe they'll trust their laptops or home computers, but they don't want to trust their mobile devices / smartphones. They want the ability to always use a physical security key for authentication validation, especially when traveling. This is me.
- There is a completely different user persona who doesn't have a smartphone or is not competent with a smartphone. Think older adults who are under constant phishing attacks ("Low balance alert: Your [bank name] checking account is below $100. Login now."). Bringing an authenticator app on a smartphone into the mix that they don't feel comfortable using means they won't use it or they won't use it well. This user persona is much more comfortable with physical keys than glassy smartphones. This is my father.
Aside for readers of this post who struggle to keep older adults safe online:
For those like me struggling to help the older adults in our lives who are perfectly competent living alone -- but less so online -- this is the best I've come up with.
It achieves two objectives: it minimizes the chances my parents will be successfully phished, and it makes it easy for them. It is not easy for me, but once it's done it really is the easiest way for them to stay safe online.
- Purchase YubiKey Series 5. The cheaper blue security keys targeted for consumers won't be enough if you're using 1Password (and a lot of other sites). Configure the YubiKey with a PIN, just like the bank cards we're all used to.
- Install and configure Yubico Authenticator v6. This way Dad can stay on his laptop and press the YubiKey to get one-time passcodes when needed. That code should automatically be pasted into the site he's trying to log into. (Staying on the laptop works because the private information needed for the authenticator is stored on the YubiKey 5 series, not a smartphone.)
- (Step I would like 1Password to eliminate through first-class support of physical security keys) When setting up 1Password MFA, use the Yubico Authenticator App (rather than Google Authenticator or Authy etc.).
- Once an authenticator app is registered (step 3), then you can register a physical security key. This is what makes physical security key support in 1Password "second class" in my mind. (Also: I think 1Password supports U2F, not FIDO2 at the moment. The only reason I think that -- and I could be wrong -- is because 1Password did not ask for my PIN when I registered my security key.)
- (Optional) You can configure the OTP slots on the YubiKey 5 series to hold static passwords. I configured slot 1 with the long complicated 1Password password. To use slot 1, use a "short" press. I configured slot 2 with my 1Password "secret key." To use slot 2, use a "long press." You might not want to configure slot 2 on all your security keys.
- Create backups following advice from YubiKey.
So how does this work?
- Dad/Grandpa logs into his computer as normal and grabs his physical keychain, which holds his YubiKey 5. He inserts the YubiKey into his laptop's USB port. (There are backup YubiKeys in safe places.)
- He clicks the teeny-tiny 1Password extension icon on Chrome. This takes some training.
- When prompted for his 1Password password, he uses the "short press" feature on the YubiKey 5 to automatically enter his long complicated password. (This is the OTP "static password" feature from step 5 above.) His password is also hand-written on two printed copies of the 1Password emergency kit, which are also stored in several safe places.
- 1Password takes care of all site passwords as he goes about his online business. (We set up new strong passwords together. It was a lot of work.)
- For sites that support FIDO2/U2F physical security keys he presses the key when prompted.
- For sites that support Authenticator Apps he has to open Yubico Authenticator on his computer. This takes some training, but it's fast and automated so there's less fumbling. (I also had to set this up for him.)
- For sites that only support email and SMS, he gets codes by Gmail, which is very well protected with security keys.
Comments
Update :) I'd still like to see first-class support for physical security devices (i.e. not require an authenticator app before registering a physical security key).
For sites that don't support physical keys at all, but do support Authenticator Apps (e.g., LinkedIn), I want to make a huge shout-out for 1Password's built-in Timed One Time Password field. This will make things so much easier for me and my dad.
When you're setting up 2FA/MFA on sites that support Authenticator Apps, you just copy secret key into 1Password's "one time password" field (you can also use the built-in QR reader). 1Password then automatically creates the 6 digit TOTP codes when you need them.
I can't tell you how much easier this will be to use. In my comment above, this replaces Step 6 -- it should be automated so Dad doesn't have to open up any authenticator app at all, either on his phone or laptop.
Another update -- if using a YubiKey, I don't recommend reconfiguring slot 1 as I originally did. If you ever want to restore the proprietary Yubico OTP it's possible, but not all sites will accept user-defined keys. Instead, in Step 3 above, I have Dad's slot 2 (long press) hold the second half of his 1Password password. He types in an easy-to-remember portion, then does the long press. For example, if his 1Password password is "helloworld#4lmnopqrstuv..." he types in "helloworld" and does the long press. Slot 2 is configured to hold "#4lmnopqrstuv..."
It's been a journey. I always say "complexity is the enemy of security." It's taken a while for me to find the most secure path of least resistance. I hope this helps others.
0