
Yubikey + 1Password strategy/Best Practice

igeneo
Community Member
edited April 2023 in Memberships

I'm trying to sort out my best use for the YubiKey 5 (NFC/USB-C). I suppose I'm trying to balance usability and security, the line we all try to straddle. I watched several videos on YubiKey and their authenticator app. One thing that stood out was that if I use their authenticator for all my TOTP needs (with the 32-item limit), every time I set up a new item, I would need both keys present to update? Is that correct? That seems like a non-starter from a convenience standpoint.

So, to make sure I am clear:

  1. Using YubiKey with 1Password basically "authorizes that device" to use the 1PW account, and it will not be needed again until I either deauthorize the device or add another 1PW install?
  2. YubiKey Authenticator could be used for the TOTP that 1Password will require? (Likely the only use for that app.) I don't like to have apps that are rarely used, but this may provide the best balance?
  3. Best off letting 1PW generate the TOTP passwords, and they will sync between my 1PW installs as they do today?

Sound about right?

Also, I will use YubiKey for Apple ID.

Thanks for the feedback.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • ag_josephine
    1Password Alumni
    edited May 2023

    Hi @igeneo,

    You're correct: upon authenticating the 1Password app on a device using a security key, the security key would not be required for that device again unless it was unauthenticated or you began using a different version of 1Password. You are able to use YubiKey with 1Password.

    Any TOTPs within the 1Password account will sync between your devices as your current items do.

  • seattlerust
    Community Member

    I had hoped that YubiKey would work as you described for my desktop, but would occasionally be required to be called upon (once a month or so) to validate that everything is still working as required. Additionally, I had hoped that I could use the key on my laptop but require its use every time I log on to the laptop, so that 1Password would never be accessible if the laptop were stolen, even if for some reason my 27-character password were known. Any way of allowing that scenario?

  • ag_josephine
    1Password Alumni

    @seattlerust,

    It isn't possible to require Two-Factor Authentication (2FA) at all times. 1Password is primarily based on encryption, not authentication; what this means is that after you've already authenticated (allowed) a device to download your data, at that point it's your account password that ultimately protects your local data.

    2FA protects against the download of your data in the unlikely event someone got hold of both your account password and Secret Key, but since there's a local cache of your data on a trusted device, 2FA doesn't come into play at that point: the data's already there.

    Requiring 2FA in this scenario wouldn't actually add any meaningful security unless there were no local cache, which would mean you wouldn't be able to access your data in an offline scenario, either.

  • seattlerust
    Community Member
    edited May 2023

    Thank you. Please confirm that the Security Key that accompanies the user name and password to access 1Password is also required to log on to 1PW through 1Password.com, unless this is done from a browser that has the 1PW extension installed and unlocked. This feature does not seem to appear in any of the discussions on the 1PW website pages. And, if an owner of 1PW wanted to log on to 1PW.com from a different computer and did not at that time have access to the Key, could this be accomplished with YubiKey and the password?

  • igeneo
    Community Member

    I think I misunderstood the YubiKey functionality a little. I arrived at my UK home, having since enabled YubiKey on my US devices. When I get here to my MacBook, it lets me sign in as normal with full access to my 1PW file in a "read only" mode. My expectation was that it would not allow access at all until I authenticated with the YubiKey? Apparently devices that were once authenticated with the master password still function in read-only mode, and once authenticated with the YubiKey, it allows read/write to the 1PW vault.

    Just a data point for those that are new to this, I suppose.

  • ag_josephine
    1Password Alumni

    @seattlerust,

    When accessing a new device or browser via 1Password.com, the account password and Secret Key, as well as two-factor authentication (2FA) or a security key (if you have it enabled), will be required to access the account from this new device/browser. You cannot use the security key as a replacement for the Secret Key if you do not have access to it at the time it is required.

    @igeneo,

    Whenever you sign in to any of the 1Password apps, a local cache of data is downloaded in the event you lose a valid internet connection, so that you can create, edit, and view all items in your vault. If you have a 1Password account, have signed in to the 1Password app, and then enable 2FA, you can still view the cached data, but no new changes will sync.

    1Password relies on encryption to protect data, while 2FA protects against the initial download of your data.
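An added illustration of the model described in this reply and in the earlier reply to @seattlerust. It is not 1Password's code: the key derivation, the server-side verifier and the HMAC-based cipher are simplified stand-ins for the real mechanisms, and every value in it is constructed. It shows that the server checks password, Secret Key and 2FA before handing out the encrypted vault, while an already-authorised device unlocks its local cache with the account password alone, so enabling or changing 2FA later never touches that offline path:

```python
import hashlib, hmac, secrets

def vault_key(password, secret_key, salt):
    # Toy two-secret derivation (not 1Password's own KDF): password AND Secret Key both feed the key.
    pw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return bytes(a ^ b for a, b in zip(pw, hashlib.sha256(secret_key.encode()).digest()))

def _keystream(key, nonce, n):  # HMAC-SHA256 in counter mode; illustrative stand-in for a real AEAD
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None  # wrong password / Secret Key, or a tampered cache
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def _proof(key):  # key-confirmation value; stand-in for the server-side password verifier
    return hashlib.sha256(hmac.new(key, b"auth", hashlib.sha256).digest()).digest()

def make_server(password, secret_key, items, otp):
    salt = secrets.token_bytes(16)
    key = vault_key(password, secret_key, salt)
    # The server stores only ciphertext, a verifier and the 2FA secret (otp stands in for TOTP/FIDO)
    return {"salt": salt, "blob": seal(key, items), "auth": _proof(key), "otp": otp}

def download(server, password, secret_key, otp):
    key = vault_key(password, secret_key, server["salt"])
    if not hmac.compare_digest(_proof(key), server["auth"]) or otp != server["otp"]:
        return None  # password, Secret Key AND 2FA are all checked, but only here, before the download
    return {"salt": server["salt"], "cache": server["blob"], "secret_key": secret_key}  # the device

def unlock(device, password):
    # Offline unlock of the local cache: no server round-trip, so 2FA is never consulted;
    # the account password (with the Secret Key already stored on the device) is all that matters.
    return unseal(vault_key(password, device["secret_key"], device["salt"]), device["cache"])

def demo():
    srv = make_server("correct horse", "A3-EXAMPLE-KEY", b"login alice / hunter2", "123456")  # constructed
    blocked = download(srv, "correct horse", "A3-EXAMPLE-KEY", "000000")  # wrong OTP: no download at all
    device = download(srv, "correct horse", "A3-EXAMPLE-KEY", "123456")   # authorised device, cache stored
    return blocked, unlock(device, "correct horse"), unlock(device, "wrong password")
```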
