To protect your privacy: email us with billing or account questions instead of posting here.

Configure 1Password to use more than 1 Yubikey authenticator.

PGKW
PGKW
Community Member
edited October 2023 in Memberships

I have two Yubikeys, and use the approach that the for all sites using 2FA (including 1Password), that either one of these keys can be used to generate a 6 digit OTP. However, when I go into 1Password and set that up, the first authenticator can be set up without issue, but there appears to be no option under "Your second factors" to add another Yubikey. It only has an option to "Replace" the existing authenticator app.

There is an option to "Set up another second factor" using a security key, but I'd like these to be identical.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • ajh0912
    ajh0912
    Community Member

    So you're using the TOTP (OATH) 'application' on your YubiKeys, even when the website supports FIDO2 / FIDO U2F?

    That 'application' on the YubiKey can allow it to store up to 32 TOTP 2FA seeds - mainly useful for websites that do not support Security Keys, but do support TOTP authenticator apps.

    Why not register your YubiKeys as Security Keys, and take advantage of the phishing resistance you get? You can register multiple security keys and also have 1x TOTP method.

    1Password aren't using discoverable credentials (formerly 'resident keys'), so they won't use one of the 25 slots for discoverable credentials - it'll use FIDO2 CTAP1 or CTAP2, you can have an infinite number of those credentials as they are not actually stored on the YubiKey (also better than your 32 TOTP slots).

    Unfortunately I don't believe it's possible to register more than one TOTP 2FA method at once for 1Password. I would like that option too, for additional flexibility.

    Now because of the way TOTP works, the answer for what the 6 digit code code should be at any point in time is based on the current time, and a seed. The seed is encoded in the QR code you scan. You could save the QR code (somewhere safe) and use it to load that TOTP into any future authenticator apps. Or better, just use Yubico Authenticator to scan that same QR code into each of your Yubikeys at once (if you definitely want to go that route, rather than using them as Security Keys).

    There is one main downside to scanning the same TOTP QR code in multiple places, you can't selectively invalidate one of them - because they're actually the same. It would invalidate all the places you used that QR code if you remove/replace that one TOTP method on the website.

  • Hi @PGKW 👋

    You're correct that it isn't currently possible to set up multiple authenticator apps for your 1Password account, but I'm happy to submit a feature request for this on your behalf. To clarify, it sounds like the end goal is to have two different possible TOTPs available at any given time, is that correct? If possible, could you tell me a bit more about your use case for this and why you'd find it useful?

    If you haven't already, I also recommend giving @ajh0912 's suggestion a try and adding your Yubikeys to your 1Password account as security keys.

    Let me know what you think and we'll go from there. 🙂

  • PGKW
    PGKW
    Community Member

    Yes, the idea is in terms of provide an exact replica of one key versus another. Think of you providing instructions to someone else in the event of your untimely demise. The last thing you'd want is one key to behave one way, and another key to behave another way. Just my two cents.

  • Thanks for this additional context, @PGKW! I've shared this internally for further consideration. In case it's helpful in the meantime, when adding multiple security keys to your 1Password account, any one of them can be used when setting up a new device, so it might still be worthwhile to take that approach.

    Let me know if you have any questions and thanks for sharing your feedback!

    ref: PB-36093346

  • rootzero
    rootzero
    Community Member

    @PGKW You can program as many Yubikeys as you like with the same TOTP secret. The only limitation is that they need to be in the same place at the same time or you need to keep a separate record of the TOTP secret. Just plug each of them in turn into the device running Yubico Authenticator and don't enter the 6 digit code into the web page until they've all been programmed.

  • PGKW
    PGKW
    Community Member

    But that is quite a limitation, which was my point of the issue that I was having. The instructions state that it has to be done immediately after the first one. Given the typical workflows of customers wanting to ensure redundancy of their keys, that isn't very realistic, especially for the new customer starting out with one Yubikey, then realizing they should have 2 or more.

  • ajh0912
    ajh0912
    Community Member

    @PGKW make sure to keep in mind, the restriction of being limited to 1x TOTP QR code is only relevant if you're taking that TOTP QR code and storing it on your YubiKeys - instead, if you use your YubiKeys as a Security Key (which 1Password natively supports), then you can enrol them independantly and name them.

    It also won't take up one of the 32 slots you have for TOTP codes on your YubiKeys.
    The TOTP feature of YubiKeys is really intended to be used for websites that don't support Security Keys, but do support TOTP.
    If you use your YubiKey as a Security Key for 1Password 2FA, you benefit from phishing resistance.
    Phishing resistance is the primary benefit of Security Keys compared to just scanning TOTP QR codes into an authenticator app on your phone.

This discussion has been closed.