Does 1Password support U2F+PIN for system authentication?
Using 8.10.16 on Arch linux, I have PAM system-auth set up to use a U2F security key + PIN. This works anywhere else system-auth is used. However, when I try to use it in 1Password, the app has no apparent awareness of my key + PIN. The 'use system auth' button just shakes at me if I press it and I'm not prompted to enter a PIN or any other kind of credentials.
Yes, I have the 'unlock using system authentication service' option checked in Settings -> Security. In fact, I'm using 1Password for an ssh-agent and that part is working fine. It's just the unlocking of 1Password itself where things are not working as claimed.
Does 1Password support U2F + PIN for authentication?
1Password Version: 8.10.16
Extension Version: NA
OS Version: Arch
Browser: NA
Comments
-
Hey @klieber, thanks for reaching out to us.
I understand you're looking to configure 1Password to use system auth with a U2F security key. While this isn't something that's currently supported - one of our developers was actually able to set this up recently by adding a rule to to
/etc/pam.d/polkit-1
:auth sufficient pam_u2f.so cue origin=pam://hostname appid=pam://hostname
Let me know if that helps at all!
Ali
0 -
Thank you - I will give that a try. Also, to help me understand: when you say using a U2F key is unsupported, how does that reconcile with "1Password supports unlocking via system authentication"? Is system-auth not system authentication?
What system authentication methods does 1Password support?
0 -
Hey @klieber
I apologize for any miscommunication- system authentication is supported. 1Password delegates authentication to PAM and should inherit support for any authentication method used by your device.
With that said, it appears that U2F keys may require some additional configuration to work with 1Password.
Looking forward to hearing how things go.
Ali
0 -
So either this isn't working, or I don't understand how to trigger the UI to let me use PIN-verified security keys. When 1Password is locked, the only system-related option I see to unlock it is the fingerprint icon on the password bar:
When I click on that, it just shakes angrily at me and eventually says "that didn't work. check your password and try again."
However, I have the key+PIN working correctly for both system-auth and polkit-1 in PAM:
Any help appreciated.
0 -
Hi @klieber,
Thanks for bringing this to our attention. This is an interesting issue and I would love to investigate into this issue further.
Could you send an email to
support+linux@1Password.com?
With your email please include:
- A link to this thread: https://1password.community/discussion/142611/does-1password-support-u2f-pin-for-system-authentication
- Your forum username:
klieber
- A diagnostics report: https://support.1password.com/diagnostics/?linux
We'll look forward to hearing from you.
0 -
@FrankyO1P - thanks for the reply. I had already submitted a support ticket ([#FXP-81245-773])
Appreciate the assistance.
0 -
OK, so thank you to 1Password support, who helped me solve the issue. I use i3wm, which isn't a full desktop environment. I hadn't configured a policykit agent in my i3wm config file, so there was nothing for 1Password to interact with from a polkit standpoint.
Once I installed lxpolkit and added:
'exec --no-startup-id /usr/bin/lxpolkit &'
to my i3 config file, now 1Password properly unlocks via system auth.
Note there are many different polkit agents - lxpolkit is merely one of them. Gnome has one, MATE has another, etc. So if you end up in a similar situation, pick whatever one aligns best with your own environment.
0