Works with YubiKeys? iPhone PIN protection?
I have 2 questions:
1: Can I use yubikeys as a login solution instead of the vendor solutions from Apple / Google / MS?
2: Can the fallback solution be deactivated via the iPhone PIN to enable access to 1Password? Apple has also recognized that it is a bad idea to give potential attackers access to the keychain via the iPhone PIN.
Comments
-
Hi @millertime
1: Can I use yubikeys as a login solution instead of the vendor solutions from Apple / Google / MS?
Yes, you can use YubiKeys/security keys as a method to unlock 1Password accounts secured by a passkey. When you sign up on iOS or Android, you will first be asked to create a passkey, which can be stored in iCloud Keychain or Google Password Manager. Afterwards you can add your security key by signing in to your account on 1Password.com, selecting your name in the top right, selecting Authentication, then selecting "Add a passkey."
Can the fallback solution be deactivated via the iPhone PIN to enable access to 1Password? Apple has also recognized that it is a bad idea to give potential attackers access to the keychain via the iPhone PIN.
If your passkey is stored in iCloud Keychain, it will follow Apple's AutoFill settings on your device, which do have a fallback to the device passcode if biometrics are unavailable. Apple, as you mention, is previewing Stolen Device Protection in the iOS 17.3 beta, which will give you an additional layer of security preventing access to your saved passwords in iCloud Keychain if your device is stolen and the thief has obtained your passcode.
0 -
Thanks for the quick reply. Regarding my second question, is it at least possible to use a separate passcode, as is possible with most banking apps, as a fallback option? Otherwise 1Password would re-establish the same problem that Apple has just solved with the Stolen Device function.
Ps. I may also have made a mistake. Does the Stolen Device function mean that access to 1Password via the iPhone PIN is no longer possible?
0 -
Thanks for the reply. The fallback to the device passcode when biometrics fail is coming from iCloud Keychain, where you've stored your passkey, not 1Password. As Jac mentioned, after the initial setup process where you save your passkey in iCloud Keychain you can add another passkey to your YubiKey and then remove the passkey from iCloud Keychain if you wish. If you do this you'll need to keep your YubiKey with you just in case biometrics expire on your device and you're asked to unlock with the passkey.
Ps. I may also have made a mistake. Does the Stolen Device function mean that access to 1Password via the iPhone PIN is no longer possible?
The feature is currently only in the latest iOS beta and it looks like Apple will share more as time goes on. For more questions about "Stolen Device Protection" and how it will protect credentials stored in iCloud Keychain, I'd recommend reaching out to Apple Support since they'll be in the best position to answer those questions.
-Dave
1 -
@Dave_1P - Thanks for the response and the work here on this discussion board. Using the login to 1Password with a passkey construct: What's the thought on how to handle routine logins back into 1Password when biometrics expire on an iPhone/Mac?
If the device is set up to have 1Password solely manage passkey infrastructure (to prevent duplicative autofill popups), how do you go back to the Apple keychain infrastructure just to log into 1Password? It seems cumbersome to switch back to Apple keychain just for a single login. Thanks in advance.
0 -
Thanks for the question! If biometrics expire then you'll need to re-authenticate using your saved passkey. If that passkey is saved in iCloud Keychain then there are two options:
- Keep iCloud Keychain enabled for iOS AutoFill.
- Scan the passkey QR code displayed by the 1Password app on your device using another device with iCloud Keychain and use the passkey on that other device to authenticate.
The first option is more convenient since the second would require that you carry around another device with you.
That being said, I do understand that having two different managers turned on for iOS AutoFill is confusing. I'm not sure what options are available to improve this from our end, but I've passed your feedback along to the team internally. 🙂
-Dave
ref: PB-37747035
0