Force Security Key on Unlock
Hi there,
my company is about to enroll 1Password as it's primary password manager.
Even though I think this is exciting news since I can add my personal Vault to it as well I do have some security concerns.
My main concern stems from the fact that my companies IT department is an external company. They have the ability to remote into machines whenever and could technically install a keylogger (or a bad actor once they have been breached).
I found this question (https://1password.community/discussion/128371/is-there-any-way-to-force-2fa) about having my master password compromised using a keylogger and how there is nothing you can do about it. So I was wondering:
Why can't I switch my accounts Master Password to a security key (like Yubikey) instead? This way there would be no password to log/compromise and they would need my security key to actually decrypt the database.
I believe this would not require an internet connection either.
Please correct me if I'm wrong, any feedback is appreciated.
Thanks in advance!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
Thinking about it some more a combination of Security Key + Password/PIN would be even better. This way, two factors of MFA would be given: something you know and something you have (that can't be compromised).
The scenario mentioned above also applies to the business side of things of course, one compromised machine/master password would expose all password stored in the company-wide-vault at once.2 -
Hello @Memphizzz,
Thanks for asking about unlocking 1Password with a hardware security key instead of an account password. At this time, 1Password isn't designed to function this way, but 1Password is developing the ability to unlock an account with a passkey, which would provide similar functionality and benefits. Passkeys are built with a similar technology to security keys, so perhaps your idea will be possible in the future. To protect the security of your account, using 1Password on a device that isn't trusted and secure is not recommended.
For now, passkey unlock is in beta. It's only available for new accounts, cannot be used with multi-user accounts, and should only be used for testing. If you're curious, see our Unlock 1Password with a passkey (beta) support article for details and to get started. Also remember that passkeys are stored by the operating system, so it possible that an IT administrator, or someone who controls malware on a device, may be able to make use of it to access 1Password.
I hope this information helps. Be sure to let me know if you have any further questions!
0 -
Hi @ScottS1P,
thanks for your detailed answer. Your input is much appreciated.
You wrote "Also remember that passkeys are stored by the operating system, so it possible that an IT administrator, or someone who controls malware on a device, may be able to make use of it to access 1Password.". But if my passkey was stored on a Yubikey it wouldn't be on the operating system and thus inaccessible to anyone with access to the local machine, right?In the case of the passkeys beta, the passkey is actually used to encrypt/decrypt the database on lock/unlock and not the master password? If so, I'm very much looking forward to it.
Regards,
MemphiZ0 -
You wrote "Also remember that passkeys are stored by the operating system, so it possible that an IT administrator, or someone who controls malware on a device, may be able to make use of it to access 1Password.". But if my passkey was stored on a Yubikey it wouldn't be on the operating system and thus inaccessible to anyone with access to the local machine, right?
We're getting fairly deep into hypotheticals here, but it does seem like "A passkey stored on a Yubikey" would provide some protection against a rogue admin who doesn't have physical access to the Yubikey. For now, I was thinking about how iOS stores passkeys in iCloud Keychain, which is accessible using the device passcode if Face ID or Touch ID fails enough times. Windows Hello and other systems likely work similarly, and I'm not sure if a passkey can be stored on a Yubikey, nor if a Yubikey could currently replace a passkey in every use case.
In the case of the passkeys beta, the passkey is actually used to encrypt/decrypt the database on lock/unlock and not the master password? If so, I'm very much looking forward to it.
Currently, when unlocking a 1Password account with a passkey, the passkey is only used for authentication. The passkey itself is not used to derive encryption keys. The encryption keys are randomly generated, and rely on a separate trusted device process to sync the encryption keys to other devices. As such, signing in with a new device requires both the passkey, and access to an unlocked 1Password client already signed into the same account.
0
