yubikey added and not needed to login...

careyjames
Community Member

YubiKey was added to the account and does not need to be plugged in to log in.

I added a YubiKey 5Ci

1Password Version: 1Password for Linux 8.10.26 (81026039)
Extension Version: 1Password browser extension version 2.21.0
OS Version: Ubuntu 22.04.4 LTS
Browser: Chrome Version 122.0.6261.94 (Official Build)

Comments


  • Dave_1P

    Hello @careyjames! 👋

    Thank you for reaching out! You'll only need to provide your second factor the first time that you sign in to your 1Password account on a new device or browser. Was that the case here? If so then were you signing into 1Password.com or into the 1Password app?

    If you open a Private/Incognito window and log in to your 1Password account on 1Password.com (in the browser, not the app), are you prompted for your second factor?

    I look forward to hearing from you.

    -Dave

  • careyjames
    Community Member
    edited March 5

    @Dave_1P

    Ok, yes, I understand that, and users on their devices should have that option to be remembered.
    But for the greatest security:
    It would be easy to warn of the danger of zero recovery and allow specific users to use a physically present security key before any data is displayed anywhere.
    I tested, and yes, in a web browser, upon logging in, it would ask once and then remember me until I deleted all cookies, etc.
    I am not saying get rid of the ability to ease consumer fatigue, just an added feature for some higher security users.

  • Dave_1P

    @careyjames

    Thank you for the feedback. Security keys are designed to provide one additional challenge to devices that have never been used to access a user's account before.

    1Password only requires a security key the first time that you authenticate your account on a new device or browser because, once you authenticate that first time, your secret key is saved to your device and that device becomes authorized. Future unlock attempts using that authorized device only require your account password.

    When you use 1Password your data is cached locally on your device. Even if you were to require a security key to unlock the extension or the app, someone who had stolen your account password and who has access to your device could exfiltrate that encrypted cached data and use the account password to decrypt it. The security key plays no role in the encryption of your data, just that initial authentication.

    You can read more about 1Password's security model here:

    If you do want to be required to pass an additional authentication step more frequently, you could look at setting up Duo integration for your 1Password account. Duo is a third-party authentication service; when set up with 1Password, each of your users will be required to re-authenticate each of their devices once every 1 to 30 days (configurable). You can learn more about Duo integration with 1Password in our guide here.

    I hope that helps.

    -Dave
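To make the split Dave describes concrete, here is an added Python model (not 1Password's code; the KDF, the toy cipher and all names are constructed for illustration): the vault key is derived only from the account password and secret key, while the security key gates device authorization. Decrypting the cached blob therefore never involves the security key.

```python
import hashlib
import hmac
import secrets

# Constructed model of the two gates in the thread (not 1Password's implementation):
#  - cryptographic gate: vault key = KDF(account password, secret key)
#  - authorization gate: security key challenged once per new device

def derive_vault_key(account_password: str, secret_key: str) -> bytes:
    # Both secrets feed the KDF; the security key is not an input at all.
    salt = hashlib.sha256(secret_key.encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", account_password.encode(), salt, 100_000, 32)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated stream cipher (SHAKE keystream + HMAC tag), illustration only.
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered data")
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

class Account:
    def __init__(self, password: str, secret_key: str, vault_plaintext: bytes):
        # The encrypted vault is what gets cached locally on each device.
        self.cached_blob = encrypt(derive_vault_key(password, secret_key), vault_plaintext)
        self.authorized_devices: set[str] = set()

    def authorize_device(self, device_id: str, security_key_assertion_ok: bool) -> None:
        # The only place the security key matters: first sign-in from a new device.
        if not security_key_assertion_ok:
            raise PermissionError("security key challenge failed")
        self.authorized_devices.add(device_id)

    def unlock(self, device_id: str, password: str, secret_key: str) -> bytes:
        # On an authorized device the saved secret key plus the password suffice.
        if device_id not in self.authorized_devices:
            raise PermissionError("device not authorized; security key required")
        return decrypt(derive_vault_key(password, secret_key), self.cached_blob)
```

Calling decrypt() directly on cached_blob with the password and secret key succeeds regardless of the authorized-device set, which is exactly the scenario Dave outlines.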