Why is 1Password not asking for my FIDO2 PIN? + Feature Request

No user verification?

I've recently started using a YubiKey (5 Series), for which I've set a FIDO2 PIN. The purpose of the FIDO PIN is User Verification, isn't it? Neither signing in on MacOS nor on Android prompts me for the FIDO PIN. This suggests that 1Password uses Webauthn userVerification with discouraged instead of preferred. Is that so? If so, why diverging from the standard?

Benefit of user verification

The use case behind user verification is simple, isn't it? A touch, or button press alone does not verify the person using the physical security key is legitimate. If, let's say, someone purposefully steals my YubiKey (and somehow they managed to get my other credentials, email, master password and secret key), the physical security key itself doesn't provide any security anymore. I.e. the security value of said key would be solely in the hurdle of getting physical access to it. Therefore, the FIDO PIN is very much useful to prohibit invalid use of a physical security key, even if some one has illegitimate possession of it.

Feature request

Hereby I'd like to submit the following user stories to increase 1Password's product value.

User story 1

As a Personal Password Manager client
I want to be prompted for the FIDO PIN of my physical security key
at least on the first time authorizing a new or previously deauthorized device
so that the Webauthn User Verification decreases the risk of illegitimate sign ins,
while not impacting the user-experience on already authorized devices.

User story 2

As a Personal Password Manager client
I want to configure whether the FIDO PIN of a physical security key is prompted for
a) only once on initial authorization of a new or previously deauthorized device or
b) with every sign in
so that I have the benefit of user verification while
a) opting for a better user-experience on already authorized devices or
b) opting for a worse user-experience for the sake of more security.

Btw. I am aware that the always require user verification feature does not work on the Series 5 (ERROR: Always Require UV is not supported on this YubiKey.)(https://docs.yubico.com/software/yubikey/tools/ykman/FIDO_Commands.html#ykman-fido-config-options-command-args).


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • 70853n
    70853n
    Community Member

    No one cares? All services where I encounter the possibility to add a FIDO key ask for the FIDO PIN, except for 1Password.