Why is 1Password not asking for my FIDO2 PIN? + Feature Request

No user verification?

I've recently started using a YubiKey (5 Series), for which I've set a FIDO2 PIN. The purpose of the FIDO PIN is User Verification, isn't it? Neither signing in on macOS nor on Android prompts me for the FIDO PIN. This suggests that 1Password uses WebAuthn userVerification with discouraged instead of preferred. Is that so? If so, why diverge from the standard?

Benefit of user verification

The use case behind user verification is simple, isn't it? A touch or button press alone does not verify that the person using the physical security key is legitimate. If, let's say, someone purposefully steals my YubiKey (and somehow they managed to get my other credentials: email, master password and secret key), the physical security key itself doesn't provide any security anymore. I.e., the security value of said key would be solely in the hurdle of getting physical access to it. Therefore, the FIDO PIN is very much useful to prohibit invalid use of a physical security key, even if someone has illegitimate possession of it.

Feature request

Hereby I'd like to submit the following user stories to increase 1Password's product value.

User story 1

As a Personal Password Manager client
I want to be prompted for the FIDO PIN of my physical security key
at least on the first time authorizing a new or previously deauthorized device
so that the WebAuthn User Verification decreases the risk of illegitimate sign-ins,
while not impacting the user experience on already authorized devices.

User story 2

As a Personal Password Manager client
I want to configure whether the FIDO PIN of a physical security key is prompted for
a) only once on initial authorization of a new or previously deauthorized device or
b) with every sign in
so that I have the benefit of user verification while
a) opting for a better user experience on already authorized devices or
b) opting for a worse user experience for the sake of more security.

Btw., I am aware that the "always require user verification" feature does not work on the Series 5 ("ERROR: Always Require UV is not supported on this YubiKey."; see https://docs.yubico.com/software/yubikey/tools/ykman/FIDO_Commands.html#ykman-fido-config-options-command-args).


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
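The OP's question turns on the relying party's choice of the WebAuthn `userVerification` option and on whether the server actually checks the result. The following is an added example (not 1Password's code and not from anyone in this thread) showing both halves: the assertion options a relying party sends to `navigator.credentials.get()`, and the server-side check of the UV (user verified) bit in the returned authenticatorData. The `rpId` "example.com" and the `sampleAuthData` helper with its constructed bytes are assumptions for illustration; the rpIdHash comparison and signature verification that a real relying party must also perform are left out to keep the focus on the UV flag.

```javascript
// Added example, not 1Password's code: how the WebAuthn userVerification
// policy is requested and how a relying party must confirm that user
// verification (e.g. the FIDO2 PIN) actually happened.

// Client side: the option the OP is asking about.
//   "discouraged" - the browser will not ask for the PIN
//   "preferred"   - the PIN is asked for if the authenticator has one set
//   "required"    - the assertion fails if no user verification is done
function assertionOptions(challenge, userVerification = "preferred") {
  return {
    publicKey: {
      challenge,            // server-generated random bytes (assumed 32 bytes)
      rpId: "example.com",  // assumed relying-party id for this example
      userVerification,     // "discouraged" | "preferred" | "required"
      timeout: 60000,
    },
  };
}

// authenticatorData layout (WebAuthn Level 2, section 6.1):
//   bytes 0..31  rpIdHash (SHA-256 of rpId)
//   byte  32     flags: bit0 UP (user present), bit2 UV (user verified),
//                bit6 AT (attested credential data), bit7 ED (extensions)
//   bytes 33..36 signCount, big-endian uint32
const FLAG_UP = 0x01;
const FLAG_UV = 0x04;

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const signCount = new DataView(
    authData.buffer, authData.byteOffset + 33, 4
  ).getUint32(0, false);
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount,
  };
}

// Server side: asking for "required" in the options is not enough on its
// own; the relying party must check the UV flag in the signed authData,
// because that flag is what the authenticator actually attests to.
function checkUserVerification(authData, policy) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: "user presence flag not set" };
  }
  if (policy === "required" && !parsed.userVerified) {
    return { ok: false, reason: "user verification required but UV flag not set" };
  }
  // With "preferred" or "discouraged" the assertion is accepted either way;
  // the caller can still record whether a PIN/biometric was used.
  return { ok: true, userVerified: parsed.userVerified };
}

// Constructed sample authenticatorData for testing: all-zero rpIdHash,
// the given flags byte, and signCount 7. Not a real authenticator response.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}
```

A touch-only assertion (UP set, UV clear) passes under "preferred" but is rejected under "required"; a PIN-then-touch assertion (UP and UV set) passes both. This is the difference the OP describes between a service that accepts the key by possession alone and one that insists on the PIN.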

Comments

  • 70853n
    Community Member

    No one cares? All services where I encounter the possibility to add a FIDO key ask for the FIDO PIN, except for 1Password.

  • LeonidOrlov
    Community Member

    Was surprised to find the same issue today, but I found out that the PIN is required in Safari, but not in Google Chrome. It definitely needs to ask for a PIN in all browsers.

  • fernando91
    Community Member
    edited 6:35PM

    I absolutely agree with the OP.

    Considering the importance of 1Password authentication, they should absolutely force the requirement of a FIDO2 PIN.

    // as a side note, I'm very surprised there's no way for the user to globally enable this requirement - it appears to be an issue with the FIDO2 spec itself. Whatever service does the authentication determines whether a PIN is needed.