Feature Request: YubiKey Support

Comments

  • ContinuIT
    Community Member

    Hey Guys,

    I would really love a feature whereby whilst my USB "key" (don't really care what kind) is inserted in my Mac/PC/whatever that 1password could be configured to remain unlocked while it was there (or at least allow me to set an extended unlock period if the key was present). On removal, lock 1Password. This would be SOOOOOOO great and save me having to enter my absolutely massively overly complex 1password password multiple times a day.

    Love your product and recommend it on almost a daily basis - where's my free lunch :)

    Cheers,
    Glenn

  • Megan
    1Password Alumni

    Hi Glenn (@ContinuIT)

    Thanks for the kind words and support! I've merged your request with an already existing discussion. It hasn't seen a lot of action lately, but our developers are certainly keeping this idea on their radar. ;)

  • khad
    1Password Alumni

    Please do keep in mind that as Jeff mentioned above (way back in August 2011) for MFA to work it would need to be required on all platforms. A USB key gets a lot trickier on mobile devices.

  • root
    Community Member

    I'd like to add my voice to those requesting yubikey support. I love 1password and everyone at AB. I recommend 1P to everyone and everywhere, but recently our company decided on another solution (rhymes with fastpass :p) because it supported physical tokens and that was a requirement.

    I totally understand the issues around 1password and a physical token, especially with mobiles, but having support for it would make the product a better contender.

    Keep up the great work, you all rock!

  • khad
    1Password Alumni

    Thanks for your kind words and support, @root!

    Multistep authentication has clear and obvious security benefits. So it is more than natural for people to ask why 1Password doesn’t employ it. We're planning to write a more detailed explanation of our developing thoughts on it, but let's discuss the difference between authentication and decryption.

    When you connect to some service, like Dropbox, you or your system has to prove that it really has the rights to log in as you. That process is called “authentication”. It is the process of proving to the Dropbox servers in this case that you are really you. You can do this through a username and password; you can do this through a username, password, and code sent to your phone; you can do this by having a particular “token” stored on your computer. Authentication always involves (at least) two parties talking to each other. One party (the client) is under your control; the other (the server) is under someone else’s control.

    1Password, however, involves the 1Password application (under your control) talking to your 1Password data (under your control) on your local disk (again, under your control). This is not an authentication process. So 1Password doesn’t even do one-step authentication. It does no authentication at all. 1Password doesn’t gain its security through an authentication process. Instead the security is through encryption. Your data on your disk is encrypted. To decrypt it you need your 1Password master password.

    There are great advantages to this design: Your data and your decryption of it doesn’t require our participation in any way once you have 1Password. Your data is yours. Even if AgileBits were to get abducted by aliens tomorrow, you would still have access to your data since we never store it on our servers.

    However, one disadvantage of this design is that the kinds of techniques used for multi-step authentication are entirely inapplicable to 1Password. Those techniques are designed to add requirements to an authentication process, but unlocking your 1Password data is not an authentication process at all. Because there is no 1Password "server", there are no (additional) steps we can insist on as part of a (non-existent) login process.

    1Password is decrypting data stored locally on your system, it is not authenticating against some service. So in truth, we don't even have 1 factor authentication, as there is no authentication in the first place. So typical approaches to MFA won’t work.

    However that doesn't mean that it is impossible for us to do something that looks like MFA. There are roughly two approaches (each simpler than PKI). One of them is key splitting. That is, the result of processing your Master Password doesn't actually get you a working key to decrypt further; instead that result would need to be XORed with another 128-bit key. So it is simply a case of storing that other "half" of the key on some other device. 1Password would need to be able to read that device, which may be tricky on iOS, but it isn't insoluble.

    The other approach would be to move the keyfile. 1Password (on the desktop) has a file called encryptionKey.js. That file contains an encrypted key, which is what gets decrypted by the key derived from your master password. That file (and some backups of it) are part of your 1Password.agilekeychain (which is actually a folder bundle, which looks like a single file on the Mac). It would be possible for us to allow that file (and its backups) to reside on some device or location. Both that file and the Master Password are required to get any further.

    We are more inclined to do key splitting rather than having a movable keyfile.

    The real technical difficulty is getting this to work on every platform. Again, because this is all about data decryption and not authentication, we can't just implement this on one platform (if it were to be anything other than just for show). So while this isn't insurmountable it means that even the "simple" approaches that I described would be tricky.

    But the real reason that we haven't put in substantial effort in that direction is because for every case where someone reports that their computer or device has been stolen, we get probably a hundred more of "I forgot my Master Password" or "I damaged my data and didn't have usable backups". My fear is that key splitting or keyfile moving wouldn't just double the rate of people getting locked out, but would increase it much more. The threat of data loss becomes very substantial.

    Again, because we aren't running a system that people authenticate against, there is nothing we can do to help people recover their data if they damage a key or forget their Master Passwords.

    Now of course we could make it an advanced option with lots of warnings, but we know that people will always dial up security settings to 11 whether it is in their interest or not. Remember that 1Password is a mass market product. It's great that security geeks use and respect it, but we don't want to give our users rope to hang themselves with.

    I'm just spelling out why, to date, we have resisted calls for MFA. It's harder to get right for a decryption system than for an authentication system, and we think that it might do more harm than good.

    None of this is written in stone. The threat landscape, patterns of usage, and device capabilities change. So while there are no immediate plans to add this, we are leaving the door open in the design of our new data format.
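    The key-splitting approach described in the post above, as an added Python sketch that is not part of the original post and is not AgileBits code. The KDF (PBKDF2-HMAC-SHA256), the iteration count, the HMAC key-check value and all function names are assumptions made for the illustration; the sample password is constructed.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16          # 128-bit halves, as in the post
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def derive_password_half(master_password: str, salt: bytes) -> bytes:
    """Stretch the Master Password into a 128-bit value (assumed KDF)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, ITERATIONS, dklen=KEY_LEN
    )


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("halves must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(key: bytes) -> bytes:
    """Tag kept with the data so a wrong key is detected locally, with no server."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def enroll(master_password: str):
    """Return (salt, device_half, check). device_half is stored on the other device."""
    salt = secrets.token_bytes(16)
    device_half = secrets.token_bytes(KEY_LEN)
    working_key = xor(derive_password_half(master_password, salt), device_half)
    return salt, device_half, check_value(working_key)


def unlock(master_password: str, salt: bytes, device_half: bytes, check: bytes):
    """Recombine both halves; return the working key, or None if either is wrong."""
    candidate = xor(derive_password_half(master_password, salt), device_half)
    return candidate if hmac.compare_digest(check_value(candidate), check) else None


def demo():
    password = "correct horse battery staple"  # constructed sample
    salt, device_half, check = enroll(password)
    both = unlock(password, salt, device_half, check)
    wrong_password = unlock(password[:-1], salt, device_half, check)
    # Lost or replaced device: a fresh 128-bit value cannot stand in for the old one.
    lost_device = unlock(password, salt, secrets.token_bytes(KEY_LEN), check)
    return both is not None, wrong_password is None, lost_device is None


if __name__ == "__main__":
    print(demo())
```

    Because the device half is uniformly random, the working key is too, so someone holding only the encrypted data cannot test Master Password guesses against the check value. The `lost_device` case is the lockout risk the post raises: with no server, nothing can regenerate a missing half.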

  • poof
    Community Member

    You are using the wrong terminology. Authentication is about verifying that you are who you say you are. Authorisation is about being granted access to data you are allowed to access. While 1Password doesn't do authentication, it does do authorisation. It grants you access to your datastore via a password. Since the datastore is also encrypted it does another thing: decrypt it so you can read and write. For this discussion the decryption part is irrelevant.

    The problem with 1Password is that there is only 1 layer of security: a password. Those can be weak. People here want to use something like a YubiKey or whatever to add an additional layer of security. The password for the datastore alone isn't enough, it requires the correct response to some kind of challenge code. There are quite some reasons to do it this way (device gets stolen, somebody is using your account to do some work, pull up a website; setting a different password for 1Password than for your user account for the computer helps in the latter but it doesn't take away the concerns in the former scenario).

    The real question is: how can 1Password be made more secure by adding an additional security layer without breaking usability too much? And the answer to that could simply be "we are not going to because it is not our intent to be a full fledged max security product, we only want to make it easier to manage your passwords for the forums you visit". You could also be a lot more vocal about people setting up strong passwords (you guys did that via your blog in the past but it is too techy for the masses). Until then, 1Password isn't a professional/high end security product and should not be treated as such (you may have to ask yourself the question if you should use it to store things like bank and credit card accounts).

  • benfdc
    Community Member
    edited December 2013

    From @Khad in #41:

    We are working on some 1Password socks that will analyze your feet to authenticate you. They are mighty soft (and fuzzy).

    It's been over three years since that post, but all I see in the Agile Goods Store are t-shirts. With hardware support for bluetooth 4.0 now pretty much ubiquitous, the lack of a USB port on iOS devices is no longer a concern. What’s the hold-up here?

    Also, why are the men’s tees only available in S, XL, and XXL?

  • jpgoldberg
    1Password Alumni

    I would quibble with @poof over the appropriateness of "authorization" to describe what 1Password does, but the labels don't matter that much, it's the overall concept.

    To get what looks like 2FA with 1Password is a very different thing than how it is usually done. And this is exactly because there isn't an authentication process. It is sometimes (though not always) a mistake to think that an extra layer adds meaningful security. For example, double encryption does far far less than simply improving one's password by a single character. That is, one 42 bit password is stronger than layering two 40 bit passwords. I'm not saying that adding an additional layer through key splitting wouldn't be adding meaningful security, but unless it is done right, it may be more security theater than actual security.

    @benfdc is correct that the ability to get data via sneakernet to iOS and Android devices is easier than ever. So this changes the situation from "not practical" to "not implausible". The fact of the matter is that we don't know in detail what difficulties we face until we try. And on that, the "hold up" is priorities.

    I started playing with a YubiKey some months back, just to get an idea of the protocol. But once it became clear that there wasn't any scenario in which key splitting could make it into the initial releases of 1Password 4, it fell back into the "well we might explore this further down the road."

    The biggest case for key splitting is that in 1Password, as in any well designed crypto system, the weakest point is people's Master Password. And so building up defenses there is what makes the most sense, and key splitting is one approach. But we need to make it reliable and easy enough so that it will work for the people who need it most. If it takes some expertise to set it up and manage it, then it will be used correctly only by those people who already know to use a strong Master Password.

    Anyway, as you see, I am arguing both sides here. And let me add, that from a cryptographic point of view, key splitting is very attractive. The cryptography is simple, elegant, and powerful. It's the key management that gets messy.

    Merry Boxing Day!

    -j

    –-
    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
    http://agilebits.com

  • benfdc
    Community Member
    edited December 2013

    But we need to make it reliable and easy enough so that it will work for the people who need it most. If it takes some expertise to set it up and manage it, then it will be used correctly only by those people who already know to use a strong Master Password.

    That’s a very powerful point IMO.

    @Poof wrote:

    The real question is: how can 1Password be made more secure by adding an additional security layer without breaking usability too much? And the answer to that could simply be "we are not going to because it is not our intent to be a full fledged max security product, we only want to make it easier to manage your passwords for the forums you visit".

    I don't agree with that framing of the issue. I see the real question as being whether adding YubiKey support would increase or decrease security across the user base. I find it very plausible that YubiKey support would decrease security for the majority of 1Password users by greatly increasing the risk of losing access to one’s data. A YubiKey is like a handgun in that respect. In well-trained hands, it affords enhanced protection. In less than well-trained hands, well, maybe you’d be safer without it.

    One approach to reconciling these competing concerns might be to make two-factor authentication available as an in-app purchase for a more-than-nominal sum. Lots of ramifications, but part of the point would be to dissuade casual users from activating the feature.

    I wonder how much real-world data is out there addressing this point. Have vendors like LastPass published any reports on how 2FA is working out for their user base? It would be very interesting to know what percentage of YubiKey users have gotten themselves into trouble.

  • poof
    Community Member

    Thanks jpgoldberg for your answer. We mustn't think that adding an additional layer of security will actually make things safer, it is something that you need to look into. As for the 2FA people here seem to want: Dutch banks use it for example. You have this challenge code you get before each payment. The payment only passes when you enter the correct challenge code. This system has been researched and proven to be the safest there is at the moment (you need to have the username, password, bank card and the challenge code generator). Funny thing is, 1Password uses this in version 3 for iOS (you use a pin code to enter the app but you need to enter the master password when opening the high security entries). The reason why people want it is probably because they know passwords suck in general.

    So to compare it with the handgun: if you are going to hand out handguns give people training so they can properly use them and put a safety pin in place so they don't accidentally go off.

    The major thing I wanted to point out is if it is even necessary to have something like this. 1Password isn't an application for military secrets. Most people use it for storing all their login data for forums and such. How much security does one need for storing such information? Personally I think that having just a password is enough for that (especially if you use a different password than for your user account on the computer). Use the appropriate security measure for your data.

This discussion has been closed.