Using Security Key for 2-Step Verification


Comments

  • khad
    1Password Alumni
    edited June 2015

    Good question, @RicardoW!

    Normally, when folks talk about "two factor" they are using the term as shorthand for two factor authentication.

    1Password protects your data using encryption, not authentication. So in a very real sense, 1Password doesn't even do one factor authentication. There is no authentication at all. I encourage you to read our article about the distinction here:

    Authentication vs. Encryption

    In another sense, though, you are completely correct. No one can access your sensitive data stored in 1Password unless they have both (1) the encrypted data and (2) the Master Password that will decrypt the data.

    Think of it like a vault in real life. If you don't have the vault, you can't get the contents inside it. If you have the vault but don't know the combination to unlock it, you can't get the contents inside it. The analogy falls apart since it is possible to bypass the combination and break into the vault in real life by other means. With encryption, the only way to get the data is to use the Master Password.

    Now, there are automated tools to guess Master Passwords (and 1Password is designed to withstand even sophisticated attacks), but they do have to actually know the Master Password to decrypt the data. There is no other way to get the data into a usable form than through the mathematical computations that combine the Master Password with the encrypted data and produce the decrypted data.

    There is no gatekeeper that can be "tricked" (a crude way of explaining one of the threats to an authentication-based system).

    I hope that helps a bit, but I think the aforelinked Authentication vs. Encryption article explains it much better than I just did. :)

  • RicardoW
    Community Member

    I understand the difference between authentication and encryption.

    In this case, what is being encrypted is a password - an authentication token for a third party site. It is really the third party site (e.g. my bank account) that I am interested in protecting, and by using an auto generated password which is only accessible by having the two factors, I am decreasing the risk - my first authentication token (the password) is protected by two encryption factors.

    Combining that with a second authentication factor (I use Authy where possible) on a different device, I have a fairly secure system.

  • khad
    1Password Alumni

    1Password itself does no authentication. But you are correct: 1Password stores — encrypted — the passwords you use to authenticate at various websites. On those websites (where they are using authentication-based systems), you can choose to enable a second authentication factor.

    It's just not common to refer to the encrypted data and the decryption key as "factors" since that's just how encryption works. :)

  • RichardPayne
    Community Member

    @RicardoW that is true, provided that your data never leaves your devices. If you use Cloud sync then it's best to not assume that their security is effective.

  • RicardoW
    Community Member

    Correct. I don't use iCloud sync for that very reason.

    Essentially 1Password avoids the authentication issue by offloading the problem to Apple or Dropbox.

    Securesafe have a pretty nice solution imo, but it's not free so I don't use it!

  • wkleem
    Community Member

    The iOS 9 Preview will have 2FA and 6 digit PIN codes. No new phones. It will work on existing models supported by iOS 8.

  • RichardPayne
    Community Member

    iOS is still on 4 digit PINs? WOW!

  • wkleem
    Community Member
    edited June 2015

    If Apple up to iOS 8 is still using 4 digit PINs, what about Dropbox et al., which have a simple PIN for security... on iOS?

  • AGAlumB
    1Password Alumni

    iOS is still on 4 digit PINs? WOW!

    @RichardPayne: Only for those who choose the weaker security. "Like an animal." But yes, it's an option (Settings > Touch ID & Passcode > Simple Passcode). Yuck.

    If Apple up to iOS 8 is still using 4 digit PINs, what about Dropbox et al., which have a simple PIN for security... on iOS?

    @wkleem: I'm not quite sure what you're asking here, so maybe you can elaborate. I've used a long passcode on my iOS devices since at least iOS 5 (I can't remember back any farther...) on the iPhone 4. That was a bit of a chore sometimes, but I'd rather not have my phone easily unlocked if it's lost or stolen. Touch ID is only, like, the best thing ever.

  • wkleem
    Community Member

    Hi

    I'm not quite sure what you're asking here, so maybe you can elaborate. I've used a long passcode on my iOS devices since at least iOS 5 (I can't remember back any farther...) on the iPhone 4. That was a bit of a chore sometimes, but I'd rather not have my phone easily unlocked if it's lost or stolen. Touch ID is only, like, the best thing ever.

    I was thinking about simple PINs on Dropbox, etc.

    How do I set a four-digit passcode on my phone or tablet?

    https://www.dropbox.com/help/227

    Is Dropbox or other apps' ability to set simple PINs dependent on Apple, because Apple up to iOS 8 has been able to set only 4 digit PIN codes?

    I looked at restricting some iOS settings (Deleting Apps etc) and I'd need to enter a 4 digit PIN independent of the Simple/Complex PINs in TouchID and Passcode inside Settings.

    I haven't noticed any other apps with the ability to set 6 digit PIN codes without an Authenticator App.

  • AGAlumB
    1Password Alumni

    @wkleem: Indeed. Confusingly this is completely unrelated to iOS, as even with a long passcode (i.e. Simple Passcode off) on the device, Dropbox only allows you to set a 4-digit PIN, which is separate from the device passcode.

    Frankly, it seems a bit superfluous, since a stronger device passcode can keep someone from even getting to the Dropbox app to try to guess its PIN.

    Ultimately I think the combination of Simple Passcode off and Erase Data on (after 10 failed attempts) is a great way to keep someone out of all of your iOS apps. And even if someone gets your phone while unlocked, they'll need your Master Password to unlock 1Password as well. (Lock on Exit, and/or a short Auto-Lock timer!)

  • imajes
    Community Member

    @Khad, @jpgoldberg: thanks for all the good comments in this thread, and apologies for once again dredging it up, however...

    One of the reasons I've been re-researching yubikeys is for the exact reason you alluded to - what happens if I kick the bucket? I have all of my accounts and other data stored here; I'd like to be able to allow my executors to gain access to my accounts, without compromising the security of them whilst I am alive (such as a printed copy of the password would).

    Since you are using Key Wrapping, I do wonder if it'd be possible (say, when creating a vault) to allow you to provide 1-n decryption keys, where you then store the encrypted key material with each possible pair (and I'd assume you'd top out n as pretty low, to prevent the combinatorial effect). That way, as long as you had a valid pair of your identity (which could, then, vary per device), you're able to get into your key, thus your 1pw database.

    NB: I'm not 100% sure if having the same material encrypted with different keys will actually decrease its security by helping a bad actor brute force --- it may, but I don't think by enough to make this a bad idea.

    I'd like to have a known key entrusted to a third party which I use for my vault, as well as another token I'd use for desktop use, etc. My mobile device could be my master password plus something tied to Touch ID, or similar.

    Is something like this viable? I'd definitely pay extra for the 1pw-works-when-I'm-dead feature. :)

  • RichardPayne
    Community Member

    @imajes I'm confused as to how a Yubikey would help with accessing your vault when you die; unless you're suggesting the complete replacement of the master password with the Yubikey token which seems like a bad idea to me.
    Could you enlighten me?

  • AGAlumB
    1Password Alumni

    @imajes: As it stands, there is no 3rd party which has your data or its keys, unless you arrange this yourself. That's just not how 1Password works. But it's definitely a problem looking for a solution. We're not getting any younger, after all! We'll continue to explore this and see what we can come up with. Thanks for bringing this up! :)

  • wraith
    Community Member

    I wanted to revisit the 2FA discussion a little. I'm a big fan of the idea of implementing 2FA into my encryption/decryption, but I understand and agree with this discussion of the complexities.

    I just wanted to point out that the Yubikey NEO can be used as an OpenPGP device. I realise that there are still complexities of cross-platform etc but something like that could work as a way to reliably manipulate your master password and then spit the result of THAT into 1Password?

  • AGAlumB
    1Password Alumni

    @wraith: Indeed! I'm not sure that YubiKey in particular is a good fit for most 1Password users, but this is definitely something that I appreciate as a nerd. We'll be watching this space as well to see if there's something that could work well in conjunction with 1Password. Cheers! :)

  • imajes
    Community Member

    @RichardPayne: the suggestion was to have multiple pairs of keys that would each be possible keys to decrypt the info. (Yes, it's going to slow down the initial login phase while it tests each pair, but since that is just decrypting the master encryption keys, that would be a small loss.) Why is this useful? You could use your master password (plus some other factor), and if you died, your data would still be accessible because you could store an 'alternative' key with your will, etc. Keys could be passwords, NEO static keys, etc.
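
    The multi-slot key wrapping that imajes sketches above (and in the earlier post about providing 1-n decryption keys), written out as an added illustrative example for this thread; it is not 1Password's code or vault format. It assumes a PBKDF2-derived key-encryption key per slot and uses an HMAC-SHA256 counter-mode keystream with a separate HMAC tag as a stand-in for a real authenticated key wrap (a production design would use AES-GCM or RFC 3394 AES Key Wrap); all function names and the slot layout are made up here. The "tests each pair" step is the tag check: a slot whose tag verifies is the one this secret opens.

```python
import hashlib
import hmac
import os
import secrets

# Illustrative multi-slot key wrapping (constructed for this example, not 1Password's
# format). One random data key protects the vault; each "slot" holds that data key
# wrapped under a key-encryption key (KEK) derived from one passphrase or static token.

KEY_LEN = 32


def derive_kek(secret: bytes, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit KEK from a passphrase or token with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=KEY_LEN)


def _subkeys(kek: bytes):
    """Split the KEK into independent encryption and MAC keys (domain separation)."""
    enc = hmac.new(kek, b"slot-enc", hashlib.sha256).digest()
    mac = hmac.new(kek, b"slot-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher in this example."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, data_key: bytes) -> dict:
    """Encrypt-then-MAC the data key under one KEK; returns one slot (salt added by caller)."""
    enc_key, mac_key = _subkeys(kek)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data_key, _keystream(enc_key, nonce, len(data_key))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap_key(kek: bytes, slot: dict):
    """Return the data key if this KEK opens the slot, else None (tag check fails)."""
    enc_key, mac_key = _subkeys(kek)
    expected = hmac.new(mac_key, slot["nonce"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    stream = _keystream(enc_key, slot["nonce"], len(slot["ct"]))
    return bytes(a ^ b for a, b in zip(slot["ct"], stream))


def add_slot(vault: dict, data_key: bytes, secret: bytes) -> None:
    """Wrap the existing data key under one more secret, e.g. a key left with an executor."""
    salt = os.urandom(16)
    kek = derive_kek(secret, salt, vault["iterations"])
    vault["slots"].append({"salt": salt, **wrap_key(kek, data_key)})


def create_vault(secret_list, iterations: int = 200_000):
    """Generate a fresh data key and wrap it once per supplied secret."""
    data_key = secrets.token_bytes(KEY_LEN)
    vault = {"iterations": iterations, "slots": []}
    for secret in secret_list:
        add_slot(vault, data_key, secret)
    return vault, data_key


def open_vault(vault: dict, secret: bytes):
    """Try every slot; the MAC tag tells us which one (if any) this secret opens."""
    for slot in vault["slots"]:
        kek = derive_kek(secret, slot["salt"], vault["iterations"])
        data_key = unwrap_key(kek, slot)
        if data_key is not None:
            return data_key
    return None


if __name__ == "__main__":
    # Constructed sample secrets: an everyday master password plus an executor's key.
    vault, data_key = create_vault([b"my master password", b"executor-key-in-will"], iterations=50_000)
    assert open_vault(vault, b"my master password") == data_key
    assert open_vault(vault, b"executor-key-in-will") == data_key
    assert open_vault(vault, b"guess") is None
    print("both secrets recover the same data key; a wrong one opens nothing")
```

    Each slot has its own salt and KEK, so the wrapped copies are independent ciphertexts of one random key. The caveat for anyone holding the vault file offline is that every slot is attackable on its own, so the weakest secret in any slot sets the security floor: an executor's slot must be as high-entropy as the master password, and a slot should be removed and the data key re-wrapped if that secret is ever exposed.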

  • imajes
    Community Member

    and, @brenty, I think a much wider group of people are used to using SecurID or similar tokens to use corporate resources. I doubt something like this would be a leap for many people. Getting people to switch to it may be the uphill battle, but that's just a marketing problem. :chuffed:

  • AGAlumB
    1Password Alumni

    and, @brenty, I think a much wider group of people are used to using SecurID or similar tokens to use corporate resources.

    @imajes: In a corporate environment, I think you may be right. But 1Password is primarily geared toward individuals, and...let's face it, even most people who are accustomed to using a token for work are glad to be unshackled to one in their personal lives.

    I think that there's always a case to be made for increased security, and that seems to be at the heart of your request. However, you're also correct that getting people to adopt more secure practices can be a struggle. Ultimately better security doesn't help if no one is willing to use it, so we need to work to offer solutions that people will actually use. The good news is that over time we're all becoming more accustomed to jumping through hoops (and also growing to appreciate the need to do so), and as a result security measures that we may have balked at 10 years ago seem less unreasonable. ;)

  • wraith
    Community Member

    @brenty Actually, I would have said that Yubikeys are exactly perfect for non-technical people. Sadly I don't think that extends to the OpenPGP side of their implementation with the NEO, but the best thing about the Yubikey is that it's so easy (and cheap). I can prove I have it by the simple press of a button, how much easier can it get? :)

  • AGAlumB
    1Password Alumni

    I can prove I have it by the simple press of a button, how much easier can it get? :)

    @wraith: Oh absolutely! That part's easy. The problem is setting it up and helping people understand why they need it. And if you think this last bit isn't important, consider what happens if someone thinks they'll be able to recover from losing it. It's ingenious, but not everyone readily grasps the concept, though that may change in time. We can each send one to our moms and compare notes. ;)

  • wraith
    Community Member

    @brenty I keep toying with the idea of giving them to all my family for Christmas :) Last year I decided it wasn't ready yet; there's just not enough places to use them. This year with U2F it's looking better, but I fear it's still not ubiquitous enough for them to bother yet.

  • AGAlumB
    1Password Alumni

    Indeed! With Google supporting U2F, it is considerably more useful...but then again Google is a bit on the geeky end of the spectrum. If Yahoo and Microsoft add support there might be a greater usefulness for the general public. ;)

This discussion has been closed.