1Password and U2F
I know there has been some discussion in the past about Yubikey's. I wanted to ask if the folks at Agilebits felt that the new U2F (2 Factor) standard could be a possibility for 1Password. As I understand it, the reason that Agilebits has shied away from Yubikey's in the past is it needs an internet connection to validate against a third party server. If I understand U2F correctly, its possible that 1Password could locally implement the standard. Does U2F open up a new possibility for 2 Factor authentication for 1Password?
Comments
-
The short, but confusing answer, is that 1Password doesn't involve an authentication process, and therefore doesn't even have one factor authentication. There is no authentication process to which we can add a(n additional) factor.
Because there is no authentication (instead everything is encryption), your Master Password and data don't face the same kinds of threats that you might see an an authentication based system. And so there is less need for something that looks like 2FA for 1Password.
There still is a case that can be made for some sort of two-factor unlocking. But it can't be implemented in the way that most two-factor authentication systems are. We've got ideas, but it means some changes to the data format, major UI development (because the second factor would be needed everywhere you use 1Password but can't be synched the same way that your data is syched), and a lot of extra caution about how if you lose or damage your second factor there is absolutely no way to unlock your data. So it is something that needs to be approached very cautiously.
0 -
@jpgoldberg, thanks for the honest and detailed response! Obviously you are intelligently considering the situation and I look forward to what the future has in store for 1Passwrod.
0 -
Hi @incorvia,
On behalf of @jpgoldberg, thank you!
Please let us know if there's anything else that we can assist you with :smile:
Cheers!
Rad
0
