Feature Request: OTP-Support using Yubikey [we're aware of this request]

Double-G
Community Member
edited September 2015 in 1Password 4 for Windows

I'd like to request support for two-factor authentication when opening the 1Password vault.
In addition to the Master Password, a YubiKey OTP should be entered.

It should be easy to implement this in 1Password using an integrated OTP server (one that works offline, with no connection to the YubiCloud).
For mobile devices this will be a hassle if they do not support NFC, but if they do, this should work well with the YubiKey NEO.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Thanks for the feedback, @Double-G!

    We've had a few requests for something like this and while I can't promise anything it is certainly something we're keeping an eye on for the future.

    If you have more feedback, keep it coming :)

  • maara
    Community Member

    This really makes me not want to purchase 1Password... :-(
    I am used to using my YubiKey with KeePass, LastPass, gapps etc., and it would be great if I could use it with 1Password too. Other 2-step auth? No, thanks...

  • Hi @maara,

    We do understand. We would like to add it to 1Password in the future.

    We do explain why we don't have it in the first place here: https://blog.agilebits.com/2011/09/23/two-factor-or-not-two-factor/

  • mstade
    Community Member
    edited October 2015

    I read that article, and the rationale of "it wouldn't add much security" seems like a euphemism for "we really don't see the business value of spending engineering time on it." There are no technical reasons not to include it, as far as I can tell, and so I can only surmise it's a business decision. Hiding that away behind the rationale of "it wouldn't add much security" is disingenuous, because it clearly would. It's true that the master password alone is meaningless without the vault, and the vault is probably difficult to decrypt without the master password. But the vault is not "something you have" in the physical sense, so to liken that to kind-of sort-of 2FA-but-not-really-but-almost is sleight of hand. It's very probable that if you got ahold of someone's vault, the password isn't far away: post-it note on a screen; scribbles in a notebook; file named secrets.txt on the drive, next to the vault. While it can (and is, in the article) be argued that the master password should be strong and not written down and this and that, it's naive to believe users will even want to do this, because of the inconvenience. 2FA would certainly help in this regard, by adding an extra – actually physical – layer of security, meaning all that burden isn't placed on the weak link in the 1Password story: the master password.

    It's fine to decide against 2FA for business reasons, but be honest about it and please don't spread disingenuous FUD.

    (N.B.: FWIW I'm a paying customer, and would love to see Yubikey support.)

  • MikeT
    edited October 2015

    Hi @mstade,

    Yes, it is a business decision on our side, and one thing we said in the article is that we do not like 2FA because it increases the chances of users losing their data far more than someone breaking into their vault. We've already seen many reports that users cannot get into their 2FA-locked services because they lost the 2-factor key.

    We understand the value of these 2FA devices and we would like to consider them for the future, but right now we do not believe there is enough value to support them immediately. We actually had support for them in the past, but it didn't work out well; maybe next time it will.

    By the way, some users are doing this by intentionally pulling the encryption files out of their 1Password data folder and storing them on a USB drive. So, it won't work without manually putting them back before opening the main program. This works for their needs, but we don't recommend it and it has caused problems in the past.

  • fryrpc
    Community Member

    As a LastPass user looking at alternatives, and a 1Password for Windows paid customer, I too would like the ability to use a 2nd Factor.

    To say it increases the risk of a user losing access to their vault - I agree - but some customers are happy to take that risk for the additional security it can provide, and as such we ensure that we have 2nd-factor redundancy (2 YubiKeys, 2 phones with Authenticator, 2 USB sticks with the key file, etc.). Yes, we have been spoilt for choice as LastPass users with 2FA like YubiKey, Authenticator, Sesame USB, Grid, Duo Security, ... but at the end of the day we are storing the crown jewels in our vault and security is our priority.

    My intention is to move away from cloud-based storage (at least cloud storage with the password manager supplier, i.e. LastPass, Dashlane) and to use my personal cloud storage (Microsoft OneDrive) to hold my vault to allow sync between my PCs. As such, I want to be able to have a 2nd factor so that if my vault is captured and my master password too, then I will be protected by my 2nd factor. Even if only my vault was captured, I would be a lot happier from a security point of view knowing that someone trying to gain access using the master password would be thwarted by 2FA.

    I think we have to take the view that the vault will be compromised/copied as it is on the internet - that is the view LastPass took, so the security around gaining access to its contents is paramount.

    Even freebies like KeePass offer 2FA and use it as part of the mix when decrypting - YubiKey HMAC, key file, etc. So you can store the vault on OneDrive and the key file locally (2FA) and use a combination of the master password and key file content to gain access to the vault. Not a great 2nd factor, as the contents are static.
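
As an added illustration of the "master password plus key file" mixing described in the post above (this is example code written for this page, not code from 1Password, KeePass or anyone in the thread): the composite-key construction below is an assumption modelled on the general KeePass-style design of hashing each factor separately and then hashing the concatenation, and the password, key-file bytes and salt are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample inputs (not real secrets).
MASTER_PASSWORD = "correct horse battery staple"
KEY_FILE_BYTES = bytes(range(64))      # stand-in for a 64-byte key file kept only on the local disk
WRONG_KEY_FILE = bytes(64)             # a different key file, to show the vault will not open
SALT = b"constructed-static-salt-16"   # per-vault salt; would be stored next to the vault
ITERATIONS = 100_000                   # PBKDF2 work factor (assumed value)


def composite_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    """Combine the factors the way a KeePass-style composite key does (assumption):
    hash each factor on its own, concatenate the digests, hash once more.
    Omitting the key file yields a different composite, so a vault enrolled with
    password+keyfile cannot be opened with the password alone."""
    parts = [hashlib.sha256(password.encode("utf-8")).digest()]
    if key_file is not None:
        parts.append(hashlib.sha256(key_file).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def vault_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    """Stretch the composite key with PBKDF2-HMAC-SHA256 to produce the 32-byte
    key that would actually encrypt the vault."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, key_file),
                               SALT, ITERATIONS, dklen=32)


def verify_unlock(enrolled_key: bytes, password: str, key_file: Optional[bytes]) -> bool:
    """Constant-time comparison of a freshly derived key against the enrolled one."""
    return hmac.compare_digest(enrolled_key, vault_key(password, key_file))


def unlock_outcomes() -> Dict[str, bool]:
    """Enrol a vault with password+keyfile, then try the combinations an attacker
    who copied the synced vault (but not the local key file) could present."""
    enrolled = vault_key(MASTER_PASSWORD, KEY_FILE_BYTES)
    return {
        "password + correct key file": verify_unlock(enrolled, MASTER_PASSWORD, KEY_FILE_BYTES),
        "password only (vault copied, key file not)": verify_unlock(enrolled, MASTER_PASSWORD, None),
        "password + wrong key file": verify_unlock(enrolled, MASTER_PASSWORD, WRONG_KEY_FILE),
        "wrong password + correct key file": verify_unlock(enrolled, "hunter2", KEY_FILE_BYTES),
    }


if __name__ == "__main__":
    for scenario, opened in unlock_outcomes().items():
        print(f"{scenario:45s} -> {'unlocked' if opened else 'refused'}")
```

The point the post makes about the key file being "static" is visible here: the key file is just a second secret fed into the same hash, so it only helps while it stays off the synced storage and out of the attacker's hands. Nothing in this construction proves the factor is present at unlock time the way a challenge-response device does.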

  • MrC
    Volunteer Moderator

    You have some good points I think.

    Yet, I also think digs, veiled as pseudo-comparisons, such as "even freebies like KeePass offer..." are unrepresentative and unfair because they don't offer any counterbalance, such as "even 1Password offers a native Mac App".

    Every piece of software is going to have its strengths and weaknesses, and each user will select the package that best suits their needs.

    I'm sure the AgileBits folks will have some excellent feedback to provide.

This discussion has been closed.