U2F

Please add support two-factor authentification by u2f(Yubikey's) for web version.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Emulty: It's certainly something we can consider adding in the future, but keep in mind that the Account Key already serves as a second factor ('something you have') which is actually used to encrypt your data, rather than just a 'yes/no' token. Thanks for letting us know you'd like dongle support as well! :)

  • peterjosling
    peterjosling
    Community Member

    I'd love this too — I've just switched from syncing with Dropbox to a Family account, and it does worry me that every detail required for accessing my vaults online (email/account key/master password) can be phished/keylogged/extracted from the browser. I get that 2FA doesn't help with vault's encryption, but it would be great to have an extra factor required for downloading the vault data on new devices in the first place.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @peterjosling: It's something we're considering for 1Password Teams. Just keep in mind that multifactor won't protect you if the device you enter them into is already compromised: someone could just as easily capture the token along with your email address, Account Key, and Master Password in that case. Thanks for letting us know this is a feature you'd like us to add! :)

  • peterjosling
    peterjosling
    Community Member

    @brenty Sure — but U2F protects against other vectors, as it's tied to a specific domain (so phishing sites can't use it) and it doesn't act as a keyboard (so can't be read with a keylogger). And the key represents something physical, that can't be cloned — vs. a pair of strings which can be infinitely copied. Phishing is the bigger concern here — how long is it gonna be before cloned Teams login pages start popping up across the web? Obviously it's important to be extremely vigilant and check URLs when logging in, but if you start to do it regularly you're going to start getting numb to it and get sloppy. We're all human and mistakes happen.

    I love 1Password to bits — having proper second factor authentication for web access would be great though.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @brenty Sure — but U2F protects against other vectors, as it's tied to a specific domain (so phishing sites can't use it) and it doesn't act as a keyboard (so can't be read with a keylogger). And the key represents something physical, that can't be cloned — vs. a pair of strings which can be infinitely copied. Phishing is the bigger concern here — how long is it gonna be before cloned Teams login pages start popping up across the web? Obviously it's important to be extremely vigilant and check URLs when logging in, but if you start to do it regularly you're going to start getting numb to it and get sloppy. We're all human and mistakes happen.

    @peterjosling: You're absolutely right! Phishing is a big problem, and that's why 1Password will only offer any given login if the URL matches. You actually make a good argument not only for MFA, but also using 1Password itself to login to 1Password Teams — especially if it's something you do regularly.

    However, both MFA and 1Password's own defenses against phishing won't help if the computer is owned by someone malicious, because they could simply install a fraudulent root CA to and present a phishing site with a trusted URL. So while there are things we can do to try to guard against these attacks, ultimately vigilance will always be our best ally.

    I love 1Password to bits — having proper second factor authentication for web access would be great though.

    Thanks! We'll see if we can grant this wish! :)

This discussion has been closed.