U2F support for Yubikey [under consideration for memberships; not applicable to standalone vaults]
Comments
-
Some recent news regarding U2F: apparently, adopting U2F has eliminated successful phishing of Google employee accounts: https://krebsonsecurity.com/2018/07/google-security-keys-neutered-employee-phishing/
Relevant HN discussion, with a lot of comments on U2F support or lack thereof in various password managers (including 1Password): https://news.ycombinator.com/item?id=17592422
0 -
Welcome to the forum, @pianoroy! Thanks for the links. You may also have caught Shane Huntley from Google's Threat Analysis Group tweeting about this subject recently. :)
0 -
+1 vote for U2F.
0 -
Thanks for letting us know it's a feature you'd like us to add to 1Password. :)
0 -
Hi, using U2F such as YubiKey for 1Password is a priority feature for our small 100-person 1Password Team :blush:
0 -
@Oleh: Have you tried Duo? I am not an expert on their offerings, but they seem to support U2F in addition to a variety of other second factor options.
0 -
Definitely +1 for YubiKey support for 1Password - and please both in the Mac App as well as in the iOS App using their new NFC SDK.
0 -
-
Are you absolutely positive you couldn't use FIDO2 to unlock the local apps, at least on Mac/Windows? I mean, Linux has a PAM module to use FIDO1 for local login.
@cobaltjacket: I'm not sure what you mean by "unlock", but it sounds like security theater since local vaults have no authentication component. That's why they're local: there's no server involved. 1Password's security is based on encryption in either case, but 1Password.com accounts do have an authentication component as well.
And in terms of Duo, I personally think their offerings are not as good as Yubico's, which can be used for many other purposes (PIV, PGP/GPG, etc.). YubiKeys are also affordable. And if you need further convincing, take a look at what Google said this week in terms of how phishing attempts against their employees are non-existent since they implemented FIDO1 YubiKeys.
Apples and oranges. Google's service has an authentication component. Local vaults do not. We do have our own service that supports two-factor authentication though. ;)
This discussion has been going on for some time, and support for FIDO1/FIDO2 has increased dramatically - including first-party support by Microsoft and Intel. It's time.
We've supported Duo authentication for some time, and U2F is one of the options available. :)
0 -
It's been a while - is there any official discussion around U2F support within 1Password yet?
0 -
@notauser I’m not sure I follow. Brenty’s last update to this thread was only ~4 hours prior to your post. I wouldn’t call that “a while.” ;)
1Password does support U2F via Duo, and we are looking into the possibility of a 1st party option, but I don’t have any more information than that to share. We typically don’t pre-announce features, preferring to wait to talk much if at all about them until they’re ready for release. As far as I’m aware we’re still in the brainstorming stages for anything beyond what we already get via Duo, but we do agree U2F is very interesting technology and would like to see how it might better fit into 1Password.
Ben
0 -
Like many, I learned about Google using YubiKey/U2F, which helps "prevent" phishing.
I did not check how many websites actually support U2F. I think it would be interesting to use U2F to unlock a 1Password vault.
I use strong passwords everywhere and I enable OTP when I can, but "asking" for U2F would add, IMHO, a layer of security to access my vault.
Any plan on your side to add U2F support? Thanks
1Password Version: 7.x
Extension Version: 1.8.2
OS Version: Windows 10
Sync Type: Not Provided
0 -
@MorgothSauron: I hope you don't mind, but I've merged your post with the existing thread on this topic.
It's something we're considering as a two-factor authentication option for 1Password.com, but not feasible for local vaults since there is no authentication involved.
0 -
I, too, would love to see U2F as a way to authenticate, in addition to the existing 2FA via OTP.
Yes, I know there's the "security key", and I appreciate you having to carefully weigh your design decisions, so I'd just like to add myself to the list of users here who would welcome it if it should arrive :)
0 -
Incidentally, I just came across this blog post about phishing access tokens. That might be something to follow, to see if it stays within educational boundaries or if it'll be misused to change the attack landscape. Just putting it here FYI.
0 -
Indeed, folks who are targeted by spearphishing attacks are at the greatest risk. :dizzy:
0 -
+1
So far you guys haven’t let me down!
0 -
I just tried Duo and I'm incredibly unsatisfied with it. It's a confusing, enterprise-oriented service that can only support one U2F key per user, when Google is adamant you should have two (and it makes sense from a customer support perspective).
Also, Duo didn't let me use my Bluetooth U2F key with their mobile app. Google's definitely the first-class leader in mobile U2F support. The only thing seemingly missing from a more enterprise implementation is the ability to turn off the "remember this device" checkbox and require all sign-ins of a Google account to have a device for re-authentication.
Re "security theatre" - It's possible to use YubiKeys as mini HSM devices to store encryption keys and perform encryption/decryption, but that's not the U2F spec. So it's possible to force unlocking to require a YubiKey or other secure cert storage. Then again, you could change how the encryption works requiring a plain file on a USB key as key material, for example.
Why do I care so much about U2F? I'd trust the fingerprint/iOS Keychain with my very long "master" password if and only if I can force the use of a 2FA device on every login. I don't expect my fingerprints to be an attack target, but if you can use fingerprints or sudo to view saved passwords as is the case with Keychain, it's too exposed without requiring a second factor on every use.
0 -
@LSTA: Personally I find it pretty user-friendly, but then again I'm not administrating it myself. I'm sure Duo would be glad to hear your feedback on their product. Anyway, you make some good points about the limitations of Keychain, and I do appreciate you sharing your use case for U2F. I also agree that it's important to have a backup. :)
0 -
@brenty Any update on integrating YubiKey NEO via NFC to 1Password? I think YubiKey NEO via NFC is not working on LastPass. I would love to have the NFC feature work on iOS, Android, and Windows (I am not sure whether there are any Macs that have built-in NFC hardware).
Thanks for your help and time in advance!
0 -
@SangLee77: It's not something we have any news to share on at this time. I don't believe there are any Macs with NFC, but I admit I'm not completely certain either.
0 -
Thanks for letting us know your preference.
0 -
It seems LastPass, Dashlane & KeePass just pushed their focus towards the YubiKey integration. You can find the support while going through the wizard. https://www.yubico.com/quiz/
Also iOS is coming with an integration in its YubiKey support in its Mobile SDK. Which I'm not sure when. And with this new support the YubiKey can be used as USB or NFC to use it as 2FA, making this a mere 95% support on mobile devices.
https://www.yubico.com/2018/05/yubikey-comes-to-iphone-with-mobile-sdk-for-ios-and-lastpass-support/
I can only imagine as 1Password is the leading password manager for professional and home use to go towards this road as well.
So a big fat +1 from me.
0 -
@Dennis_van_Lith - thanks for adding your voice to this discussion. :)
0