U2F support for Yubikey [under consideration for memberships; not applicable to standalone vaults]


Comments

  • laugher
    laugher
    Community Member
    edited August 2018

    I know development sprints can take time to complete, let alone the planning of what features are going into the next sprint/release but...

    I'm going to +1 my support for FIDO U2F for all versions of 1Password. Limiting this to enterprises and teams (with Duo) is very short sighted especially considering that FIDO U2F is targeted for the mass market.

    If you need to tack $0.50 cents per month to allow us to do this, please do so. I'm sure your development team's caffeine and pizza diet will be quickly reimbursed with just the 50c a month contribution from your many users.

    Always with respect and thanks.

  • Lars
    Lars
    1Password Alumni

    @laugher - thanks for adding your voice to this thread. It's something we've been considering, but we need to make sure it adds actual security value instead of just security theater -- on top of all the other considerations that go into determining whether to pursue adding yet another new thing to 1Password. Stay tuned!

  • laugher
    laugher
    Community Member

    Hey Lars. I know @jpgoldberg might disagree with me on this one but...

    In the existing model, you have 2FA. That is, Google Authenticator, Authy, OTP, etc. The problem with these is that they can still be phished, extracted, lifted from the very device 1Password is installed on as in the case when I have both the existing 2FA and 1Password on the same device as a lot of people probably do. We do after all mostly own one mobile device. At least I try to!

    If you support, say Yubico Neo or similar, that multi factor token is like a physical key I have that doesn’t go near the phone. The phone sends a challenge signature out and only when I bring a token close by and press the button does it respond to the challenge proving the token I have has the private key that is locked up inside my Yubico device.

    I’d say this is more secure. I am fully aware I am “authorizing” an action by deliberately moving a token near my phone and pressing the button to form the response causing my alertness also to go up to ask “Does this look ok?” Please help me understand if there is a scenario where this isn’t safer than Authy, for example.

  • Lars
    Lars
    1Password Alumni

    @laugher - I don't want to (and most of the time, couldn't even if I did want to) speak for Goldberg, but having heard him address this topic previously, I think he would answer your question by saying you're correct to note that a true second factor does indeed offer greater protection than what is more properly referred to as 2SV (2-Step Verification)...but only in a limited range of cases. Can you tell me what attack vectors you're worried about that a hardware second factor like a Yubikey would solve that are going unprotected currently?

    You might want to have a read through both our security white paper and (maybe more on-topic for what I think you're getting at) this post on SRP, if you haven't already. :)

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    edited August 2018

    Hi @laugher,

    It is a good observation that TOTP schemes can be phished. But it is worth noting that except in the case of using the 1Password web client, 1Password can't be phished. As @brenty pointed out, our use of SRP means that our authentication process provides mutual authentication and transmits no secrets. In this respect it is like U2F.

    I recently gave a presentation (paper and slides) at the Workshop on Authentication on some issues around 2FA (or on what is presented as 2FA). Only a small part of what is in the paper and talk is specific to 2FA in 1Password, but I do think that it is a good place to start when talking about what sorts of security 2FA provides in various circumstances.

    The paper and talk do mention that introducing 2FA can have negative side-effects for security in some circumstances (circumstances that I believe apply to 1Password). And so those need to be carefully weighed against the (small) security gain we would get from using something like Yubikey or other U2F hardware dongle.

    Given that (except for logging in in a web browser), we're solidly preventing phishing. So are the real security gains of using U2F worth the risks? This remains an open question, and we are exploring ways in which we could make positive use of the sorts of things you are suggesting without doing harm.

  • laugher
    laugher
    Community Member

    Hi @jpgoldberg and @Lars - thank you for your thoughtful responses to what we all value: the safety of 1Password. I must admit I’ve been a bit behind in my reading with what AgileBits has been doing and how the new family of products are protecting 1Password. On the surface, while the new security mechanisms such as SRP sound great, I’ll sit back a little and allow myself to absorb what I have just read.

    There was one question that still concerned me - can I reconfirm where the secret key is being stored please? Is it on the local device storage? In other words, the C drive of Windows, the home directory structure of MacOS and variants and similar directory structures on mobile devices?

    As I always implied, I respect the thoughtfulness and thoroughness you folks (particularly the architects like yourself @jpgoldberg ) put into this. Thank you.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Can I reconfirm where the secret key is being stored please? Is it on the local device storage?

    Yep. It is stored locally. The Secret Key is not designed to protect you if data is stolen from your machine. It is designed to protect you if data is stolen from our machines. Although we make use of secure storage provided by the operating system for this, you should assume that if someone obtains your 1Password data from your own machine then they get the Secret Key with it. Again, the role of the Secret Key is to protect you if we get breached.

    If data is stolen from your machines, then assume that the attacker gets the Secret Key along with the encrypted data, and so their attack will be on trying to crack your Master Password. They will do this as an off-line attack on their own equipment, and so no authentication factor will matter for them. They will not be going through our servers or through the 1Password application, but will be directly attacking their copy of your encrypted data.

  • Bassebus
    Bassebus
    Community Member
    edited October 2018

    ”If data is stolen from your machines, then assume that the attacker gets the Secret Key along with the encrypted data, and so their attack will be on trying to crack your Master Password. They will do this as an off-line attack on their own equipment, and so no authentication factor will matter for them. ”

    Okay, this is probably not how it works but:

    Can't the Yubi/Google key be added as a part of this process?

    E.g. in order to even be able to enter the master pass, you first need to present the key....

    That would add another layer of security, since without my physical key they can't even try to brute force.

    I have no idea if this is even possible, or a good idea.

    Edit: like with Keepass, you can provide a ”key file”. My idea is somewhat like that, but to replace the key file with the physical key.

    Feedback?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Bassebus: You can use Yubikey like that with a 1Password.com account already:

    Use your YubiKey to sign in to your 1Password account

    The difference being there isn't a way to do that before you sign in using your Master Password and Secret Key, since there's no authentication happening before that: you're interacting with 1Password solely on your device locally. Otherwise you'd always need to be connected to the internet to even touch 1Password, if you had to authenticate with a one-time password first, which would need to be verified with the server.

  • JetForMe
    JetForMe
    Community Member

    I'd really like to have YubiKey support in 1Password, too. That is, if my YubiKey isn't installed in my laptop, the 1Password app should refuse to open (or require additional authentication steps).

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks for letting us know that's something you'd like. However, to reiterate, in that scenario, that wouldn't offer a security benefit since the attacker already has access to your laptop. You'd still be relying on 1Password's encryption, not authentication, to secure the data...unless you mean that you want 1Password to keep no local data at all and then require authentication with the server each session and download it on demand, erasing it when it's done. You'd still not be much better off in that case, since anyone with access to the machine could save a copy of anything downloaded to attack offline later, but fortunately 1Password is designed to withstand such attacks anyway. If 1Password would simply "refuse to open", that would really only be security theater.

  • mertzjame
    mertzjame
    Community Member

    I would like to see support for U2F in 1Password as I just got the new Google Titan device that only supports U2F.

  • Lars
    Lars
    1Password Alumni

    Welcome to the forum, @mertzjame! Thanks for weighing in. We've not got anything to announce with regard to U2F at present, but keep an eye on our blog as well as release notes for 1Password to see the latest additions/features. :)

  • Azes
    Azes
    Community Member
    edited November 2018

    I also would really like to see support for Fido U2F on all versions of 1Password to introduce an additional layer of security when a new device is trying to obtain access to a user's existing vault. In my limited understanding this would be an additional security layer to further prevent the scenario below from being successfully exploited (quoted from @jpgoldberg 's comment above):

    If data is stolen from your machines, then assume that the attacker gets the Secret Key along with the encrypted data, and so their attack will be on trying to crack your Master Password. They will do this as an off-line attack on their own equipment, and so no authentication factor will matter for them. They will not be going through our servers or through the 1Password application, but will be directly attacking their copy of your encrypted data.

  • Lars
    Lars
    1Password Alumni

    Welcome to the forum, @Azes! Thanks for weighing in on this. We're looking at ways we can add support for U2F in a meaningful way to 1Password, but the key here again is "meaningful," as opposed to "security theater." Authentication and encryption are two different things despite being sort of from the same field (security). If someone is able to access data on one of your devices (perhaps through social engineering, or taking the device itself), they won't bother going through any authentication mechanisms in place, they'll simply extract the SQLite data file, and run password-cracking attempts directly on it. This requires strong encryption, but renders authentication irrelevant. Here's a little more on our thinking about what's effective (and what's not so much).
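    The argument made by @jpgoldberg (the Secret Key travels with a locally stolen copy, so the attack is an offline guess at the Master Password) and by @AGAlumB and @Lars (an authentication gate never sits in the decryption path) can be modelled in a few lines. The example below is added here and is not 1Password's code; the KDF, the HMAC-counter stream cipher, the verification tag and the 128-bit Secret Key size are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

SECRET_KEY_BITS = 128  # assumption for this example: entropy of the random Secret Key

@dataclass
class VaultFile:
    """The local data: as the thread notes, the Secret Key is stored on the device too."""
    salt: bytes
    ciphertext: bytes
    tag: bytes          # lets anyone holding the file recognise a correct key (assumption)
    secret_key: bytes

def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    # Toy KDF: slow hash of the Master Password, mixed with the Secret Key
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 20_000)
    return bytes(a ^ b for a, b in zip(pw_key, hashlib.sha256(secret_key).digest()))

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC in counter mode); XOR is its own inverse
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), "sha256").digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def create_vault(master_password: str, secret_key: bytes, plaintext: bytes) -> VaultFile:
    salt = os.urandom(16)
    key = derive_vault_key(master_password, secret_key, salt)
    ciphertext = keystream_xor(key, plaintext)
    return VaultFile(salt, ciphertext, hmac.new(key, ciphertext, "sha256").digest(), secret_key)

def decrypt_vault(vault: VaultFile, master_password: str):
    """Direct decryption of the file: all an offline attacker needs, no app gate involved."""
    key = derive_vault_key(master_password, vault.secret_key, vault.salt)
    if not hmac.compare_digest(hmac.new(key, vault.ciphertext, "sha256").digest(), vault.tag):
        return None  # wrong Master Password
    return keystream_xor(key, vault.ciphertext)

def open_vault_with_u2f(vault: VaultFile, master_password: str, u2f_touch_ok: bool):
    """The app-side gate some posters ask for; it wraps decryption but does not change it."""
    return decrypt_vault(vault, master_password) if u2f_touch_ok else None

def offline_guess_space_bits(password_entropy_bits: int, secret_key_known: bool) -> int:
    """Local theft hands the attacker the Secret Key; a server breach does not."""
    return password_entropy_bits + (0 if secret_key_known else SECRET_KEY_BITS)
```

    Refusing to open without the hardware key only affects `open_vault_with_u2f`; `decrypt_vault` on a copied file is unchanged, which is the "security theater" point, while the Secret Key only enlarges the guess space when the attacker does not already hold it.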

  • tallackn
    tallackn
    Community Member

    Time to step-up guys. Microsoft just went all-in. That means full enterprise adoption.

    https://www.cnet.com/news/microsoft-now-lets-you-log-into-outlook-skype-xbox-live-with-no-password/

    Show us your FIDO2 roadmap? Reassure us that our continued support for you won't be wasted when you are left behind by native FIDO2 support across all browsers, OS's, and enterprise cloud application providers.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @tallackn: We're not a subsidiary of Microsoft, and we have a commitment to other platforms, not just Windows. And I'm not sure that Microsoft controls what other platform owners and software vendors do either. Our "roadmap" is also not public, as it's subject to change. (Incidentally, if it were set in stone, some news article would not be relevant anyway.) If and when we have something to announce in this area, we'll update this thread. If your situation is such that us not supporting Fido today is holding you back, and there's another tool out there that better fits your needs, there's nothing wrong with using it. We'll continue to evaluate this and many other things to determine what we work on based on what will make the biggest difference for the greatest number of 1Password users, but we're not here to sell you on hypotheticals, but rather the features and benefits 1Password offers today.

This discussion has been closed.