A Failed(?) Attempt at Very Basic Unofficial YubiKey Support

Community Member


Ultimately I -- like everyone else -- am anxiously awaiting some type of official 1Password YubiKey support. I won't belabor that point, but please do tally my vote for that feature, for both Mac and iPhone/iPad.

In the meantime, I'm interested in enabling interim support in some form. I envision two Vaults, one with a single password; and a second Vault with a combination of a password I know, and a YubiKey static password appended to that. The single password Vault would be used for most passwords; the second Vault with 2FA would be used for bank passwords, credit card numbers, etc. Only the former less-secure Vault would be allowed to WLAN Sync to my iPhone/iPad, which is partially because I don't want or need my bank information there, and partially because Apple has been slow to support NFC.

But while this seems reasonable to me in concept, I think some of the software implementation decisions in 1Password are preventing it:

  1. WLAN Sync will sync only the Primary Vault. This means that the less-secure Vault would have to be the Primary.
  2. The Primary Vault password unlocks all of the other Vaults. This means that the more-secure Vault would have to be the Primary.

And there is where I'm stuck, because obviously the Primary vault can't simultaneously be the less-secure and more-secure Vault.


A. Do I have 1 and 2 correct above?
B. I'd like to request that you adjust 1 or 2 in an upcoming release. The post I found on 2 made it sound like there were reasons for the Primary Vault to unlock all of them (although this isn't the design decision I would have made), but I couldn't find any reasons why 1 is true. It seems totally arbitrary to me that only the Primary Vault can WLAN Sync.
C. Is there another way I could accomplish what I'm trying to do?

Thanks for your help!


1Password Version: 1Password 6 Version 6.8.5 (685004) AgileBits Store
Extension Version: Not Provided
OS Version: OS X 10.13.2
Sync Type: WLAN


  • XIII
    Community Member

    and a YubiKey static password appended to that

    Do you really mean “static”?

    (I don’t see any added value above the Secret Key if it’s not dynamic)

  • pervel
    Community Member

    There is a more fundamental problem with your idea. If I understand you correctly, you are envisioning using 2FA for local vaults. However, 2FA is only an authentication mechanism and not an encryption mechanism. There is no authentication involved for local vaults - only encryption.

    AgileBits has an article that explains more about the difference between authentication and encryption:

  • AGAlumB
    1Password Alumni

    Indeed, and the way Secret Key is setup when using a 1Password.com account makes it easier to manage (and harder to lose) as well, since it's available after unlocking the app on an authorized device with your Master Password. It provides the added security of a 128-bit, randomly-generated encryption key without placing the burden of keeping a single token that could easily be lost, stolen, or destroyed on the user.

This discussion has been closed.