Any plans to add support for yubikeys via NFC?

m4rkw
m4rkw
Community Member

There's an iOS SDK now:

https://www.yubico.com/2018/05/yubikey-comes-to-iphone-with-mobile-sdk-for-ios-and-lastpass-support/


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

«13

Comments

  • Hi @m4rkw

    I’m not aware of any “plans” per se, but we do think this is interesting technology and have been looking at how we might be able to incorporate it into 1Password. :)

    Ben

  • fixorater
    fixorater
    Community Member

    This is definitely a feature I and many other folk would be interested in. Lots of enterprises are looking into deploying hardware MFA / passwordless signon using yubikey, google titan and similar devices, it'd be great to allow users to sign into 1password using the same device. Also-I believe LastPass already supports Yubikey NFC authentication on iOS.

  • Yep. Thanks for the feedback, @fixorater. :)

    Ben

  • AMO65
    AMO65
    Community Member

    I just received my yubikeys yesterday. For some reason I thought 1password supported this authentication method. Disappointed that it does not yet. Not typically an early adopter for anything, but since my company was already subject to a ransomeware attack this last year looking at ways to increase security for me and my family. Is 1password working toward this?

  • Hi @AMO65

    We do support Yubikey as a TOTP code generator. We do not support U2F. I really couldn’t say any more on that front beyond what I mentioned above, but if you want to use Yubikeys to generate TOTP codes for your 1Password accounts that is already possible:

    Use your YubiKey to sign in to your 1Password account

    Ben

  • [Deleted User]
    [Deleted User]
    Community Member

    I too am very much wanting 1password to support the NFC for iOS and U2F. The sdk mentioned above makes this much easier. Is there an official channel by which feature requests such as this should be made?

  • Is there an official channel by which feature requests such as this should be made?

    Yep. Right here. :) Thanks for the feedback. We do think U2F is interesting technology and we're looking into how we might be able to incorporate it into 1Password.

    Ben

  • cologuppy
    cologuppy
    Community Member

    Let me add my request for this as well. Given the sensitive nature of what we all protect with 1password adding standards based MFA support makes it that much more secure. Additionally some other password storage vendors support it, so I'm hoping that the feature will be coming soon so that I don't have to consider migrating.

  • @cologuppy

    We do already have standards based MFA support. :)

    Turn on two-factor authentication for your 1Password account

    U2F is something we're looking at, but I don't have anything further than that to share at the moment.

    Ben

  • cologuppy
    cologuppy
    Community Member

    Yes - that is true, and it's something that I'm leveraging. But my usage pattern (as perhaps many others as well) is that most of my dealings with 1password are via my mobile devices. Since more and more critical applications are natively supporting yubikeys it creates a security hole because I can't participate with them and 1password together via my phone.

  • dpirko
    dpirko
    Community Member

    Also voicing my support for Yubikey support via NFC.

  • @cologuppy

    I'm not sure I follow. It sounds like you may be asking for something different than what we're discussing here. Could you please elaborate about what exactly it is that you're looking for 1Password to do?

    Ben

  • Thanks for the feedback @dpirko.

    Ben

  • Darkalfx
    Darkalfx
    Community Member
    edited December 2018

    Also voicing my support for Yubikey support via NFC. (Especially for Windows and iOS)

  • Thanks @Darkalfx. :)

    Ben

  • Brant W.
    Brant W.
    Community Member

    Just received my Yubikey 5 NFC for Christmas and was disappointed to find 1Password didn't support U2F. +1 on supporting it in the very near future.

    I did set 1Password up to use TOTP, but that requires me to set up another app to support it.

  • Thanks @Brant W.

    Ben

  • mikesixtysix
    mikesixtysix
    Community Member

    It's interesting technology and you're looking into how you might be able to incorporate it? As the original post stated, Lastpass already has it.

  • AGAlumB
    AGAlumB
    1Password Alumni

    We take a conservative approach, prioritizing security and usability without sacrificing either as much as possible, and also prioritizing things that help the greatest number of our customers. If and when all of those factors line up, I suspect we'll have more to say on the subject. :)

  • notauser
    notauser
    Community Member

    I also want to share my strong discontent that u2f support isn't here. I do understand the complexities this creates with regards to your business model.

  • @notauser

    What benefit do you envision U2F adding for 1Password?

    Ben

  • notauser
    notauser
    Community Member

    @Ben

    While I type my response here to this question, please see my mention to you in my other thread in the iOS category : )

  • :+1:

    Ben

  • @Ben

    What benefit do you envision U2F adding for 1Password?

    If the 1Password website separated user authentication from database decryption so that there were two separate steps instead of one when logging in, a U2F key could be used as an optional second factor for authentication to the web site. A phishing attack would be foiled by U2F because the generated key would only be valid for the genuine 1Password site, but the attacker would only have a key valid for their fake domain name (or IP address). This would prevent the attacker from gaining access to the victim's password database, even if they were tricked into giving up both their master password and secret key.

    Separating user login from database decryption in the web browser would also allow users to perform administrative functions on the web site (e.g. updating payment information) without needing to also decrypt their database. If this were an option, I would never, ever enter my secret key anywhere in a web browser.

    This weakness is the reason I'm considering giving up on 1Password and going back to using KeePass-compatible apps, despite the lack of features that I otherwise really want.

  • Thanks for that perspective, @gedankenexperimenter. Separating the authentication from the encryption is certainly an interesting idea, but I fear it adds a fair bit of additional complexity for a large segment of our customer base. It also means yet another set of credentials to remember, getting us further from the "one password" goal. There is always a difficult balance between security and convenience. My initial take is that this may tip the scales too far away from convenience. But I'm certainly not dismissing the idea outright. I think it is worth further consideration. Thanks again.

    Ben

  • If it's done right, it should not add any additional inconvenience to the users. Already, if I have signed in to the 1Password web site with a given browser, that browser stores my secret key, and I don't need to re-enter it when logging in again. There's no reason this couldn't change if authentication was separated from decryption.

    Typical users would only see the prompt for the secret key exactly as often as they do now; it would just come on another page, after authentication has been completed. Most of the time, they wouldn't see it at all. There wouldn't even be a need to make them click a link in order to open their vaults, but if I log in and don't want to decrypt my vault, I would be able to click on a "skip vault decryption" link instead of entering my secret key. The extent to which this would add an additional password versus what already exists would be zero, but for people who want the best security they could reasonably get, having a U2F hardware key would not only provide protection against attacks that the current system does not, but would also make entering that second factor easier, faster, and would require the users to remember fewer things, not more.

    U2F hardware keys are so much better than OTP authenticator apps in both usability and security that it's very surprising to see 1Password so resistant to the idea.

  • U2F hardware keys are so much better than OTP authenticator apps in both usability and security that it's very surprising to see 1Password so resistant to the idea.

    I think cautiously optimistic is a better description of our position. We want to be sure it is a good fit for 1Password before implementing it. I don't believe we have any qualms with the technology itself.

    Ben

  • Endareth
    Endareth
    Community Member

    Just wanted to add a “me too” for NFC support. Just working on setting up Duo MFA in 1Password Teams for several of the businesses I support, and being able to use a Yubikey NFC for my personal MFA on as an adjunct to that would be ideal.

  • Thanks, @Endareth. :)

    Ben

  • davdroman
    davdroman
    Community Member

    +1 for NFC support on iOS. I was a bit disappointed seeing LastPass supporting it and not 1Password.

This discussion has been closed.