Any plans to add support for YubiKeys via NFC?

Comments

  • @davdroman

    What makes sense in one context doesn't necessarily make sense in another. 1Password is primarily built around protecting your data with encryption as opposed to authentication. This is a form of the latter, and adds the most benefit to services that rely on strong authentication methods for protecting your account. That isn't to say that there may not be any merit to it, and indeed there may be yet, but at this point we haven't committed to it. Adding something to 1Password simply because a competitor has done so seems like a race to the bottom. We'd rather make well-informed, well-reasoned decisions about the direction we're headed. We may add this, but we want to make sure there is a solid benefit to doing so. Beyond the question of what benefit this would actually add to 1Password, assuming the benefit exists, we still need to weigh it against other demands. We only have limited development resources, and so we need to be sure we're using them to create the most benefit for the most customers.

    Thanks.

    Ben

  • Endareth
    Community Member
    edited January 2019

    Surely the primary security for Teams/Family accounts has got to be around the authentication, which is where increasing the ease of use of an NFC Yubikey would be a big plus for the average user. Especially with your push towards those subscription-based services! It’s hard enough getting all our users running 1Password as it is, and enforcing 2FA as well just makes it a bit harder again. Anything that can make it easier to keep users secure has got to be worthy of serious consideration.

  • @Endareth

    Surely the primary security for Teams/Family accounts has got to be around the authentication

    That's not the case, which is why I say what makes sense for one system may not make sense for another. 1Password relies primarily on encryption, rather than authentication, for your data's security. Yubikeys would arguably help the latter, not the former.

    Ben

  • gandalf_saxe
    Community Member

    LastPass does this, 1Password should too. I hope we don’t see 1P falling behind the competition for too long on this 🙂

  • @gandalf_saxe

    I mentioned above, but in case you missed it:

    Adding something to 1Password simply because a competitor has done so seems like a race to the bottom. We'd rather make well-informed, well-reasoned decisions about the direction we're headed. We may add this, but we want to make sure there is a solid benefit to doing so.

    It is something we're evaluating, to see what the benefit might be to 1Password's security model, but we're not going to add it just because LastPass did. :)

    Ben

  • gandalf_saxe
    Community Member
    edited February 2019

    @Ben

    That’s fair 🙂 let me just note that you have already deemed it beneficial enough for your security model that it’s implemented for desktop operating systems. All I’m asking is for platform parity so I don’t get stuck in a situation only with my phone and Yubikey and no way to access my passwords.

  • Ben
    edited February 2019

    @gandalf_saxe

    That’s fair 🙂 let me just note that you have already deemed it beneficial enough for your security model that it’s implemented for desktop operating systems. All I’m asking is for platform parity so I don’t get stuck in a situation only with my phone and Yubikey and no way to access my passwords.

    Ah, so that is actually a different thing. We support using Yubikey to generate TOTP codes for 1Password accounts. This uses Yubikey's Authenticator app, which I believe is not available on iOS (*). To the best of my knowledge Yubikey doesn't support generating TOTP codes on iOS (even via NFC). Their devices just don't do that, at least not yet.

    This thread is about U2F over NFC, which is a different authentication technology from TOTP. It may be that U2F would be a suitable substitute / alternative for 1Password accounts, but we don't know that yet. TOTP is the much more prevalent technology.

    Ben

    (*) From the guide:

    Yubico Authenticator requires Mac, Windows, Android, or Linux. To sign in to your 1Password account on an iOS device, use a different authenticator app.

  • gandalf_saxe
    Community Member

    @Ben

    Ah ok, fair enough. Sounds like it's up to Yubikey to make an iOS authenticator app. That was my main request :)

    However I'd still love to see 1Password support Yubikey on iOS via NFC :chuffed:
    As I see it, it allows us to add another true multi-factor into the mix, in the unlikely case that one's 1Password account is compromised / somehow accessed.

  • Thanks for the feedback. :)

    Ben

  • kebel87
    Community Member

    +2 (wife agrees lol) on Yubikey NFC support for iOS

  • :+1:

    Ben

  • DeDefiance
    Community Member

    @Ben

    but we're not going to add it just because LastPass did.

    Just as a note, LastPass actually haven't added support for this. Dashlane are the only ones afaik.

    While I'm usually for these types of decisions, I'm afraid I have to disagree on this one. U2F is basically the standard nowadays for 2-Factor Security and I can list plenty of websites/companies that have adopted U2F. Given the nature of 1Password and the type of information it stores, I'd honestly say U2F should be your next priority (while still maintaining OTP for those without keys that support U2F).
    Sites that have adopted U2F (Just to name a few):

    • Google
    • Twitter
    • Facebook
    • Dashlane
    • Youtube

    I absolutely love 1Password, but I have to say this is pretty much a make or break feature for me. If U2F wasn't to be implemented in the coming months I'd probably have to switch since the only reason I even use U2F in the first place is because all of my OTPs are stored inside 1Password, but obviously I can't store the OTP for 1Password inside my own 1Password vault.

    So just given the nature of how everything is set up, U2F makes perfect sense to be implemented.

  • AGAlumB
    1Password Alumni

    @DeDefiance: Thanks for the clarification. Someone above seemed to think it did, so maybe there was some confusion about that. Hard to keep track of it all. :)

    Regarding the topic at hand, I'm not sure we're on the same page here regarding U2F. It sounds like maybe you want to somehow have 1Password use that to interact with websites. Maybe I'm misunderstanding, but I'm not sure how that would work. 1Password can store TOTP secrets to generate (and in some cases fill) one-time passwords, but U2F is sort of a different beast.

    However, if you mean you want to use U2F to authenticate with 1Password itself, that's something we're evaluating, but...

    1. That would only work with 1Password accounts, since there is no authentication component at all otherwise.
    2. That would not apply when using 1Password locally since there is no authentication happening there, but rather encryption.

    Certainly it would be possible to have 1Password contact the server to re-authenticate any time you try to access it, but then you would not be able to access your data without an internet connection. For a lot of people, that's a dealbreaker, but as I said, there may be a use for this in a more limited capacity as well. Cheers! :)

  • DeDefiance
    Community Member

    @brenty
    By U2F, I'm talking about hardware key authentication such as YubiKeys (native YubiKey, not TOTP).

    For example;
    New PC, Install 1Password, Login, Insert Yubikey, Press Button, Done.

    You could possibly also add it for accessing passwords/vaults as well. Perhaps every x hours, configurable in the settings.

    You could obviously have it customisable in settings so that users who like you said want to use 1Password offline aren't forced to use it.

    Like I said, inside 1Password, I have all my TOTP for sites like Google, Twitter, etc... But then when it comes to 1Password, I can't really use TOTP with 1Password itself since obviously that won't work.
    I'm currently using TOTP on my YubiKey but it's incredibly impractical and would make more sense to implement it natively like stated above.

  • Thanks for the feedback. :)

    Ben

  • jefflkrueger
    Community Member

    I think I also want +1 for this, but maybe I don't understand the terminology. :)

    What would be great is if the 1Password iOS app could use a YubiKey NFC for authentication to the app itself. Using the current 1Password - YubiKey integration, a TOTP can be generated by the Yubico Authenticator app on a desktop computer with the key inserted and that number can be manually typed into the 1Password iOS app. However, since the YubiKey supports NFC, the 1Password app could read, not the TOTP, but the Yubico OTP (or potentially whatever is stored in "Configuration Slot 1"). That is what LastPass is doing as they support the Yubico OTP directly vs using a TOTP in the Authenticator app.

    The use case would be something like this:
    For Setup: On my 1Password website account profile, I can add one or more YubiKeys in the "Manage Two-Factor Authentication" area. I believe the 1Password website would potentially need to support U2F for this, but perhaps not, because when pressed, the YubiKey spits out a big long OTP as a USB keyboard - this could go right into the 1Password site.
    When installing 1Password on a new iOS device: I log in with Secret Key and Master Password, then instead of getting prompted to enter 6 digits from an authenticator app, I simply touch my YubiKey NFC to the back of the iOS device, it reads it, and I am authenticated to the phone.

    The benefit here is that the 2nd factor could be required to present every X number of days after setup, and this could be done without an extra computer or app to run Yubico Authenticator.

    Thanks for listening!

  • ag_ana
    1Password Alumni

    Thank you for taking the time to share your feedback @jefflkrueger! And welcome to the forum :)

  • Flaurang
    Community Member

    Hello dear 1Password team,

    Can we get a confirmation you are working on a two step authentication, using the YubiKey as the second step?

    I understand you need to "make well-informed, well-reasoned decisions", but one year later, I hope you have found time to think about this request.

    If it's not possible, just make a clear statement, and we will stop waiting.

    Thanks for your answer and for your great products.

    Regards,
    Florent

  • Lars
    1Password Alumni

    Welcome to the forum, @Flaurang!

    Can we get a confirmation you are working on a two step authentication, using the YubiKey as the second step?

    Sorry, no. We don't normally pre-announce new features or release dates as many factors (some beyond our control) affect them. Please stay tuned. 😀

  • Flaurang
    Community Member

    Hi Lars,

    Thanks for your quick answer.

    I'm not asking for a new feature or release date, but just to know if this is a feature that you don't want or can't implement in 1Password for iPhone ;)

    Regards,
    Florent

  • Lars
    1Password Alumni

    @Flaurang - you asked:

    Can we get a confirmation you are working on a two-step authentication, using the YubiKey as a second step?

    Perhaps I misunderstood: if you were referring simply to using a YubiKey to sign into your 1Password account, that feature is already available on every platform but iOS, where Yubico does not make a version of their authenticator app.

    If you were referring to NFC or U2F support, that would indeed be a new feature, and as I mentioned, we don't pre-announce them. :) What I can say is that if we knew a certain feature was something that was a non-starter for us, either because we thought it wasn't right for 1Password or because it was somehow not possible, we would state that publicly whenever asked. We've done this numerous times with other features such as WebDAV support (ownCloud, etc), and we would have done it long ago in this thread if we were certain this was something we won't be doing. Hope that helps. :)

  • Flaurang
    Community Member

    You are right, I am referring to NFC support. I am happy with your answer, and will wait for the next versions to see if they support YubiKey via NFC on iOS.

    Thanks again

  • Lars
    1Password Alumni

    :) :+1:

  • robertrobertrobert
    Community Member

    Same here! +1 for NFC support on iOS. I read all the previous posts.
    And I am still very disappointed seeing 1Password still not supporting it.

  • ag_ana
    1Password Alumni

    Thank you for the feedback @robertrobertrobert! Any new feature requires careful planning and testing; we don't want to ship anything without being sure it works perfectly. I believe Lars explained this perfectly:

    What I can say is that if we knew a certain feature was something that was a non-starter for us, either because we thought it wasn't right for 1Password or because it was somehow not possible, we would state that publicly whenever asked. We've done this numerous times with other features such as WebDAV support (ownCloud, etc), and we would have done it long ago in this thread if we were certain this was something we won't be doing.

  • snibles
    Community Member

    +1 for NFC support on iOS. This is a killer feature that is missing from 1P. We need it!

  • Lars
    1Password Alumni

    @snibles - thanks for the feedback. :)

  • jonnybruges
    Community Member

    +1 for NFC support on iOS. Please and thank you.

  • Thanks @jonnybruges. Welcome to the forum. :)

    Ben

  • CalvinHP
    Community Member

    +1 for U2F and NFC. I'm migrating from LastPass and this feature was pretty awesome from a usability standpoint. I'm going to have some unhappy users that will need to use Yubico Authenticator to get into 1Password.

This discussion has been closed.