Feature Request: Unlock 1Password with a security key (yubikey)
This isn't Mac specific but there does not seem to be a "general discussion" forum or a feature request forum.
I would love to be able to unlock 1Password (web site, browser app, phone app) using my yubikey security keys, rather than typing my master password.
Comments
-
@drumboots: We have no plans to have any hardware device that could easily be lost, stolen, or destroyed replace the Master Password*. You can, however, use Yubikey as a second factor for a 1Password account, and we're also looking at possibly supporting other integrations as well. Cheers! :)
*Edit: clarification: technically you can do that anyway, but it isn't something we recommend or support.
0 -
I also think this would be an incredibly useful feature, but only as a secondary method of conveniently unlocking post-initial unlock, e.g. after the lock timeout or resumption from sleep; the master password would still be required after a cold boot/login.
I imagine this feature as being similar to how Github allows you to use a hardware key in lieu of your password to authenticate when attempting to perform sensitive actions, but only after you've already logged in using a password and 2FA mechanism.
0 -
A bit has changed since this thread (December 2018). You may find this post interesting:
Introducing support for U2F security keys
Ben
0 -
I would also like this feature. To be able to unlock 1Password with a Yubikey, much like using our fingerprint now on the touchbar.
0 -
I would assume you would be able to use your master password as a backup just like you can for Touch ID.
0 -
I see. If that's the sort of setup you'd like @bbeyer then you may be able to configure your YubiKey to type your Master Password for you:
Understanding Core Static Password Features : Yubico Support
I'm not sure that is something we'd be able to recommend doing... just pointing out the fact that the technology exists. :)
Ben
0 -
Yubikey is a 2nd factor, the name says it all. As a former LastPass user, I prefer the way its browser extension works: after (re)starting the browser I have to authenticate myself with the master password AND the 2nd factor (yubikey) to activate the extension, but the extension keeps working until I stop the browser.
An optional 1-day timeout would have been nice (to handle the case of not restarting the browser at all), though.
Yubikey should be used as 2FA at least for registering a new Android or iOS device, too.
Is there any chance to have such features?
0 -
I also would like to see an implementation like Microsoft did. A U2F replaces the password with a PIN. So PIN + Hardware Key = Login.
There are smart ways to get this done on 1PW too.
As bbeyer said TouchID and 1PW works fine, it asks you from time to time or on reboots for the master pw, why only TouchID? Why not also a Key like a yubikey? I hope we will see solutions to replace or half replace the master PW with a pin or something.
0 -
-
I hope at least when they release the YubiKey Bio with a fingerprint sensor, 1PW will adopt the same mechanism like TouchID.
https://www.yubico.com/blog/yubico-reveals-first-biometric-yubikey-at-microsoft-ignite/
Greetings
0 -
Have you had a chance to read my reply here?
https://discussions.agilebits.com/discussion/comment/525696/#Comment_525696
Ben
0 -
@Ben yes I read that. It is a possibility but not an optimal solution in my opinion.
Exposing the Master PW is easy, because you only need to press the Yubikey for example 1-2 seconds in a Textfile and the static pw will be exposed. A direct feature from 1PW would be better.
A Solution like Windows or Apple did, directly from 1Password would be so cool. So passwordless would be a YubiKey Bio or a normal YubiKey plus a Pin.
That would be my dream 1PW Setup. Please consider this feature request in the next meeting :)
0 -
We don't have any plans for that, but perhaps it is something we can consider for the future. :+1:
Ben
0 -
@Ben Thanks for considering it. I mean you already implemented it with TouchID. After a reboot a Master PW is still required and so on.
The same implementation from TouchID with a YubiKey Bio on all devices (Windows, Android, MacBook (when closed or without TouchID)...) would be possible. Isn't that a great new feature? :)
0 -
:+1: :)
Ben
0 -
Just to confirm that I got it properly: Yubikey across all 1Password apps including online account is ONLY used to authenticate new devices? So once authorized, the device will never be asked for Yubikey again?
I thought the general idea behind it is that Yubikey can be used to unlock 1Password (desktop app, mobile, www) but this does not seem to be the case?
0 -
Hi @Malbec,
It sounds like you've got the gist of it.
> Just to confirm that I got it properly: Yubikey across all 1Password apps including online account is ONLY used to authenticate new devices? So once authorized, the device will never be asked for Yubikey again?
Correct.
> I thought the general idea behind it is that Yubikey can be used to unlock 1Password (desktop app, mobile, www) but this does not seem to be the case?
Yubikey is not involved in the unlocking process; just the device authorization process.
Ben
0 -
Thanks everyone. So I have added 2 Yubikeys to my 1P account and have 2 questions:
I thought I can remove "authenticator app" and rely only on hardware Yubikeys authentication. However although I can remove any Yubikey I have added, the only option that appears next to "authenticator app" is to "replace". Is there no way to remove/disable it and rely only on Yubikey?
With the above scenario, when I force my iPhone via 1Password online account to "require 2FA" on next log in, it always shows me 3 choices: NFC, authenticator OTP and lightning USB. If I choose NFC and authorize via Yubikey NFC, although it says "success" nothing happens and I get the 3 choices once again. The only way to go past this screen is if I choose authenticator OTP codes.
Is this a bug? Any idea how to resolve it?
0 -
> I thought I can remove "authenticator app" and rely only on hardware Yubikeys authentication. However although I can remove any Yubikey I have added, the only option that appears next to "authenticator app" is to "replace". Is there no way to remove/disable it and rely only on Yubikey?
Not currently: you can ignore the TOTP option, but at the moment it cannot be removed, even when there is a Yubikey added to the account.
> With the above scenario, when I force my iPhone via 1Password online account to "require 2FA" on next log in, it always shows me 3 choices: NFC, authenticator OTP and lightning USB. If I choose NFC and authorize via Yubikey NFC, although it says "success" nothing happens and I get the 3 choices once again. The only way to go past this screen is if I choose authenticator OTP codes.
Is this by chance a Yubikey NFC Neo?
0 -
@ag_ana Thank you. It is YubiKey 5 NFC. I have also just downloaded 1Password 7 to my Macbook Pro as well (having first done it with Mac Pro and iOS) and updated it to the 1PW online account. It asked me for OTP code, there was no option for Yubikey. I inserted Yubikey thinking it may work but 1PW was insisting on OTP. There was no option to ignore OTP.
So what's the use of Yubikey if things are not working as they should and OTP is always required despite having 2 Yubikeys registered on the account?
0 -
That's because not all of the 1Password clients support Yubikeys yet, which is why we still require a TOTP to be present. In clients that already support Yubikeys (such as the web app on 1Password.com), you can use them instead of TOTP. In clients such as 1Password for Mac, you are currently prompted for TOTP instead, which is why you need to have one configured in your account.
0 -
YubiKey 5 NFC should indeed work. I'd like to ask you to create a diagnostics report from your iOS device:
Sending Diagnostics Reports (iOS)
Attach the diagnostics to an email message addressed to support+forum@agilebits.com. With your email please include:
- A link to this thread: https://discussions.agilebits.com/discussion/comment/561311/#Comment_561311
- Your forum username: Malbec
- A screenshot of the NFC prompt and a screenshot of the "success" message: ▷ How to take a screenshot
That way I can "connect the dots" when I see your diagnostics in our inbox.
You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here so I can track down the diagnostics and ensure that this issue is dealt with quickly. :)
Once I see the diagnostics I'll be able to better assist you. Thanks very much!
Ben
0 -
-
Great :+1:
Ben
0 -
Have there been any updates on the TOTP requirement? I'd like to use a Yubikey (several ones to protect against loss/damage) to further secure my 1Password account, but I don't want to be using TOTP (that would require my phone, but the reason I'd be logging into a new device in the first place is because my old phone is unavailable/damaged/etc) and use only Yubikeys. Is it possible now?
0