Feature Request: Unlock 1Password with a security key (yubikey)


Comments

  • ag_ana

    Team Member

    @Rjevski:

    I don't want to be using TOTP (that would require my phone, but the reason I'd be logging into a new device in the first place is because my old phone is unavailable/damaged/etc) and use only Yubikeys. Is it possible now?

    Not at the moment (at least not yet on every platform). If you add a Yubikey to your account, however, you don't need to be using TOTP at all. You can already use only Yubikeys if you wish, even if the TOTP option is there for certain platforms, but it's not necessary to use it if you don't want to.

  • Thanks for your reply. Do you mean that TOTP is not mandatory? If so, which platforms support Yubikeys? I've just logged into the web UI using latest Safari (which supports WebAuthn) and the only 2FA option offered is TOTP.

  • ag_ana

    Team Member

    @Rjevski:

    Do you mean that TOTP is not mandatory?

    You need to keep it as an option even if you add a Yubikey to your account (so you can still login on other platforms that still don't support Yubikeys), but you can always ignore it and use your Yubikey all the time if you prefer ;)

    If so, which platforms support Yubikeys?

    • 1Password.com (the website)
    • 1Password on your iPhone or iPad (requires YubiKey 5 NFC or YubiKey 5Ci)
    • 1Password on your Android device

    I've just logged into the web UI using latest Safari (which supports WebAuthn) and the only 2FA option offered is TOTP.

    Can you please try the instructions posted by Jasper here? This will help us understand if the issue is with the key or with the browser.

  • I'm checking out 1Password as a LastPass user, and I just wanted to say that the inability to login to 1Password using my Yubikey is the reason why I will not switch. In addition to the extra security, the reason I bought a YubiKey is so I wouldn't have to type my master password every time I opened a browser or app on my phone. Kinda disappointed you guys don't do this.

  • Ben AWS Team

    Team Member

    Thanks for letting us know, @ellameno. :+1: We appreciate the feedback.

    Ben

  • I, too, am switching from Lastpass, and I agree with Ben's point. What's the point of having a hardware key such as YubiKey 5 NFC when you can't use it to log on?
    Another grievance: It is too easy to switch off 2 factor authentication in 1Password. You only have to be in the app to inactivate it. At the very least, 1Password should ask you for a 2nd factor (such as a OTP or a hardware key), otherwise it is too easy to hijack the 1Password account.

  • ag_ana

    Team Member

    @marty317:

    You only have to be in the app to inactivate it.

    That's a pretty big requirement already: if you manage to unlock the 1Password app, it means that you have the credentials to unlock it. Once you are in at that point, I think it's correct that we allow you to make changes to your configuration.

  • I do not quite agree - when I try to change the 2 factor settings on google.com Google prompts me for new 2 factor authentication. This guards against hijacking and accidental configuration changes.

  • DanielP

    Team Member

    @marty317:

    Daniel from the 1Password security team here. Ana asked me to take a look at your post to see if I could elaborate on our design decisions. I will start by getting something out of the way:

    when I try to change the 2 factor settings on google.com Google prompts me for new 2 factor authentication.

    It's difficult to compare an encryption-based product to a regular online account. Because 2FA has nothing to do with the encryption of your data (which is encrypted with your Secret Key and Master Password), our security model does not rely on 2FA confirmations (like when you login to your Google account, in your example).

    But to get back to your original suggestion: are you sure that what you are suggesting would have any security benefit at all? I can't see how this would improve your security posture, although it's possible that I have a different threat model in mind than the one you are thinking about.

    You wrote that, in order to disable 2FA, you "only" need to be in the app. As Ana said, this is a strong requirement already. To elaborate, you actually need to fulfill two separate requirements in order to find yourself in this scenario:

    • You have physical access to this device
    • You know the Master Password

    Both of these are challenging in their own way. But in turn, there are two different scenarios I can think of where these two requirements are fulfilled:

    1. You are the owner of this device, and you know your account credentials, since you are the legitimate owner of both the device and of the 1Password account;
    2. Your device was stolen from you, and your credentials were stolen from you as well (since the attacker would also have to know your Master Password to unlock the app to access its settings).

    If you are the legitimate owner of the device and of the 1Password account, then there is no problem. But if you are an attacker who managed to steal both your device and your credentials, how is asking for 2FA confirmation to disable 2FA going to help you? If I can unlock your app, I already have access to your data, so what benefit would it bring me (the attacker) if I managed to also disable 2FA, and why would I want to do that at that point? It sounds like security theater to me.

    The problem, if you find yourself in this scenario, is not 2FA: it's the compromise of your device and account credentials. None of these can be addressed with making 2FA more difficult to disable (you should instead wipe your device, and change your Master Password and Secret Key, respectively).

    ===
    Daniel
    1Password Security Team

  • Dear Daniel,
    I am impressed by the responsiveness of 1Password to user feedback!
    Your response appears to be logical.
    However, it turns out that I am paranoid, but only the paranoid survive (Andy Grove).
    I am in the process of migrating from Lastpass, and I am looking for the vulnerabilities in 1Password, both as regards keeping others out and the potential of locking myself out.

    The chief vulnerability seems to be that the web interface needed just 3 bits of information to come in: my email address (which unfortunately is public), the secret key, and my password. I would like this to be strengthened by another factor: a time-dependent one time password (TOTP) and/or a hardware key such as a YubiKey. I have activated both, and I verified that either a TOTP from an authenticator app or the YubiKey are needed when I want to log on with a fresh browser or using the 1Password app on a fresh Android phone.

    So I am basically happy, and I accept your logic. What is reassuring is that you have a mature security philosophy underlying your architecture and that you respond promptly to your users' requests.

  • DanielP

    Team Member
    edited July 26

    @marty317:

    I am impressed by the responsiveness of 1Password to user feedback!

    Thank you, that's good to hear :)

    However, it turns out that I am paranoid, but only the paranoid survive (Andy Grove).

    I don't believe you can work in security without being paranoid ;)

    I am in the process of migrating from Lastpass, and I am looking for the vulnerabilities in 1Password, both as regards keeping others out and the potential of locking myself out.

    Perhaps a bit unrelated, but worth mentioning since you brought this up: if you are a security researcher, I encourage you to join our BugCrowd bug bounty program. If you manage to find actual vulnerabilities in 1Password that could lead to security issues, you would get paid, which never hurts :)

    The chief vulnerability seems to be that the web interface needed just 3 bits of information to come in: my email address (which unfortunately is public), the secret key, and my password.

    I should note that, in most other cases, all you need to access something is two pieces of information: your email address and your password. 1Password already introduced a third piece in the form of the Secret Key which, by adding 128 bits of entropy, exponentially increases the difficulty of brute forcing account credentials (which, if I understand your point correctly, is your chief concern here). Adding yet another layer at this point would yield very little return (if any, and only in very limited scenarios).

    I would like this to be strengthened by another factor: a time-dependent one time password (TOTP) and/or a hardware key such as a YubiKey.

    It's worth clarifying why an additional factor here would not bring the security benefit you might be thinking it would bring. 2FA is an additional layer of authentication to an account: 1Password, being an encryption-based product, benefits from 2FA much less than a regular online account. Indeed, as I mentioned above, your data in 1Password is secured by your Master Password and Secret Key, so additional authentication layers would not strengthen your encryption, which is what ultimately protects your data.

    I have written about this some time ago here on the forum, in case you are curious to read some more details.

    So I am basically happy, and I accept your logic. What is reassuring is that you have a mature security philosophy underlying your architecture and that you respond promptly to your users' requests.

    I can tell you from firsthand experience that the security team here at 1Password studies everything in a lot of depth, before suggesting something either in favor or against a certain feature or behavior. There is always a reason behind our choices. Nothing is left to chance here, we like to be thorough :)

    ===
    Daniel
    1Password Security Team

  • Just chiming in to say, I'm hoping to see U2F login on Mac / Windows apps as well (Now only mobile devices + web browsers seem to be supported).

    As for the requirement some people want of being able to use only security keys for 2FA and not having to have a TOTP generator enabled as a requirement, why is it an issue if you use 1Password as the 2FA generator? If people already have access to your 1Password, what does it matter? @Rjevski perhaps you can elaborate :)

  • Rjevski
    edited July 29

    I don't want TOTP because ultimately it relies on a secret that can (at least temporarily, if I discard it right after setting up U2F) fall into the wrong hands and be reused down the line when I least expect it; the whole selling point of U2F is true end-to-end security (there's no secret you can intercept that will give you persistent access, at worst you can only hijack the currently active session) and the only way to break it would be to physically steal the hardware key (which I can notice and take appropriate action immediately, hopefully before the stolen key is used).

    The threat model I'm trying to protect against is less about an opportunistic attack where they'd get into my 1Pwd account and grab all the credentials and more about a targeted attack where the attacker might keep access to my 1Pwd for a long time without doing anything (I don't notice and thus don't rotate my credentials), waiting for the right credential to be put in there. A hardware key is an easier way to make sure nobody has access; as long as the key is in my possession I can be near-guaranteed that nobody can login even if they happen to have captured the credentials once (from malware on my machine for example).

  • Ben AWS Team

    Team Member
    edited July 29

    Thanks @Rjevski. I'm not sure that there is actually a notable difference in the level of security, based on 1Password's security model. Remember that MFA is only used in authorizing a device, which does trigger an email to you. If you physically have all of the devices you've authorized, and as gandalf_saxe alluded you're storing your TOTP secret on those devices... what would the attack vector be?

    (from malware on my machine for example).

    If that's the concern... MFA is not going to protect you. :) If you've got malware on your device it could simply record your screen whenever you've got 1Password open, or steal passwords from web pages as you fill them into a browser, no? Why attack the strongest part of the chain?

    Ben

  • Rjevski
    edited July 29

    Yes I agree, this is a very far-fetched scenario. The concern about malware is more about malware being there when I initially set up 2FA (so they copy the TOTP seed + master password) but doesn't do anything because there's nothing juicy to steal just yet and they would prefer to have long-term access. Eventually I clear the malware or reinstall the machine (which I typically do every few months) and think I'm safe, but they have the seed + master passwd saved and could log in on their side without me being able to do anything about it until it's too late (if the email arrives at night I would only see it and be able to take action in the morning, or they stole the email credentials earlier and messed with the account in such a way that the login notification email doesn't show up).

    My concern is more about a (potentially crazy) peace of mind thing, but shouldn't be hard to enable (you just have to really warn the user about not being able to login on U2F-incompatible devices and relax the validation to allow U2F enrollment without prior TOTP being setup) so why not?
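    An added model of the two second-factor flows Rjevski compares in the two posts above (example code written for this page, not 1Password's code): a TOTP verifier must hold the same seed as the authenticator app, so a seed copied at enrolment is indistinguishable from the real device, whereas a U2F-style verifier keeps only a public key and a fresh per-login challenge, so a captured assertion cannot be presented a second time. Ed25519 stands in for the security key's signature scheme, and the in-memory set of pending challenges is an assumed simplification of a real relying party's session state.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// totp is the RFC 6238 code (HMAC-SHA1, 30 s step, 6 digits) an authenticator app derives
// from the enrolled seed; the verifier holds the same seed, so a copy taken at enrolment keeps producing codes it accepts.
func totp(seed []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totpVerify is the server side; it cannot tell who computed the code.
func totpVerify(seed []byte, code string, now int64) bool {
	return hmac.Equal([]byte(totp(seed, now)), []byte(code))
}

// keyVerifier models a U2F/WebAuthn relying party: it stores only the public key
// from registration and issues a fresh random challenge for every login (assumed in-memory state).
type keyVerifier struct {
	pub     ed25519.PublicKey
	pending map[string]bool // challenges issued but not yet consumed
}

func (v *keyVerifier) issue() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	v.pending[string(c)] = true
	return c
}

// verify accepts a signature only over a challenge it issued and has not consumed,
// so a captured (challenge, signature) pair is useless for a later login.
func (v *keyVerifier) verify(challenge, sig []byte) bool {
	if !v.pending[string(challenge)] {
		return false
	}
	delete(v.pending, string(challenge))
	return ed25519.Verify(v.pub, challenge, sig)
}

// loginTwice: one genuine login with the private key (which never leaves the
// "device"), then the identical assertion presented again by an eavesdropper.
func loginTwice(v *keyVerifier, priv ed25519.PrivateKey) (firstOK, replayOK bool) {
	c := v.issue()
	sig := ed25519.Sign(priv, c)
	return v.verify(c, sig), v.verify(c, sig)
}
```

    The TOTP values can be checked against the RFC 6238 test vectors (seed "12345678901234567890", t=59 gives 287082), which is what the verifier below does.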

  • Ben AWS Team

    Team Member

    Yes I agree, this is a very far-fetched scenario. The concern about malware is more about malware being there when I initially set up 2FA (so they copy the TOTP seed + master password) but doesn't do anything because there's nothing juicy to steal just yet and they would prefer to have long-term access. Eventually I clear the malware or reinstall the machine (which I typically do every few months) and think I'm safe, but they have the seed + master passwd saved and could log in on their side without me being able to do anything about it until it's too late (if the email arrives at night I would only see it and be able to take action in the morning, or they stole the email credentials earlier and messed with the account in such a way that the login notification email doesn't show up).

    My counter-point is unless you're changing all of your passwords at the point you clear the malware (which is the correct response) they'd likely have any credentials you used while that malware was present logged, not just your 1Password credentials. U2F for 1Password doesn't prevent that.

    My concern is more about a (potentially crazy) peace of mind thing, but shouldn't be hard to enable (you just have to really warn the user about not being able to login on U2F-incompatible devices and relax the validation to allow U2F enrollment without prior TOTP being setup) so why not?

    Indeed. Thanks for the feedback. :+1:

    Ben

  • Hello, I'm looking into switching over from LastPass here as well, and having to use a TOTP instead of being able to just use my Yubikeys is really making me reconsider the switch. It feels like it should be a simple option available...
    Being forced to use TOTP just doesn't feel great when I have my Yubikeys right next to me. I say this stubbornly, I know, but I've already purchased the Yubikeys and enjoy using them.

  • ag_ana

    Team Member

    @cryinghard:

    You are not forced to use a TOTP if you use 1Password on a platform where Yubikey is supported ;) TOTP is currently there only for those platforms that don't support keys just yet.

  • Oh, hm. Is there a way to make it set so that Yubikey is the default instead of the TOTP? All my devices do support Yubikey, but I was prompted to use the TOTP when signing in with a new device.

  • ag_ana

    Team Member

    @cryinghard:

    I was prompted to use the TOTP when signing in with a new device.

    Was this in a 1Password app or in a browser?

  • Hello to all,

    I have been using 1Password for more than one year. I'm using the Yubikey for many services: Google, Facebook and many others on the internet.

    I'm using 1P on many different devices, from the smartphone to the PC/Mac desktop; for me, the MacBook Pro and iPad give the best experience for unlocking 1P because I use Touch ID.
    On a Mac or PC desktop you have to write the Master Password many many many times during the day. And this is frustrating, because you have the best solution for password management but there is no way to use a Yubikey or other security devices to unlock the 1P apps on PC/Mac desktop. I hope you implement this feature in the next versions because, in my experience, a password manager is very important and useful, but we have to do our job and not type the Master Password a lot of times during the day. Naturally the MP is complex and long.....

    Best regards.

  • Ben AWS Team

    Team Member

    Hi @AndreaB68

    On Mac, unlocking 1Password using a Yubikey is not something that is going to be feasible as things currently stand. If you have an Apple Watch and a Mac with a T1 or T2 chip then we do have some improvements coming where you'd be able to unlock 1Password for Mac using the Apple Watch. As you mentioned we also currently offer unlocking via Touch ID. On Windows we support unlocking using Windows Hello, which offers a variety of options, potentially including Yubikey:

    The difficulty with unlocking using a Yubikey on macOS is that we would somehow need to store the Master Password on the key and retrieve it from the key each time it is needed, which is not something we've found a good solution for. It is possible to adjust your lock settings so that entering the Master Password is required less frequently:

    How to set 1Password to lock automatically

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • we do have some improvements coming where you'd be able to unlock 1Password for Mac using the Apple Watch.

    Is there a beta I can join for this?

  • Lars Junior Member

    Team Member

    Welcome to the forum, @arikfr! Not just for this; if you want to participate in the latest beta, just click 1Password > Preferences > Updates and check the box marked "include beta builds." Then perform a manual check by clicking "Check Now."

  • Thanks, @Lars. I assume I need to replace the App Store version with one downloaded from your website for this to work, right?

  • ag_ana

    Team Member

    That is correct @arikfr, the Mac App Store version of 1Password only uses the latest stable version :+1:
