Feature Request: YubiKey Support


Comments

  • benfdc
    Community Member
    edited January 2014

    Most people use it for storing all their login data for forums and such. How much security does one need for storing such information?

    Personally, I store credit cards, bank account numbers, router logins and Wi-Fi shared keys, driver's licenses, passports, SSNs, insurance policy info (health, auto, life, etc.) and pretty much everything else that the app is specifically designed for. And not just forum logins, but also email, chat, and financial stuff.

    You can't be safe on the internet unless you use strong, unique passwords; you can't use strong, unique passwords for dozens of accounts unless you have a password manager; and of all the password managers I have tried, I find 1Password to be the most comfortable.

    If you are going to hand out handguns, give people training so they can properly use them and put a safety pin in place so they don't accidentally go off.

    I don't understand what you mean by this. If putting a safety pin in place means building in a back door to allow data recovery if a YubiKey is lost, then perhaps the YubiKey is not a great idea to begin with. Also, it is in the nature of a product like 1Password that it must be usable by, and beneficial to, people who are never going to RTFM. You can offer your users training, but you can't train them. My suggestion of a two-tier approach is an effort to reckon with that reality.

  • rhordern
    Community Member
    edited January 2014

    Hello,

    There are two concerns that I don't think need to be worried about:

    1) Compatibility with all devices:

    The YubiKey NEO is NFC compatible; it's currently been tested on Android, RIM, Windows Phone and Symbian devices. iPhones don't have NFC support yet but I'm pretty sure that it will be added soon.

    You can implement NFC support inside your applications, to request that the user swipes the back of the phone with the YubiKey.

    The YubiKey is compatible with all desktop devices that have a USB port.

    2) Worry about losing your YubiKey:

    The whole principle about having a YubiKey is to have more than one. You would have 2 or 3 YubiKeys (I have a YubiKey NEO on my keyring, a YubiKey Nano plugged permanently into my computer, and a YubiKey Standard kept in a safe place as a backup key).

    3) People who don't want to invest in a YubiKey or who don't like the idea:

    A YubiKey implementation should be optional; people who want it can activate it and people who don't want it can disable it.

    4) Worries about making it less secure:

    You would not allow one or the other but enforce YubiKey + password. A hacker would have to physically have your YubiKey and also have your password, making it almost impossible to bruteforce your 1Password master password.

    5) You would need internet access to log into 1Password:

    This would not be a problem for users who use 1Password for only accessing data online. I personally print out my passwords and keep them in a safe place.

    My current worry is a hacker bruteforcing my passwords; it makes it a worry to keep my 1Password database on services like Dropbox.

    I know your answer to this is it would take years to bruteforce a 30-character password… well, technology evolves; here's an example of a machine that is capable of generating (according to the article) 348 billion NTLM password hashes per second, and capable of cracking an 8-character password in 5.5 hours.
    It would obviously be slower on a 1Password database as it would require more resources. We're pretty safe at the moment, but we don't know what the future will bring; with 4K monitors becoming a standard, the number of GPUs and power per GPU will increase.

    Why wait when there is an option that lots of us already want?

  • benfdc
    Community Member

    iPhones don't have NFC support yet but I'm pretty sure that it will be added soon.

    Apple seems to be passing on NFC and pushing Bluetooth 4.0 instead.

  • rhordern
    Community Member

    They don't do the same things. I can't see things like bank cards that are already NFC equipped having a battery and Bluetooth added. Bluetooth 4 will enable broadcasts that the phone can pick up, but Bluetooth 4 doesn't allow detecting when an object is touching the device, nor does it allow devices without a battery. I still believe iPhone 6 will have NFC but privilege Bluetooth for large data transfers.

  • jpgoldberg
    1Password Alumni

    @rhordern,

    I think we can also get around your number 5 "users having to have an internet connection" by using the YubiKey in an unusual way. That is, if we just used the YubiKey as a storage device instead of using the authentication protocol, we could avoid that particular concern.

    However, that design choice would raise a different threat to the YubiKey: If the communication from the YubiKey to the host is intercepted then it can be replayed. (Basically the YubiKey would just be storing a secret on it and giving that secret to 1Password upon request. We wouldn't be using the core security properties of the YubiKey itself.)

    I think that that design choice would be inevitable, however. I don't see how to use a yubikey for encryption (as opposed to authentication) otherwise.
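
The trade-off raised in the thread (a token used as plain storage versus a token used for authentication), as an added example that is not code from 1Password, Yubico or any poster. It models the storage mode as a static secret mixed into a password-derived key, and the authentication mode as a generic HMAC challenge-response; all names and values are constructed assumptions.

```python
import hashlib
import hmac
import os

# All names and values below are constructed for illustration.
TOKEN_SECRET = b"constructed-token-secret"
SALT = b"constructed-salt"
MASTER_PASSWORD = "correct horse battery staple"


def derive_vault_key(password: str, token_secret: bytes, salt: bytes) -> bytes:
    """Storage mode: the token hands over its secret, which is mixed into the key."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(token_secret, pw_key, hashlib.sha256).digest()


def token_respond(token_secret: bytes, challenge: bytes) -> bytes:
    """Authentication mode: the secret stays on the token; only an HMAC leaves it."""
    return hmac.new(token_secret, challenge, hashlib.sha1).digest()


def verify(token_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Verifier side: needs its own copy of the secret and a fresh challenge."""
    expected = token_respond(token_secret, challenge)
    return hmac.compare_digest(expected, response)


def compare_modes() -> dict:
    real_key = derive_vault_key(MASTER_PASSWORD, TOKEN_SECRET, SALT)

    # Storage mode: what crosses the token-to-host link once is the secret itself.
    intercepted_secret = TOKEN_SECRET
    replayed_key = derive_vault_key(MASTER_PASSWORD, intercepted_secret, SALT)
    guessed_key = derive_vault_key("wrong guess", intercepted_secret, SALT)

    # Authentication mode: an intercepted response is bound to one challenge.
    first_challenge, next_challenge = os.urandom(16), os.urandom(16)
    intercepted_response = token_respond(TOKEN_SECRET, first_challenge)
    fresh_response = token_respond(TOKEN_SECRET, next_challenge)

    return {
        "static_secret_replayable": replayed_key == real_key,
        "password_still_required": guessed_key != real_key,
        "old_response_accepted": verify(TOKEN_SECRET, next_challenge, intercepted_response),
        "fresh_response_accepted": verify(TOKEN_SECRET, next_challenge, fresh_response),
    }


if __name__ == "__main__":
    print(compare_modes())
```

In this model the challenge-response side only works because the verifier holds its own copy of the secret, so it authenticates the token without by itself producing a key for offline decryption.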

This discussion has been closed.