Yubikey instead of master password?

As the title says, is it possible to use a YubiKey 5 NFC instead of the master password? Yes, I am that lazy.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Not to worry, @Naxterra, I'd love to be that lazy too. :wink: There's no way to do this 100% of the time at present, but you can use Windows Hello to unlock with a YubiKey after you've unlocked 1Password with your Master Password once. To be totally clear, unlocking with your Master Password allows you to use Hello (and thus your YubiKey) for the duration of your Windows session so long as you don't restart 1Password during that time. Restarting 1Password itself or rebooting will require you to use your Master Password once more to enable Hello. :+1:

    Additionally, I do believe this is a fairly recent addition to Hello and may not be available to you depending on your Windows version. I'm still stuck on 1803 (I can only assume due to continuing hardware incompatibilities with later Windows versions – Windows Update still says I'm totally updated) and the documentation I've seen suggests this wouldn't be available to me. Hopefully this is neither here nor there for you, but just an FYI in case you've been left behind like me. :frown:

  • Oh, boo! Between the two of us, I guess we'd have one working setup, @Naxterra – I have a YubiKey 4 but not a proper Windows version (at least not on the device I use primarily). :lol: Depending on your setup, both would probably be extra purchases, but Hello supports both fingerprint readers and a certain subset of fancier cameras for Windows sign-in (and thus 1Password). Perhaps not something you'd want to purchase for ease of unlocking 1Password alone, but if you have other cause to want one or the other, possibly something you could justify. Also, definitely don't neglect your auto-lock settings. They won't completely eliminate the need for your Master Password, but proper adjustment there (found in Settings > Security) can at least keep the need to unlock to a minimum. :+1:

  • YubiKey support in general is fairly new, @Naxterra, and none of the native apps have support for it just yet. For that reason, we ask you to set up both TOTP and your security key. The latter will be used when signing in via your browser, but you'll need the former for the apps for now. No spoilers, but it is something we hope to bring to the native apps in a future update. :+1:

  • Hrm. That definitely shouldn't be the case, @Naxterra. Your app should exchange a secret with the server to let it know that it's already authorized. Any sort of security software on your network that might be blocking smooth communication here? Anti-virus? Firewall? If so, step one would be to make sure 1Password is whitelisted and see if that resolves things. If not, or if you don't have either, let me know and we'll take a closer look. :+1:

  • Well, that is not how things are supposed to be. Let's take a peek! Could you shoot me a diagnostics report via e-mail, @Naxterra? Instructions are here:

    https://support.1password.com/diagnostics/?windows

    Send 'em to support+windows@1password.com and, if you can let me know here when they've been sent off, I can try extra super hard to get to them before I scoot for the day. If I don't manage, one of my teammates can take a look while I'm away. Thanks! :chuffed:

  • Thanks, @Naxterra! I found it and am replying to you right now. You'll have an answer in your inbox soon. :+1:

    ref: IJS-31515-883

  • dubsauce, Community Member

    Bump. This would be an interesting feature because it also proves that the user who knows the master password also has access to the security key, in this case a Yubikey. If not, to me this doesn't really sound like 100% 2FA because everybody who has access to my laptop or a device of mine and knows the password can access it. But if he also requires the 2FA, that might be problematic. Also typing the password all the time is prone to interception, but a TOTP is unique, so even if anybody catches it, it doesn't really matter.

    In the end it's also about commodity, it being easier to type an Authenticator 6-digit token, or just press a YubiKey, than to type a 30+ char password 10 times a day.

    The reason I'm asking is that I've used LastPass in the past and by default every time you open the browser, it will ask you for a press of the YubiKey => TOTP. Occasionally it asks for the password too, but it depends on whether it's a full machine restart or something like that.

  • AGAlumB, 1Password Alumni

    @dubsauce: A one-time password cannot decrypt your data though. The Master Password is needed. That's why options like this are only available after unlocking with the Master Password the first time, since then a Master Password equivalent is in memory temporarily and it can be used to decrypt your data when the OS authenticates you. In order for that to work longer-term, there would need to be a secure place we can rely on to store that secret; we're not going to write it to disk.

  • dubsauce, Community Member

    @brenty: OK, so I understand the idea that it requires the Master Password on every reboot because it's no longer stored in memory. I actually prefer that because it's part of security.
    If a user would uncheck some or all options from "Auto-lock", that means that the Master Password is stored in memory and will only be needed on a system reboot, right? (Talking about the Mac client because that's what I use at work, but I assume that other clients such as Linux have similar options.)
    I think it's really nice to have an option so you can "soft unlock" with 2FA as long as it was unlocked during the last boot with the master password. And of course on every boot, mandatory Password + 2FA.

  • What you're asking for actually sounds more like our Touch ID implementation (or Windows Hello on Windows), @dubsauce. Since you're on a Mac, this is actually a smidge different for you, too. Assuming your Mac supports Touch ID, you can actually use that to unlock 1Password even after a reboot, depending on your settings. Macs actually make this sort of thing far easier than PCs do because every Mac that supports Touch ID also has what Apple calls the Secure Enclave. On Mac, we store your Master Unlock Key (this isn't your Master Password itself, but rather a key derived from your Master Password) in the Secure Enclave when Touch ID is enabled, and only clear it when we need to according to your security settings. This means you can set 1Password for Mac up to always unlock with Touch ID, if you'd like.

    On Windows, there's no analogue for the Secure Enclave – at least not that we've found just yet – because hardware on Windows just isn't as consistent as it is on Mac. Every Mac ever is designed by Apple, but a PC could be designed by any number of companies from Dell to Microsoft itself. This comes with its advantages as PCs tend to be more customizable, but it has disadvantages as well because we can't assume that every PC that supports Windows Hello – available on any device running Windows 10 – will also have a particular bit of hardware we need to safely store that Master Unlock Key like we do on Mac.

    Since what you're after is avoiding the Master Password more so than any specific security property provided by 2FA specifically, we may actually offer something that works for you already in the form of Touch ID (assuming your Mac supports it). If you don't have a Touch ID Mac, well, I'll be sure to pass your feedback along to the team regardless. Maybe with Face ID becoming more prevalent, we'll one day see that offered on more Macs and that can take on that role. Fingers crossed!

  • dubsauce, Community Member (edited October 2019)

    @bundtkate Thank you for the clear and thorough answer.

    To be honest I'm avoiding fingerprint security as much as possible, or stuff like Face ID. The YubiKey or any U2F hardware device is portable, whereas Touch ID is bound to an Apple laptop. I can use the YubiKey on any other device regardless of whether it's a Mac, Android (with NFC) or Linux/Windows. Another advantage of using a YubiKey is that the private key is stored inside and cannot be extracted. I can use it to connect to machines via SSH or even decrypt GPG files.

    The whole reason I'm asking for this is that I usually prefer Linux over Mac and I do believe U2F devices can bridge the gap that you're talking about, that is missing on PCs.

    Thank you very much for your feedback and work!

  • It's no trouble at all, @dubsauce! Funny enough, the YubiKey's portability is what keeps me away from it. Of course, I am not a Linux gal so I don't have that gap to fill making this an easier choice for me since the devices I use have native biometric options, but I have this unfortunate tendency to lose small devices. I'm simply terrified of the idea that I could lock myself out of god knows how much by losing a particular tiny little security key. I have one for testing our U2F implementations, of course, but it lives in my USB hub connected to both my PC and my Mac and never ever moves. It's just about the only way I feel comfortable I won't lose it at some point down the line. Just goes to show that we need to keep our options open so that we can consider alternatives that better allow everyone to have access to these sorts of features, regardless of the devices they use. :chuffed:

  • Stanzilla, Community Member

    Would love to bump this one up again, the Yubikey Windows Hello integration only works with local Windows accounts, not Microsoft accounts, so it would be lovely if 1Password could support it natively instead of relying on Windows Hello.

  • AGAlumB, 1Password Alumni

    That sounds more like a Yubikey feature request, but it's certainly something we'll keep an eye on. :)

  • Justin0xFFF, Community Member

    I'm going to throw my name in the hat as well. I just ditched LastPass for 1Password and I'm extremely frustrated by the lack of an authenticator app and clunky Yubi support.

    Here is a really great way to understand what I’m hoping for.

    1. Build your own OTP app like LastPass and allow backups please (both of these should be obvious by now).
    2. Implement YubiKey support the way LastPass or Google does it. They are by far the easiest and lowest friction of the three. Open the app, plug the key in, tap it, pull it out, TADA.. on my way. No need for OTP in one area. Ease of use was exactly why I bought three YubiKeys. This shouldn't be hard for users.
    3. Make setting the lockout/timeout on Mac easy to find. I set my auto lock (which has no off setting) to 100mins. Just stay open until I restart the session (app/chrome/computer).

    It’s seriously frustrating to have to enter a massive password 7-8-9 times a day in the middle of a workflow, and then whip out my phone or grab my keys, and god forbid I can’t find one or the other at that time...

    Thank you. Happy I switched to 1Password, but a little peeved over this clunky/frustrating feature set.

  • plttn, Community Member

    Okay, so to clarify some things:

    1Password has support for one time passwords being generated for a site, just click add field, select one-time password.

    What LastPass is doing is not what Google is doing, and honestly I wouldn't want my password manager set up the way LastPass sets it up. LastPass is using Yubico OTP instead of something like U2F. Really, all Yubico OTP is is a standard OTP app with more steps. Google is using U2F, which is significantly more secure, but doesn't necessarily allow for it to be used to handle decrypting a key (as it only handles authentication but not necessarily authorization).

    The flow of U2F doesn't provide a way for the U2F device to make any authorization claims; it can only identify that it's the same key that was previously registered. With that in mind, the only way to have 1Password decrypt on just U2F would be trusting a server not to serve up the derived key unless authentication is accurate. This, to me (and I'm pretty sure to AgileBits as well), is unacceptable. Trusting someone not to do something is functionally useless as far as security goes.
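The two technical points made in this thread, AGAlumB's "a one-time password cannot decrypt your data, the Master Password is needed" and plttn's "U2F only proves it is the same key, it carries no key material", can be shown concretely. The following is an added example written for this page; it is not 1Password's or AgileBits' code and says nothing about their actual vault format. It derives a Master Unlock Key (MUK) from the Master Password with PBKDF2 (the parameters are an assumption), seals a constructed sample vault with an HMAC-based stream cipher that stands in for a real AEAD such as AES-GCM, implements RFC 6238 TOTP over HMAC-SHA1, and models the unlock behaviour described above: the first unlock needs the Master Password, a correct TOTP can re-open the vault only while the derived key is still held in memory, and a "restart" that drops the cached key puts you back to needing the Master Password. The names `derive_muk`, `VaultSession` and `demo` are hypothetical.

```python
"""Added example: why a one-time password cannot replace the Master Password.
Not 1Password/AgileBits code; names and the vault format are hypothetical."""
import hashlib
import hmac
import os
import struct
import time

KDF_ITERATIONS = 100_000  # assumption for illustration, not 1Password's parameters


def derive_muk(master_password: str, salt: bytes) -> bytes:
    """Master Unlock Key. The only input that can produce the decryption key is
    the Master Password; no TOTP/U2F output appears anywhere in this function."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256. Stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag (toy AEAD)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The output is a yes/no check, never key material."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class VaultSession:
    """Hypothetical model of the behaviour described in the thread."""

    def __init__(self, salt: bytes, sealed_vault: bytes, totp_secret: bytes):
        self.salt, self.sealed, self.totp_secret = salt, sealed_vault, totp_secret
        self._muk = None  # derived key lives only in memory, never on disk

    def unlock_with_master_password(self, password: str) -> bytes:
        muk = derive_muk(password, self.salt)
        try:
            data = open_sealed(muk, self.sealed)
        except ValueError:
            raise PermissionError("wrong Master Password")
        self._muk = muk  # cache the MUK for the life of this process
        return data

    def unlock_with_totp(self, code: str, now: int = None) -> bytes:
        """Second-factor re-unlock works only while the MUK is cached."""
        if self._muk is None:
            raise PermissionError("no cached key: Master Password required")
        t = int(time.time()) if now is None else now
        if not hmac.compare_digest(code, totp(self.totp_secret, t)):
            raise PermissionError("bad one-time password")
        return open_sealed(self._muk, self.sealed)

    def restart(self) -> None:
        """App restart / reboot: the cached key is gone."""
        self._muk = None


def demo() -> dict:
    """Constructed sample: a vault, a Master Password and a TOTP secret."""
    salt, totp_secret = os.urandom(16), b"12345678901234567890"
    vault = b'{"example.com": "hunter2"}'  # constructed sample data
    password = "correct horse battery staple"
    session = VaultSession(salt, seal(derive_muk(password, salt), vault), totp_secret)
    now = 1_700_000_000
    code = totp(totp_secret, now)
    results = {}
    for label, action in [
        ("totp_before_master", lambda: session.unlock_with_totp(code, now)),
        ("wrong_master", lambda: session.unlock_with_master_password("password1")),
        ("master", lambda: session.unlock_with_master_password(password)),
        ("totp_after_master", lambda: session.unlock_with_totp(code, now)),
    ]:
        try:
            results[label] = "opened" if action() == vault else "garbled"
        except PermissionError:
            results[label] = "refused"
    session.restart()
    try:
        session.unlock_with_totp(code, now)
        results["totp_after_restart"] = "opened"
    except PermissionError:
        results["totp_after_restart"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `totp_before_master` and `totp_after_restart` as "refused" and the other three as expected: a correct one-time password is worthless until a Master Password unlock has put the MUK in memory, and it is worthless again once that memory is gone. A U2F assertion has the same property as the TOTP here: it yields a verified boolean, not a key, so the only way to make it "decrypt" would be for some party holding the MUK to hand it over after the check, which is exactly the trust relationship the comment above objects to.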

This discussion has been closed.