Feature Request: Unlock 1Password with a security key (yubikey)

drumboots
Community Member

This isn't Mac specific but there does not seem to be a "general discussion" forum or a feature request forum.

I would love to be able to unlock 1Password (web site, browser app, phone app) using my yubikey security keys, rather than typing my master password.




Comments

  • AGAlumB
    1Password Alumni
    edited December 2018

    @drumboots: We have no plans to have any hardware device that could easily be lost, stolen, or destroyed replace the Master Password*. You can, however, use Yubikey as a second factor for a 1Password account, and we're also looking at possibly supporting other integrations as well. Cheers! :)

    *Edit: clarification: technically you can do that anyway, but it isn't something we recommend or support.

  • confusingboat
    Community Member
    edited June 2019

    I also think this would be an incredibly useful feature, but only as a secondary method of conveniently unlocking post-initial unlock, e.g. after the lock timeout or resumption from sleep; the master password would still be required after a cold boot/login.

    I imagine this feature as being similar to how Github allows you to use a hardware key in lieu of your password to authenticate when attempting to perform sensitive actions, but only after you've already logged in using a password and 2FA mechanism.

  • @confusingboat

    A bit has changed since this thread (December 2018). You may find this post interesting:

    Introducing support for U2F security keys

    Ben

  • bbeyer
    Community Member

    I would also like this feature. To be able to unlock 1Password with a Yubikey, much like using our fingerprint now on the touchbar.

  • Hi @bbeyer

    YubiKey is intended to be used as a second factor, not the sole factor. Also consider that if we were to design 1Password in the way you're suggesting the loss of the physical YubiKey device could make your data unrecoverable.

    Ben

  • bbeyer
    Community Member

    I would assume you would be able to use your master password as a backup just like you can for Touch ID.

  • I see. If that's the sort of setup you'd like @bbeyer then you may be able to configure your YubiKey to type your Master Password for you:

    Understanding Core Static Password Features : Yubico Support

    I'm not sure that is something we'd be able to recommend doing... just pointing out the fact that the technology exists. :)

    Ben

  • tsereg
    Community Member

    Yubikey is a 2nd factor, the name says it all. As a former LastPass user, I prefer the way its browser extension works: after (re)starting the browser I have to authenticate myself with the master password AND the 2nd factor (yubikey) to activate the extension, but the extension keeps working until I stop the browser.

    An optional 1-day timeout would have been nice (to handle the case of not restarting the browser at all), though.

    Yubikey should be used as 2FA at least for registering a new Android or iOS device, too.

    Is there any chance to have such features?

  • @tsereg

    We don't have any plans to require a second factor for unlocking 1Password. If a second factor is set up, it is required when adding a new / unrecognized device.

    Ben

  • kobi97
    Community Member

    I also would like to see an implementation like Microsoft did. A U2F replaces the password with a PIN. So PIN + Hardware Key = Login.
    There are smart ways to get this done on 1PW too.
    As bbeyer said, TouchID and 1PW work fine; it asks you from time to time or on reboots for the master PW. Why only TouchID? Why not also a key like a yubikey?

    I hope we will see solutions to replace or half replace the master PW with a PIN or something.

  • kobi97
    Community Member
    edited February 2020

    I hope at least when they release the YubiKey Bio with a fingerprint sensor, 1PW will adopt the same mechanism like TouchID.

    https://www.yubico.com/blog/yubico-reveals-first-biometric-yubikey-at-microsoft-ignite/

    Greetings

  • kobi97
    Community Member
    edited February 2020

    @Ben yes I read that. It is a possibility but not an optimal solution in my opinion.
    Exposing the Master PW is easy, because you only need to press the Yubikey for example 1-2 seconds in a text file and the static PW will be exposed. A direct feature from 1PW would be better.
    A solution like Windows or Apple did, directly from 1Password, would be so cool. So passwordless would be a YubiKey Bio or a normal YubiKey plus a PIN.
    That would be my dream 1PW Setup.

    Please consider this feature request in the next meeting :)

  • We don't have any plans for that, but perhaps it is something we can consider for the future. :+1:

    Ben

  • kobi97
    Community Member

    @Ben Thanks for considering it. I mean you already implemented it with TouchID. After a reboot a Master PW is still required and so on.
    The same implementation from TouchID with a YubiKey Bio on all devices (Windows, Android, MacBook (when closed or without TouchID)...) would be possible. Isn't that a great new feature? :)

  • :+1: :)

    Ben

  • Malbec
    Community Member

    Just to confirm that I got it properly: Yubikey across all 1Password apps including online account is ONLY used to authenticate new devices? So once authorized, the device will never be asked for Yubikey again?

    I thought the general idea behind it is that Yubikey can be used to unlock 1Password (desktop app, mobile, www) but this does not seem to be the case?

  • Hi @Malbec,

    It sounds like you've got the gist of it.

    > Just to confirm that I got it properly: Yubikey across all 1Password apps including online account is ONLY used to authenticate new devices? So once authorized, the device will never be asked for Yubikey again?

    Correct.

    > I thought the general idea behind it is that Yubikey can be used to unlock 1Password (desktop app, mobile, www) but this does not seem to be the case?

    Yubikey is not involved in the unlocking process; just the device authorization process.

    Ben

  • Malbec
    Community Member
    edited March 2020

    Thanks @Ben.
    Is it now possible to add multiple Yubikeys to a 1Password account? I remember reading, before the introduction of U2F, that only 1 Yubikey could be associated with a 1Password account. Has it changed?

  • ag_ana
    1Password Alumni

    @Malbec:

    Yes, you can add multiple Yubikeys to a 1Password account :)

  • Malbec
    Community Member

    Thanks everyone. So I have added 2 Yubikeys to my 1P account and have 2 questions:

    1. I thought I can remove "authenticator app" and rely only on hardware Yubikeys authentication. However although I can remove any Yubikey I have added, the only option that appears next to "authenticator app" is to "replace". Is there no way to remove/disable it and rely only on Yubikey?

    2. With the above scenario, when I force my iPhone via 1Password online account to "require 2FA" on next log in, it always shows me 3 choices: NFC, authenticator OTP and lightning USB. If I choose NFC and authorize via Yubikey NFC, although it says "success" nothing happens and I get the 3 choices once again. The only way to go past this screen is if I choose authenticator OTP codes.

    Is this a bug? Any idea how to resolve it?

  • ag_ana
    1Password Alumni

    @Malbec:

    > I thought I can remove "authenticator app" and rely only on hardware Yubikeys authentication. However although I can remove any Yubikey I have added, the only option that appears next to "authenticator app" is to "replace". Is there no way to remove/disable it and rely only on Yubikey?

    Not currently: you can ignore the TOTP option, but at the moment it cannot be removed, even when there is a Yubikey added to the account.

    > With the above scenario, when I force my iPhone via 1Password online account to "require 2FA" on next log in, it always shows me 3 choices: NFC, authenticator OTP and lightning USB. If I choose NFC and authorize via Yubikey NFC, although it says "success" nothing happens and I get the 3 choices once again. The only way to go past this screen is if I choose authenticator OTP codes.

    Is this by chance a Yubikey NFC Neo?

  • Malbec
    Community Member

    @ag_ana Thank you. It is YubiKey 5 NFC. I have also just downloaded 1Password 7 to my Macbook Pro as well (having first done it with Mac Pro and iOS) and updated it to the 1PW online account. It asked me for OTP code, there was no option for Yubikey. I inserted Yubikey thinking it may work but 1PW was insisting on OTP. There was no option to ignore OTP.

    So what's the use of Yubikey if things are not working as they should and OTP is always required despite having 2 Yubikeys registered on the account?

  • ag_ana
    1Password Alumni

    @Malbec:

    That's because not all of the 1Password clients support Yubikeys yet, which is why we still require a TOTP to be present. In clients that already support Yubikeys (such as the web app on 1Password.com), you can use them instead of TOTP. In clients such as 1Password for Mac, you are currently prompted for TOTP instead, which is why you need to have one configured in your account.

  • Malbec
    Community Member

    @ag_ana Thank you. So the 1Password desktop Mac app does not have support for WebAuthn yet - okay. Why is the 1Password iOS app asking me for NFC repeatedly, despite showing "success"? I thought it should work with YubiKey 5 NFC?

  • @Malbec

    YubiKey 5 NFC should indeed work. I'd like to ask you to create a diagnostics report from your iOS device:

    Sending Diagnostics Reports (iOS)

    Attach the diagnostics to an email message addressed to support+forum@agilebits.com.

    With your email please include:

    • A link to this thread: https://discussions.agilebits.com/discussion/comment/561311/#Comment_561311
    • Your forum username: Malbec
    • A screenshot of the NFC prompt and a screenshot of the "success" message: How to take a screenshot

    That way I can "connect the dots" when I see your diagnostics in our inbox.

    You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here so I can track down the diagnostics and ensure that this issue is dealt with quickly. :)

    Once I see the diagnostics I'll be able to better assist you. Thanks very much!

    Ben

  • Malbec
    Community Member

    @Ben It's already being taken care of by the support team, which were able to confirm the same issue. Thanks.

  • Great :+1:

    Ben

  • Rjevski
    Community Member

    Have there been any updates on the TOTP requirement? I'd like to use a Yubikey (several ones to protect against loss/damage) to further secure my 1Password account, but I don't want to be using TOTP (that would require my phone, but the reason I'd be logging into a new device in the first place is because my old phone is unavailable/damaged/etc) and use only Yubikeys. Is it possible now?

This discussion has been closed.