fido2 webauthn and iphone
Hi,
I've been using 1 password for probably 5 years and it syncs between all my Apple devices through iCloud. I assume my license type is standalone since I don't have any login account and don't get billed every month.
As a network admin I have many different systems including Windows and Linux, and have also been using Google password sync for some "less important" accounts.
So, here's my question:
I'd like to "move beyond passwords" and consolidate my password management onto a fido2 device, preferably my iPhone with 1 password. Has anyone done this? I like the idea of all my accounts syncing across all my different devices and managed through WebAuthn but I'm worried that I may be a little early (or late) to the party.
What account would I need to do this and is it even possible?
John
1Password Version: 7.6.2
Extension Version: Not Provided
OS Version: Mac, iOS, Windows 10, Ubuntu Linux
Sync Type: iCloud
Comments
-
Hi @matthewsx
Thanks for taking the time to write in. 1Password membership accounts do support using U2F. This does not replace the Master Password, however. The Master Password (and Secret Key) are still used to encrypt the data you store in 1Password. U2F is only used to protect the device authorization process. You can read more about this here:
Use your U2F security key as a second factor for your 1Password account
We do not currently support unlocking 1Password solely with a hardware key (a la FIDO2), but that is something we're evaluating the security properties of and may be something we can offer in the future. For now, U2F hardware keys can assist in the protection of your account as an additional step beyond the Master Password (and Secret Key). Because standalone vaults don't have a device authorization process this would not be applicable there. You may want to consider upgrading to membership in order to take advantage of the latest and greatest with 1Password. Additionally as a Linux user you may be interested to know we now have a 1Password for Linux app for membership accounts in development, which is available for preview:
1Password for Linux development preview
You can read more about the benefits of membership in this article:
About 1Password membership
And if you decide you'd like to give it a try we have information on migrating from standalone to membership here:
Move your existing 1Password data to a 1Password account
I hope that helps. Should you have any other questions or concerns, please feel free to ask.
Ben
0 -
Hi,
Thanks for the quick response.
So, to be clear I really don't want to carry around an extra piece of hardware as my logins aren't currently required to be that secure and my employer would provide one if they needed to be. If however it actually provided shared key technology, and secure password management I would probably make room for it in my pockets. I am pleased to see that 1Password itself can be augmented with a U2F second factor authentication but I like the ease of using my fingerprint since I always have it with me :)
What I would like though is to be able to open 1Password with my fingerprint as I already do and have as many of my accounts secured with WebAuthn shared key technology as possible. I like the fact that 1Password syncs across my Apple devices fairly seamlessly (actually the only thing I use iCloud for) and would like to extend that functionality across all the platforms I use. I just want to make sure I'm moving in the direction of shared key rather than increasingly complex and lengthy passwords that do not actually achieve greater security regardless of how well you protect the passwords themselves.
Referencing this post:
https://discussions.agilebits.com/discussion/108823/fido2
It looks like what I'm hoping to achieve isn't the direction 1 Password is going (or maybe even could) go in. I'll take a look at your offerings under membership and see if there's more value than what I have with my current product but already paid for is a pretty strong motivator to leave well enough alone.
Perhaps a hybrid approach is what I'll end up with but ultimately I'd like one unified product that can move in the direction of passwordless authentication.
Thanks,
John
1 -
I wouldn't go as far as to say FIDO2 is the direction we're heading, but I would say it is something we're keeping a close eye on. We're not oblivious to the fact that folks don't generally like having to type their Master Password frequently. Touch ID and Face ID on Apple products, Windows Hello on Windows, and other similar offerings on other platforms can certainly help but they aren't (yet) a universal solution.
I'll take a look at your offerings under membership and see if there's more value than what I have with my current product but already paid for is a pretty strong motivator to leave well enough alone.
I'm sure our sales team would be happy to take that into consideration if you were to reach out to them. You can contact them at
support@1password.comvia email to discuss. :)Ben
0 -
Thanks Ben,
Like I said I've been pretty happy with the product as I currently use it. Will definitely keep it in mind as I move forward with my investigations.
John
1 -
Fair enough @matthewsx. :) If there is anything else we can do, please don't hesitate to contact us.
Ben
0
