I want to be sure I understand about Yubikey

Bronwen224466
Community Member

Hello. I am looking at Yubikey since so many people say it is more secure than getting second factors by text or authenticator app. My main goal would be to stop someone accessing my account via the website, if they somehow managed to have my master password. But unless one deactivates the ability to get a code by text or authenticator app (and this seems inherently risky), I don't see the benefit of Yubikey, since a malevolent person could circumvent the need for Yubikey by simply opting for one of the other methods instead. I know that doesn't mean they can access my passwords, but the question is, what's the point of the Yubikey? Am I missing something? I understand that Agile Bits resisted adding Yubikey support for some time, and the reasons made sense, so what changed?
And I know that Yubikey, for at least some apps, requires specific browsers, for example Chrome. Will it work for 1Password with Safari?

Thank you!


1Password Version: 7.6
Extension Version: 7.6
OS Version: 10.15.7
Sync Type: not sure
Referrer: forum-search:yubikey

Comments

  • ag_ana
    1Password Alumni

    Hi @Bronwen224466!

    I just wanted to say that I have asked our security team to look at your questions, they can give you much better answers than I could :+1: :)

  • Lars
    1Password Alumni
    edited November 2020

    Hi @Bronwen224466 - Lars from the Security Team here. You've raised a few good questions, so let's try to go through them all. To start, there are no specific restrictions by browser on your use of a Yubikey; if you've added a Yubikey to your 1password.com account's 2FA setup, you can use it with any browser, including Safari on a Mac.

    You've asked about what is probably the most-likely way for someone to try to attack your account: via our website. The only other way to get a copy of your encrypted data is by stealing it directly from one of your own devices, either by taking a device physically or by remote compromise. Both of those methods of attack are a lot less immediately available in most circumstances than an attacker simply visiting the 1password.com website, which anyone can get to. But there is more than just two-factor authentication at work to defend your secrets at 1password.com, because we knew this would be an easily-available target for would-be thieves. Your main line of defense on the 1password.com site is not enabling 2FA (whether via authenticator app or Yubikey), but your Secret Key. This is the long string of alphanumeric characters that was randomly generated on your device when you first created your account. It is never transmitted to us in any form, so it cannot be stolen from our servers, and we can't be tricked into giving you what we don't have.

    So, any attacker visiting 1password.com from their own computer and trying to sign into your account would need to know both your long and strong Master Password and your Secret Key. That is the only scenario under which 1Password's 2FA might be the defense that saves you -- when an attacker has managed to acquire your Master Password and your Secret Key, but not a copy of your encrypted data. Yes, an attacker could switch 2FA methods back to the authenticator app instead - for now - but that doesn't mean they would have the secret necessary to successfully pass that authentication challenge. The reason we require an authenticator app even when you've added a hardware security key such as Yubikey is that not all of our 1Password apps support Yubikey directly yet. When we get to the point where all of our applications do support Yubikey-only 2FA, that will become an option you can select.

    So what are the benefits of adding a Yubikey, over using an Authenticator app? U2F, mostly: through the use of U2F, user login is limited to the site of origin, meaning that while YOU (the user) might be fooled or phished by a malicious pop-up meant to resemble a real site, your Yubikey won't be; it can only enter its response to the authentication challenge into the proper site, no fakes. The important thing to keep in mind is that 2FA in a 1password.com account functions very differently than what most people are used to in every other situation where they use 2FA, due to the presence of the Secret Key protecting your account.
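The two-secret idea Lars describes above (a memorised Master Password combined with a device-generated Secret Key that the server never sees), shown as an added worked example. This is illustrative code written for this thread, not 1Password's own 2SKD implementation: the HKDF/PBKDF2 construction, the iteration count, the 128-bit key length and the SHA-256 "verifier" standing in for SRP are all assumptions. It shows why an attacker who has only the Master Password, or only a stolen server-side verifier, cannot guess their way in: every password guess must be paired with one of 2^128 Secret Keys.

```python
import hashlib
import hmac
import math
import secrets

# Added illustration of a two-secret derivation. Construction, labels and parameters are
# assumptions for this example, not 1Password's actual 2SKD design or settings.
PBKDF2_ITERATIONS = 10_000  # assumed; kept low so the demonstration runs quickly
SECRET_KEY_BITS = 128       # assumed entropy of the device-generated Secret Key


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract then expand) built from the standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_secret_key() -> bytes:
    """Random Secret Key created on the user's device; in this model it never leaves the device."""
    return secrets.token_bytes(SECRET_KEY_BITS // 8)


def derive_auth_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Slow KDF over the memorised password, XORed with a stretch of the Secret Key.
    Neither secret alone reproduces the result."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, 32)
    sk_part = hkdf_sha256(secret_key, salt, b"secret-key-part", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def server_verifier(auth_key: bytes) -> bytes:
    """Constructed stand-in for the value the server keeps (a real service would use SRP,
    so that even this much never crosses the wire)."""
    return hashlib.sha256(b"verifier|" + auth_key).digest()


def offline_guess(verifier, salt, password_candidates, secret_key_candidates):
    """Attacker who obtained the server-side verifier tries every (password, Secret Key) pair.
    Returns the matching pair, or None if no combination reproduces the verifier."""
    for sk in secret_key_candidates:
        for pw in password_candidates:
            if hmac.compare_digest(server_verifier(derive_auth_key(pw, sk, salt)), verifier):
                return pw, sk
    return None


def search_space_bits(n_password_candidates: int, secret_key_known: bool) -> float:
    """Work factor in bits: the password list, times 2**128 Secret Keys when the key is unknown."""
    return math.log2(n_password_candidates) + (0 if secret_key_known else SECRET_KEY_BITS)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    real_key = generate_secret_key()
    verifier = server_verifier(derive_auth_key("correct horse battery staple", real_key, salt))
    wordlist = ["password", "letmein", "correct horse battery staple"]  # constructed guesses
    print("with Secret Key:", offline_guess(verifier, salt, wordlist, [real_key]))
    print("guessing keys:", offline_guess(verifier, salt, wordlist, [generate_secret_key() for _ in range(8)]))
    print(f"work, key known: 2^{search_space_bits(len(wordlist), True):.1f}; "
          f"key unknown: 2^{search_space_bits(len(wordlist), False):.1f}")
```

The point of the XOR step is that the password-derived half and the Secret-Key-derived half are useless on their own: a weak password can be guessed offline only if the attacker also has the Secret Key, which is exactly the case (device compromise) where local encryption rather than the website is the battleground.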

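    The origin binding Lars credits U2F with above, as an added worked example (written for this thread; not code from 1Password or from Yubico). A TOTP code from an authenticator app can be typed into any page that asks for it, including a look-alike site, and relayed to the real one. A U2F/WebAuthn assertion cannot: the browser, not the page, records the real origin in clientDataJSON and refuses to let a page claim a relying-party id that is not its own domain, the key signs over a hash of that relying-party id, and the server checks challenge, origin and rpIdHash before the signature. The relying-party id, origins and phishing domain are constructed for the example, and a per-site HMAC key stands in for the per-site ECDSA key pair a real security key holds, so it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Assumed relying-party identity and origins for this illustration (not 1Password's real setup).
RP_ID = "1password.com"
ALLOWED_ORIGINS = {"https://1password.com", "https://my.1password.com"}


class ToySecurityKey:
    """Constructed stand-in for a hardware key. A real key holds a per-site ECDSA key pair;
    here a per-rpId HMAC key plays that role so the example needs only the standard library."""
    def __init__(self):
        self._seed = secrets.token_bytes(32)

    def _site_key(self, rp_id: str) -> bytes:
        return hmac.new(self._seed, rp_id.encode(), hashlib.sha256).digest()

    def sign(self, rp_id: str, client_data: bytes):
        # authenticatorData: sha256(rpId) || flags (user present) || 4-byte signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self._site_key(rp_id), signed, hashlib.sha256).digest()

    def verify(self, rp_id, auth_data, client_data, signature) -> bool:
        signed = auth_data + hashlib.sha256(client_data).digest()
        expected = hmac.new(self._site_key(rp_id), signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def browser_get_assertion(key, page_origin, requested_rp_id, challenge):
    """The browser's part: it refuses an rpId the page's domain may not claim, and it,
    not the page script, writes the real origin into clientDataJSON."""
    host = urlparse(page_origin).hostname or ""
    if host != requested_rp_id and not host.endswith("." + requested_rp_id):
        raise PermissionError(f"{page_origin} may not use rpId {requested_rp_id}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    auth_data, signature = key.sign(requested_rp_id, client_data)
    return client_data, auth_data, signature


def relying_party_verify(credential, expected_challenge, client_data, auth_data, signature):
    """Server-side checks, in the order a WebAuthn relying party performs them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge.hex():
        return "bad-challenge"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return "bad-origin"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "bad-rpid"
    if not credential.verify(RP_ID, auth_data, client_data, signature):
        return "bad-signature"
    return "ok"


def run_scenarios():
    key = ToySecurityKey()  # registered with the relying party at enrolment
    results = {}
    challenge = secrets.token_bytes(32)
    legit = browser_get_assertion(key, "https://my.1password.com", RP_ID, challenge)
    results["legit"] = relying_party_verify(key, challenge, *legit)

    # A look-alike page cannot ask the key to act for the real rpId ...
    phish = "https://1password.com.evil.example"  # constructed phishing origin
    try:
        browser_get_assertion(key, phish, RP_ID, challenge)
        results["phish_claims_rpid"] = "allowed"
    except PermissionError:
        results["phish_claims_rpid"] = "browser-refused"

    # ... an assertion made for the look-alike's own domain fails the origin check ...
    relayed = browser_get_assertion(key, phish, "1password.com.evil.example", challenge)
    results["phish_relay"] = relying_party_verify(key, challenge, *relayed)

    # ... and rewriting the origin field does not help, because rpIdHash is under the signature.
    cd = json.loads(relayed[0])
    cd["origin"] = "https://my.1password.com"
    forged = (json.dumps(cd).encode(), relayed[1], relayed[2])
    results["phish_rewrites_origin"] = relying_party_verify(key, challenge, *forged)

    # A captured assertion cannot be replayed against a fresh challenge.
    results["replay"] = relying_party_verify(key, secrets.token_bytes(32), *legit)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

    Each failure mode maps to a different check: the browser's rpId rule stops the look-alike from borrowing the real site's identity, the origin check catches a relayed assertion, the rpIdHash check catches a doctored clientDataJSON, and the per-login challenge catches replay. None of these checks exist for a six-digit code typed by hand.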
  • Bronwen224466
    Community Member

    Thank you for the helpful information!

  • ag_ana
    1Password Alumni

    On behalf of Lars, you are welcome @Bronwen224466! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • bear67512
    Community Member

    Hi @Lars, sorry, but can I ask: is there a specific option to choose U2F by using Yubikey? To my limited understanding, I am only aware that adding Yubikey allows you to create 2FA under Yubikey's Authenticator.

  • Lars
    1Password Alumni

    @bear67512 - I'm not quite sure what you're asking? Once you've set up 2FA for your 1Password account, you can continue on to add a Yubikey (or more than one!), which you can then use anywhere you like for the 2FA challenge from your 1password.com account.

  • bear67512
    Community Member
    edited January 2021

    @Lars, sorry for the poorly worded question. I always assumed that U2F was a separate option from 2FA. My bad!

  • Lars
    1Password Alumni

    @bear67512 - no worries! Technology is moving so fast these days, it's hard to keep up with it all. That's a big part of the reason why we're here in this forum community as well as available via email at support@1password.com -- to help with any questions about what we know best -- 1Password. :)
