FIDO2 to enable my entire family to use 1Password

gvnshtn
gvnshtn
Community Member

I'm a techie, if you're reading this, you're something of a techie too. But in my family, we have normal human beings who aren't in the least bit technical. They hate passwords. And when I suggest a password manager to them, the thought of a 'master password' absolutely turns them right off. They'll just keep using that same password everywhere, thanks.

But we have FIDO2 keys now. They're commodity items. And if we could unlock our vaults through a FIDO2 authentication, that would mean passwordless entry. That's what I need to enable normal humans that I know, use a password manager. Otherwise, they'll continue to be confined to the more technically savvy. We have to do better.

Thank you,

Gavin


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • [Deleted User]
    [Deleted User]
    Community Member
    edited February 2021

    Great suggestion. :+1:
    I think you're right. I work with technical people and its hard even to get them to think about password management.
    One of my family is only using 1Password because I've set it up for them on all their devices and chosen a master password that they can remember. This isn't scalable; there's a limit to how many accounts I can set-up :smile:

  • Hi @gvnshtn

    While FIDO2 is great and exciting it is an authentication protocol, not a means of encryption. While 1Password does use authentication (when the apps or your web browser are talking to the 1Password.com service), that is not the primary way in which 1Password protects your data. Instead the primary protection 1Password provides is encryption. Your Master Password and Secret Key are used to encrypt your data before it leaves your device.

    If we were to do as you're proposing and use FIDO2 alone we'd be peeling away the most important layer of protection for your data. It would mean that a compromise of the security of 1Password.com would be devastating, as an attacker could obtain everyone's data. With the current model, because all of the data is encrypted before it reaches 1Password.com, we're shielded from that. That's not a risk we feel our customers should shoulder or one we're willing to take.

    They hate passwords. And when I suggest a password manager to them, the thought of a 'master password' absolutely turns them right off.

    I understand. We have some tips that may help them pick an agreeable yet secure password available here:

    How to choose a good Master Password

    They'll just keep using that same password everywhere, thanks.

    Fortunately using "one password" is exactly the model 1Password is built around (hence the name). Except instead of literally using the same password for every service (which is terribly insecure), you use one password to unlock 1Password…which remembers and fills all of the strong & unique passwords for all the sites and services you have.

    I think the best we can do here is continue to point out the fact that many (most?) of the information security breaches that occur are a result of password reuse. With 1Password, yes, they have to remember one strong password, but then they can use strong unique passwords for everything else and not have to remember those. Additionally we do support technologies like Face ID, Touch ID, Apple Watch Unlock, etc, for convenience. They aren't replacements for the Master Password, but they can help reduce the frequency at which it needs to be typed.

    Ben

  • [Deleted User]
    [Deleted User]
    Community Member

    @Ben Hardware security keys typically also support a challenge-response type protocol. Could this be used to secure the database?
    For example, a user PIN could be combined with the Secret Key to generate a challenge and then the response could be used as the key to encrypt the database.

  • ag_ana
    ag_ana
    1Password Alumni

    @missingbits:

    I have passed your question to our security team :+1:

  • Lars
    Lars
    1Password Alumni

    @missingbits - how would something like this work on iOS, for example?

  • [Deleted User]
    [Deleted User]
    Community Member

    @Lars KeepassXC allows databases to be secured using YubiKeys in HMAC-SHA1 Challenge Response mode and it runs on Windows and Mac. I don't pretend to understand the implementation details, but it seems to use the database's master seed (a random byte string generated everytime the database saved) as the challenge and use the response as the key to encrypt the database. I was guessing that a PIN could be combined with the Secret Key to generate the challenge and that the response could be used directly or indirectly as a key to encrypt the database. I'm not sure how that would work with 1password.com though.

    https://keepassxc.org/docs/#faq-yubikey-2fa

  • Lars
    Lars
    1Password Alumni

    @missingbits - right. How would that work on mobile devices?

  • [Deleted User]
    [Deleted User]
    Community Member

    @Lars Oh, I see what you're saying. I have tried using YubiKeys with an NFC connection and the user experience isn't great

  • Lars
    Lars
    1Password Alumni

    @missingbits - it's more the fact that there are plenty of users these days who are mobile device-only (between a smartphone and a good tablet, many people don't need or see the utility in a traditional desktop). They couldn't set this up.

    That would mean we'd have to offer a confusing fork of choices ("which way is better? Why can't I have that one?," etc). We're happy to offer Yubikey support as an option for 2FA on users' 1password.com accounts, and we'll definitely continue keeping an eye on future possibilities with regard to enhancing security with hardware keys, but for now there aren't any plans to attempt this type of option.

  • [Deleted User]
    [Deleted User]
    Community Member

    @Lars Makes sense, thanks for engaging

  • Lars
    Lars
    1Password Alumni

    ;) :+1:

This discussion has been closed.