Use U2F key to unlock app

Muf
Community Member
edited March 2021 in 1Password 7 for Windows

Once I've logged in a device like a PC (Windows app) or phone (Android app) I'd love it if I could unlock my vault using my (NFC) U2F key instead of having to enter a really long passphrase, which gets annoying very quickly.

I used to be able to do this with LastPass, but when I switched from a YubiKey to a generic U2F key, I couldn't keep using LastPass because they only support TOTP as a 2nd factor, and don't support U2F. So I switched to Dashlane, which has been an awful experience from day one up until they discontinued the desktop app which was the straw that broke the camel's back, so now I'm hoping 1Password can become the forever home of my passwords.

It's cute that you can use face unlock, but I'd much rather just use my U2F key. Right now I have to disable the idle auto lock functionality because entering my passphrase every 10 minutes is just not feasible.


1Password Version: 7.6.793
Extension Version: 1.23.1
OS Version: Windows 10 19041.804
Sync Type: Not Provided

Comments

  • plttn
    Community Member

    This truthfully isn't feasible with the way U2F works. U2F is just cryptographically proving the identity, but there's nothing secret that the key is able to pass from within the key to the client device.

    Implementing this would mean that there's an unencrypted key to your vault that is only used based on trust, not on encryption.

    Face unlock or Windows Hello is a cryptographically escrowed key, but there's nothing in Windows at the moment that would allow for escrowing it behind a U2F key.
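
Added example, not part of the original thread and not 1Password code: a Go sketch of the U2F authentication exchange described in the comment above. It shows that the token returns only a signature, which the verifier checks with a public key and which changes with every challenge, so it yields no stable secret that could decrypt a vault. `Sign`, `Verify`, `Demo`, the app ID and the challenges are constructed for illustration, and a software key stands in for the hardware token.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// digest hashes what a U2F authentication signature covers:
// application parameter || user-presence byte || counter || challenge parameter.
func digest(appID string, counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	buf := append(app[:], 0x01, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(buf[33:], counter)
	sum := sha256.Sum256(append(buf, chal[:]...))
	return sum[:]
}

// Sign stands in for the token (hypothetical helper): the private key stays put, only a signature comes out.
func Sign(priv *ecdsa.PrivateKey, appID string, counter uint32, challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(appID, counter, challenge))
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify is the relying party's check; it needs only the public key.
func Verify(pub *ecdsa.PublicKey, appID string, counter uint32, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(appID, counter, challenge), sig)
}

// Demo reports: fresh assertion valid, replay on a new challenge valid, two assertions identical.
func Demo() (fresh, replay, same bool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	app, c1, c2 := "https://example.invalid", []byte("challenge-1"), []byte("challenge-2") // constructed
	s1, s2 := Sign(priv, app, 1, c1), Sign(priv, app, 2, c2)
	pub := &priv.PublicKey
	return Verify(pub, app, 1, c1, s1), Verify(pub, app, 1, c2, s1), bytes.Equal(s1, s2)
}

func main() { fmt.Println(Demo()) }
```

The result of the exchange is a yes/no verification, so an app that unlocked on it would still need the vault key stored somewhere the signature itself cannot protect.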

  • Greg
    1Password Alumni

    Hi @Muf,

    plttn raises some good points above. We also had several discussions of the requested behaviour previously. For example, see this thread about a similar situation.

    If you don't want to unlock 1Password with your Master Password too often, you can enable Unlock using Windows Hello in 1Password 7 for Windows. Here is how:

    Use Windows Hello to unlock 1Password on your Windows PC

    Please note that:

    • Currently, Windows Hello works in 1Password 7 for Windows and 1Password classic extension in the browser.

    • You will always have to unlock 1Password first with your Master Password, but for the rest of that computer session, you can use Windows Hello. Once 1Password is terminated or the computer is shut down, you'll have to unlock with the Master Password first before Windows Hello can be used again.

    Let me know if it helps in your case. Thanks!

    ++
    Greg

  • Muf
    Community Member

    Hi,

    Although I love the quick replies thinking along, I just discovered the desktop app doesn't even support U2F for signing in. I tried to log in on my laptop this morning (after adding my two U2F keys to my account last night) and it asked me for a mobile authenticator code. I had already printed out the authenticator secret and removed it from my phone as I was under the impression it was only to be used as a fallback in case I ever lost both my U2F keys. This is the kind of broken half-feature that I've developed PTSD from with Dashlane, as it too claimed to support U2F, but then forced the use of an authenticator app for just about everything and though promises were made it would be implemented "eventually" that never happened for over two years.

    When I first joined LastPass in 2014 I was willing to put up with teething issues as the whole concept of password managers was fairly new and a lot of security initiatives like FIDO were still in their infancy. When I begrudgingly switched to Dashlane in 2018 it was more for a lack of decent alternatives supporting U2F, and the lack of development since then has been disappointing to say the least. It is 2021 now and I had hoped that joining 1Password, I would be greeted with a mature password manager that supports the things it claims to support (not just on web, but on desktop too), and that I wouldn't find another unfinished work in progress with no indication of when basic hardware 2FA will be properly supported.

    When I searched Google for this issue, I found reference to bundtkate saying in July 2019(!!!) that U2F would be coming to desktop apps in a "future update". The future came and went, but it's nowhere to be seen.

    So I'm at an impasse. Do I dig up my printed out authenticator secret, add it to my phone again and convince myself that it won't be the same this time? Or do I just move on...

  • [Deleted User]
    Community Member
    edited March 2021

    @Muf I'm not an expert but U2F was designed for use when authenticating to a website. All the implementations I have seen rely on the browser to provide the U2F functionality.

    https://support.yubico.com/hc/en-us/articles/360016615020-Operating-system-and-web-browser-support-for-FIDO2

  • plttn
    Community Member

    @missingbits as far as I can tell, a desktop application could totally do the U2F challenge/response with the 1Password server, but to me (speaking just for myself), it feels a little bit like a lot of implementation effort for not that much gain.

  • Hey @Muf, I do apologize for the confusion there. On our Security Key Support page, we indicate that these keys can be used to authenticate at 1Password.com, as well as on iPhones, iPads, and Android devices (with compatible security keys). 1Password for Mac, Windows or Linux must use the code from your authenticator, though.

    Authentication via security key through the desktop apps is definitely something we want to make available, but nailing the implementation and ensuring that it functions well - and most importantly securely - is something that takes time. I do apologize for the delay in having this functionality available, but this is something that is on the Development team's radar.

This discussion has been closed.