1passwordx security with Yubikey

Hello,

I'm new to 1Password but I'm a bit confused by the security.
I've added two Yubikeys to protect my account. After installing the extension once, it is not necessary to use the Yubikey to authenticate.

Does this not break the security model? Once the extension or an app is installed, a compromised system with a RAT and a keyboard logger can grab the password and export all accounts.

It would be nice to have a need for a second factor all the time. Is this possible please?

Thanks.



Comments

  • Hi @George1pw. 1Password is primarily based on encryption, not authentication. In the case of 1Password and two-factor authentication, 2FA is designed to protect against the scenario where an attacker has somehow procured both your Master Password and Secret Key, and would protect you from someone downloading your data on a new device — not to protect you on your own, authorized devices. After you've authorized a device, it is your Master Password that protects your local data.

  • George1pw
    Community Member
    edited March 2021

    Thank you. It is not what I hoped for. I do hope this strategy will be evaluated in the future and the mandatory use of a second factor can be an option.

  • [Deleted User]
    Community Member

    @George1pw The YubiKey provides authentication. This helps when authenticating to a website. It doesn't help when opening an encrypted file on your own device. If the attacker already has your Master Password and Secret Key then they can open your 1Password database using their own decryption software. They don't need to use the 1Password app and so would not be affected by an additional authentication step incorporated into it. Only the legitimate user would be required to go through this additional step. So it doesn't add to security.

  • ag_ana
    1Password Alumni

    Thank you for the feedback @George1pw :+1:

    (And to missingbits for the assist here)

This discussion has been closed.
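
The distinction drawn in the replies above between authentication and encryption, as an added example that is not part of the original thread and is not 1Password's code: a simplified model in which the vault key is derived from the Master Password and Secret Key. The KDF parameters, the toy stream cipher, the sample secrets and the names `seal`, `open_vault` and `GatedApp` are assumptions made for illustration.

```python
import hashlib, hmac, os

def derive_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    # Assumption: simplified KDF in which both secrets feed one derivation.
    material = master_password.encode() + b"\x00" + secret_key.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000, dklen=64)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter keystream, for illustration only.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(mac_key: bytes, blob: dict) -> bytes:
    return hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], "sha256").digest()

def seal(plaintext: bytes, master_password: str, secret_key: str) -> dict:
    blob = {"salt": os.urandom(16), "nonce": os.urandom(16)}
    key = derive_key(master_password, secret_key, blob["salt"])
    blob["ct"] = _xor_stream(key[:32], blob["nonce"], plaintext)
    blob["tag"] = _tag(key[32:], blob)
    return blob

def open_vault(blob: dict, master_password: str, secret_key: str) -> bytes:
    # Decryption needs only the stored blob and the two secrets.
    key = derive_key(master_password, secret_key, blob["salt"])
    if not hmac.compare_digest(_tag(key[32:], blob), blob["tag"]):
        raise ValueError("wrong secrets or modified vault")
    return _xor_stream(key[:32], blob["nonce"], blob["ct"])

class GatedApp:
    """Hypothetical client that asks for a hardware key before unlocking."""
    def __init__(self, blob: dict):
        self.blob = blob
    def unlock(self, master_password, secret_key, hardware_key_present: bool) -> bytes:
        if not hardware_key_present:  # the check lives in app code, not in the key
            raise PermissionError("second factor required")
        return open_vault(self.blob, master_password, secret_key)

if __name__ == "__main__":
    mp, sk = "constructed-master-password", "A3-CONSTRUCTED-SECRET-KEY"
    vault = seal(b"constructed vault item", mp, sk)
    try:
        GatedApp(vault).unlock(mp, sk, hardware_key_present=False)
    except PermissionError as exc:
        print("app:", exc)
    print("direct:", open_vault(vault, mp, sk))
```

In this model the hardware-key check changes what the app will do but not what the derived key can decrypt, which is why the replies place 2FA at the point where data is released to a new device.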