Feature Request: Unlock 1Password with a security key (yubikey)


Comments

  • Drijfhout
    Community Member

    I'm coming from LastPass, and am trying 1P for a few days. The lacking ability to use a Yubikey instead of my master password in Windows is nearly a dealbreaker. Because I use a business laptop, I can't even use Windows Hello fingerprint somehow. On Android it works very nicely, but typing my 30+ character complicated master password every 15 minutes is really frustrating. I'm still figuring out if it's worth the switch...

  • [Deleted User]
    Community Member

    @Drijfhout With 1Password you don't need to use a 30+ character master password.
    Your data is protected on 1Password's servers by your master password and secret key. An attacker cannot access your account without successfully guessing both at the same time. This is mathematically infeasible for master passwords of >14 characters.
    Your data is protected on your device by your master password and your device's security. If your device's user account is protected with a passcode, password and/or biometrics then a master password of >14 characters is more than sufficient.
    This is more secure than using your YubiKey in place of the master password because your master password is used to encrypt your vault, while the YubiKey is typically just used as a form of authentication. Adding YubiKey based two factor authentication to protect a server account is very powerful. Adding authentication steps to your local client app feels secure, but it can easily be bypassed by an attacker with access to your unlocked device because they don't need to use the app. For example, they can copy your database to their device, install a keylogger to capture your master password and decrypt your vault on their own device.
    My recommendation would be to choose a unique master password of >14 characters that you find easy to type. You shouldn't need to type it every 15 minutes. If you don't have the desktop app installed then in the browser click on 1Password extension -> Settings -> Settings. If you do have the desktop app installed then in the app click on 1Password menu -> Settings -> Security.
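The distinction the reply above draws (the master password is a key-derivation input, a YubiKey touch is only an authentication gate) is easier to see in code. The block below is an added illustration written for this thread, not 1Password's code: it mimics the shape of a two-secret derivation, where a slow hash of the memorised password is combined with a high-entropy secret key so that neither secret alone yields the vault key. The HKDF labels, salt handling, iteration count, sample password and sample secret key are all assumptions constructed for the example; the check-value design is likewise illustrative. The `offline_guess` function shows why the secret key matters: the same wordlist attack that recovers the password when the attacker already holds the secret key finds nothing without it.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added illustration for this thread, not 1Password's code. Labels, salt
# handling, iteration count and sample values are assumptions.

PBKDF2_ITERATIONS = 100_000  # assumption; production deployments tune this higher


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256: extract a PRK from ikm, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(account_password: str, secret_key: str, salt: bytes) -> bytes:
    """Slow-hash the password, stretch the secret key, XOR the two 32-byte halves.

    An attacker holding only ciphertext must guess the password AND the secret
    key; the secret key contributes entropy that no wordlist covers.
    """
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", account_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, 32
    )
    sk_part = hkdf_sha256(secret_key.encode("utf-8"), salt, b"secret-key", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def key_check_value(vault_key: bytes) -> bytes:
    """MAC over a fixed label, stored beside the vault so a client can tell a
    wrong password from a corrupt vault without the key itself being stored."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()


def enroll(account_password: str, secret_key: str, salt: Optional[bytes] = None) -> dict:
    """What gets stored: the salt and the check value, never the vault key."""
    salt = salt or secrets.token_bytes(16)
    vault_key = derive_vault_key(account_password, secret_key, salt)
    return {"salt": salt, "kcv": key_check_value(vault_key)}


def unlock(record: dict, account_password: str, secret_key: str) -> Optional[bytes]:
    """Return the vault key if both secrets are right, else None."""
    candidate = derive_vault_key(account_password, secret_key, record["salt"])
    if hmac.compare_digest(key_check_value(candidate), record["kcv"]):
        return candidate
    return None


def offline_guess(record: dict, wordlist: list, secret_key: str) -> Optional[str]:
    """Offline dictionary attack on the password for one secret-key guess.
    It only succeeds when the attacker already has the correct secret key."""
    for guess in wordlist:
        if unlock(record, guess, secret_key) is not None:
            return guess
    return None


# Constructed sample inputs (not real credentials).
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_PASSWORD = "correct horse battery"
SAMPLE_SECRET_KEY = "A3-EXAMPLE-ONLY-NOT-A-REAL-SECRET-KEY"
SAMPLE_RECORD = enroll(SAMPLE_PASSWORD, SAMPLE_SECRET_KEY, SAMPLE_SALT)

if __name__ == "__main__":
    wordlist = ["password", "letmein", SAMPLE_PASSWORD]
    print("both secrets correct:", unlock(SAMPLE_RECORD, SAMPLE_PASSWORD, SAMPLE_SECRET_KEY) is not None)
    print("wordlist + correct secret key:", offline_guess(SAMPLE_RECORD, wordlist, SAMPLE_SECRET_KEY))
    print("wordlist + wrong secret key:", offline_guess(SAMPLE_RECORD, wordlist, "WRONG-KEY"))
```

Nothing in this construction is gated by a local authenticator: whoever can run `derive_vault_key` with the right inputs gets the key, which is exactly why a YubiKey touch bolted onto the client app does not change what an attacker with a copy of the database and a captured password can do.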

  • Drijfhout
    Community Member
    edited October 2021

    Thank you for your response. I understand your reply. A shorter master password makes it more usable, but nevertheless, the use of a hardware key to unlock 1P is much more user friendly. Or fingerprint for that matter.
    I have the desktop app installed, but unfortunately I still cannot use the fingerprint of Windows Hello.
    And I have a few desktops without a fingerprint as well, so unlock with Yubikey is much appreciated.

    One more thing, is it possible to disable the locking of the Firefox addon completely? I mean even when closing Firefox? One PC isn't leaving the house. I understand the security risk, but would like to know if it's possible.

  • [Deleted User]
    Community Member

    @Drijfhout If the length of your master password is driving you to find ways of avoiding entering it then it is not helping your security. As with most things there needs to be a compromise. However, I agree that biometrics is much more convenient and encourages use of stronger passwords. My company doesn't allow use of the fingerprint reader on our laptops which tends to lead to passwords which only just meet the company requirements.

    You can set 1Password so that you only need to enter the master password once per power cycle. In the browser, click on 1Password extension -> Settings -> Settings and make sure that "Integrate with 1Password app" is checked. In the desktop app, click on 1Password menu -> Settings -> Security and set "Lock after computer is idle" to never.

  • Thanks for the assist @rootzero. :smile:

    If you have any further questions @Drijfhout, just let us know!

  • Drijfhout
    Community Member

    Hello Jack,
    No further questions. Although a bit disappointed about these few missing functionalities. I understand the why, but I would choose a bit more for convenience versus safety.

    Regards,

  • ag_ana
    1Password Alumni

    Understood, thank you for the feedback :+1:

  • ropnop
    Community Member

    Adding my comments to this: it really feels like the 1PW team has never used a Windows machine. The frequency with which you have to reboot, coupled with the lack of the desktop app being able to use biometrics or a yubikey to authenticate to the desktop application, is extremely frustrating.

    Like many others, I have a long, complex password that I use for my 1PW master password. Having to type this every. Single. Time. My machine has to reboot (or the battery dies) means in order to even get my day going sometimes I’m having to enter the password multiple times. I shouldn’t have to enter this at all if biometrics or a yubikey are configured on the device/account.

    This exact thing has been solved a number of times over by leveraging a TPM. When the desktop app is installed (or updated), it can check if a valid TPM is present. If so, it can generate a public/private key pair and escrow the private key in the TPM. Then Windows Hello can be used, or simply fingerprint auth can be used for the public key (that the desktop app is using for its request) can be validated by the TPM.

    If a machine without a TPM is encountered, this would generate some complexity, however it could be solved similar to the way that Microsoft has implemented passwordless authentication for Microsoft accounts. A push can be sent to a mobile app that has 1PW installed to validate the auth, or a yubikey could be used and the auth could be passed via FIDO2 somehow. The last option is the most contrived, but it could be leveraged in an instance where the user doesn’t have a mobile app handy with 1PW installed on it and logged in to their account. And finally the absolute last option should be requiring a user to enter their actual master password.

    Similarly, this applies on the MacOS desktop client as well. While you don't have to reboot a Mac nearly as much as a Windows machine (especially after Apple deprecated the usage of KEXTs), you still do hit situations where it requires a reboot. Either from a software update, some old software that is really reliant on a KEXT that you install, or a battery dying, etc. Every MacBook has had a Secure Enclave for a very long time now. So the same pattern described above for a machine with a TPM could be used here. New M1 iMacs also support this, and their keyboards even include Touch ID.

    For the fallback scenarios, what is described above still applies here.

    So I ask the 1PW team: what is the plan to fix this usability issue? What are the clear and explicit timelines for doing so?

    I’ve been evaluating 1PW as a long time LastPass customer and I can say that I have a very hard time right now recommending 1PW to anybody and finally making the switch. Key reasons for this:

    1. The browser plugin is almost useless without the desktop app

    2. The browser plugin requires me to enter my password constantly (even with re-auth cranked to the most permissive state)

    3. The desktop app constantly locking (even cranked to the most permissive state) on Windows and requiring me to enter my master password over and over. On MacOS this problem is equally as frustrating, but at least I can use Touch ID after first auth?

    I appreciate that the 1PW team is responsive to threads like these and provides thoughtful responses and I’m looking forward to the dialogue with the 1PW team on these fairly extreme usability issues.

  • noogie60
    Community Member
    edited November 2021

    Now that Yubikey has a biometric (fingerprint) security key out (https://www.yubico.com/products/yubikey-bio-series/), would it be feasible to have this unlock 1password for PCs and Macs instead of the master password?

  • Lars
    1Password Alumni
    edited November 2021

    Welcome to the 1Password Support Community, @noogie60! I'm not quite sure what you mean, can you clarify?

    If what you're looking for is touch-based biometric access to 1Password, both 1Password for Mac and 1Password for Windows support that and have for a while now. Even so, your Account Password is required periodically because that is what is used to derive the key to decrypt your data.

    In (for example) the macOS environment, Touch ID can be employed securely to allow the system to request the key in the secret enclave instead of having to enter your Account Password every time. But if you experience hardware failure or even if you get a new device, that stored key cannot be transferred; you need the Account Password to create a new one on the new (or restored) device. If you've forgotten what it is, your data will be unrecoverable.

    If what you're looking for is the ability to use a Yubikey instead of your Account Password, then no. That's been technically possible using the static password feature of certain Yubikeys for a while now as well, and we haven't pursued it because of the risks associated with physical keys: loss/damage/corruption of the key, potential theft, etc.
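Both ropnop's TPM proposal earlier in the thread and Lars's description of how Touch ID works come down to the same pattern: the vault key is derived from the account password once, then wrapped under a key that lives in the device's TPM or Secure Enclave and is only used after local authentication succeeds. The block below is an added illustration written for this thread, not 1Password's or any vendor's code. `SimulatedSecureElement` is a stand-in for the hardware: it holds a non-exportable key and refuses to use it unless the caller's local-auth gate (Windows Hello, Touch ID) reported success. The wrap itself is a deliberately simple HMAC-based construction for a 32-byte key, chosen so the example runs on the Python standard library; a real client would call the platform's sealing API and use an AEAD. The sample vault key is constructed. The last two checks show the caveat Lars raises: a sealed blob copied to another device (a new `SimulatedSecureElement`) cannot be unwrapped there, so the account password is still needed to re-derive and re-seal the key.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added illustration for this thread, not vendor code. The HMAC-based wrap is
# a toy chosen to run on the standard library; real clients use the TPM /
# Secure Enclave sealing API and an AEAD.


class SimulatedSecureElement:
    """Stand-in for a TPM or Secure Enclave: a key that never leaves the
    element, usable only after local authentication succeeds."""

    def __init__(self) -> None:
        # Non-exportable, per-device key. A new device (or a restored one)
        # gets a fresh key, so blobs sealed elsewhere are useless here.
        self.__device_key = secrets.token_bytes(32)

    def _mask(self, nonce: bytes) -> bytes:
        # 32-byte one-time mask for exactly one 32-byte vault key.
        return hmac.new(self.__device_key, b"mask" + nonce, hashlib.sha256).digest()

    def _tag(self, nonce: bytes, ct: bytes) -> bytes:
        return hmac.new(self.__device_key, b"tag" + nonce + ct, hashlib.sha256).digest()

    def seal(self, vault_key: bytes, local_auth_ok: bool) -> bytes:
        """Wrap a 32-byte vault key; returns nonce || ciphertext || tag."""
        if not local_auth_ok:
            raise PermissionError("local authentication required")
        if len(vault_key) != 32:
            raise ValueError("this toy wrap handles exactly 32-byte keys")
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(vault_key, self._mask(nonce)))
        return nonce + ct + self._tag(nonce, ct)

    def unseal(self, blob: bytes, local_auth_ok: bool) -> bytes:
        """Reverse seal(); fails if the blob was sealed by another device or altered."""
        if not local_auth_ok:
            raise PermissionError("local authentication required")
        nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
        if not hmac.compare_digest(self._tag(nonce, ct), tag):
            raise ValueError("blob was not sealed by this device (or was tampered with)")
        return bytes(a ^ b for a, b in zip(ct, self._mask(nonce)))


def first_unlock(se: SimulatedSecureElement, vault_key: bytes) -> bytes:
    """After the one password-based unlock per boot, seal the derived vault key
    so later unlocks can go through the local authenticator instead."""
    return se.seal(vault_key, local_auth_ok=True)


def biometric_unlock(se: SimulatedSecureElement, sealed_blob: bytes,
                     local_auth_ok: bool) -> Optional[bytes]:
    """Subsequent unlock: the authenticator's verdict gates release of the key.
    Returns None (caller must fall back to the account password) on any failure."""
    try:
        return se.unseal(sealed_blob, local_auth_ok)
    except (PermissionError, ValueError):
        return None


# Constructed sample vault key (in practice derived from the account password).
SAMPLE_VAULT_KEY = hashlib.sha256(b"constructed sample vault key").digest()

if __name__ == "__main__":
    this_device = SimulatedSecureElement()
    blob = first_unlock(this_device, SAMPLE_VAULT_KEY)
    print("touch/biometric ok:", biometric_unlock(this_device, blob, True) == SAMPLE_VAULT_KEY)
    print("biometric failed:  ", biometric_unlock(this_device, blob, False))
    print("blob on new device:", biometric_unlock(SimulatedSecureElement(), blob, True))
```

The fallback path is the important design choice: when `biometric_unlock` returns `None`, the client must prompt for the account password and re-run `first_unlock` on the new device, which is exactly the "you need the Account Password to create a new one on the new device" behaviour described above.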

  • andrewconrad
    Community Member

    Similar request, so to clarify: On mac and windows, I can use my fingerprint to unlock 1password intraday (only periodically requiring the master password); on iPhone it is face id; I assume Android has either fingerprint or face id as well. What would be helpful is to enable the same thing with a Yubikey (regardless of biometric or not; NFC, if available). e.g., intraday unlocking with the Yubikey with only occasional master password. Additionally, I'd like this to work on Linux, please!

  • Tertius3
    Community Member

    @andrewconrad On Windows, a Yubikey can be registered with Windows Hello, and 1Password can be unlocked with Windows Hello (after entering the master password only once after a system reboot), so you can do this already. If 1Password wants to get unlocked, it calls Windows Hello, Windows Hello prompts you to touch the Yubikey, you touch the Yubikey, and 1Password unlocks.

  • noogie60
    Community Member

    @Lars Yes - I mean the ability to use the biometric Yubikey instead of the account password.
    Wouldn't the biometric features (fingerprint) allay the physical risks?
    As for loss and corruption - you can offset that by keeping the password as an alternative option

  • @noogie60:

    Just so you're aware, the Yubikey Bio series does not expose the fingerprint for use in Windows Hello or as a Touch ID replacement on macOS. Instead of any touch acting to authorize a U2F action, only the registered fingerprint will authorize the U2F action. What Lars mentioned about standard Yubikeys would apply to this Yubikey as well.

    Jack

This discussion has been closed.