Use of only a Yubikey for 2FA

bitkeeper
Community Member
edited December 2022 in Business and Teams

I'd like to ONLY use Yubikeys for 2FA. But it seems like an authenticator app is required to have 2FA on. And there is no way to remove the authenticator from the 2FA options once the keys are set up...

Signing into the 1P binary on Windows after setting up the account on a MacOS machine did not even ask for the keys - only for the authenticator TOTP.

The account is a Teams account. Should I be on some other plan to have Yubikeys only...?



Comments

  • Hi @bitkeeper:

    At this time, not all of the 1Password apps support U2F as a 2FA option. Given that, an authenticator app is required to be set up as well for our apps that do not support a U2F physical token.

    However, I can see how that would be useful, so I'll add your voice internally for enforcing U2F as the only two-factor authentication method.

    Jack

    ref: dev/b5/b5#6677

  • bitkeeper
    Community Member

    Sounds good. Thanks.

  • ag_ana
    1Password Alumni

    On behalf of Jack, you are welcome @bitkeeper. If you have any other suggestions, please feel free to reach out anytime.

    Have a wonderful day :)

  • mosatch
    Community Member

    I'd like to add my vote for allowing U2F only (as an option), so long as iOS and macOS are supported. I'd rather have two yubikeys than have to deal with another authenticator.

  • Thanks for letting us know you're interested in this functionality, @mosatch :+1:

  • Ziggy_Stahdust
    Community Member

    +1 to Yubikey U2F!

  • Hey @Ziggy_Stahdust

    To clarify, Yubikey U2F is available today. It does however require that TOTP also be enabled.

    Use your security key as a second factor for your 1Password account

    Ben

  • peatmonster
    Community Member

    For me, adding a Yubikey is to prevent unauthorised access to your device, as any hacker would need physical access to the Yubikey to be able to log in to your account. After authorising Yubikey as your two-step authentication method, allowing Authenticator app as an alternative option reduces security and renders the purpose of the Yubikey obsolete. Personally I would prefer the option to choose which authentications I want to add and whether they should be arranged in an AND or an OR logic. I would opt for higher security, so I would personally choose AND logic requiring all the following: Yubikey, SMS, email and Authenticator app in order to be able to add a new device, and to choose whether it is required each time and for which devices. That would require any hacker to have access to your email account, phone and hardware devices to gain access to your account. Given the increasing cyber threats of today, I want my password manager to give me the option to balance convenience over security via advanced settings. I am a user of 1Password and I love the product, but I need to be able to choose the level of protection I want and how hard I make it for myself to log in. Others who prefer convenience over security can choose to add less two factor authentication levels or an either OR logic. Would love to have some feedback from your dev team about this feature request and if we can expect it soon. Please add my vote for it!

  • Thanks for your feedback on this @peatmonster! :smile:

  • Matt84
    Community Member

    +1 For the ability to use Yubikey as the ONLY 2FA

  • Appreciate the feedback from you Matt84. I've passed it on to the team.

  • wavesound
    Community Member

    +1!

  • Thanks for taking the time to voice your request, @wavesound.

  • soz
    Community Member

    I subscribed to a family account after having a local vault for a long time, and was very surprised to see I could not remove the Authenticator app after adding my YubiKey. Without that option, I don't even see the need for adding a YubiKey, as the attacker simply doesn't need it to access my vault.

    Just a long way of saying +1...

  • @Soz, thank you for sharing your feedback on this, and for being a longtime 1Password supporter.

  • 1Adrian
    Community Member

    +1. By enforcing TOTP security is reduced, which bugs me a lot since we're talking about a password manager here. Users should at least have the option to disable it by confirming that they don't use devices that don't support U2F. Is there any schedule for this to be implemented? Thanks!

  • Hi @1Adrian

    > By enforcing TOTP security is reduced

    I think it is worth considering the fact that 2FA does not have the same level of impact for 1Password as it does for other services. The reason being much of the protection that is in place with 1Password relies on encryption, rather than traditional authentication. We talk about how 1Password does authentication a bit differently in this blog post:

    1Password is LayerUp-ed with modern authentication

    The function of 2FA with 1Password membership accounts is to help protect the device authorization process. Once a device is authorized 2FA is no longer required, unless the device is subsequently deauthorized through the web app, or the browser/app's locally cached copy of the secret is cleared. Essentially 2FA helps prevent a replay attack from authorizing a device. It is not designed to help in the case that someone has access to one of your authorized devices. As such 2FA does not prevent you from accessing locally cached data (e.g. while your device is offline).

    There is some additional context in this thread that may be helpful as well.

    > Is there any schedule for this to be implemented?

    I couldn't say that there is a schedule, but getting all of our 1Password 8 apps shipped will certainly help move the ball forward. 1Password 8 for Windows and Linux are currently shipping, with Mac coming soon. 1Password 8 for iOS has just entered Early Access, and 1Password 8 for Android will be following along later this year. Exact dates have not yet been announced.

    Ben

  • janedeux
    Community Member

    +1 Ability to use Yubikey as only 2FA, please. Any update on the timeline?

  • ag_max
    edited September 2022

    Hi @janedeux, no update to share just yet. I'll check with our team tomorrow (Monday) to see if anything has changed. Rest assured that our team is still interested and we are continuing to track interest in this area.

  • jakw0j
    Community Member

    Any update on that?

  • Hi @jakw0j,

    No new updates to share I'm afraid. This is still very much a feature that the team would like to implement in the future. ref: dev/b5/b5#6677

  • renatolsromao
    Community Member

    Is it safe to remove 1Password from my other Authenticator APP if I've configured a Yubikey??

  • Hello @renatolsromao,

    > Is it safe to remove 1Password from my other Authenticator APP if I've configured a Yubikey??

    That's not really a question we can answer for you. "Safe" is somewhat relative, and depends on your personal circumstances. For example, I have a family member who is very prone to losing things, and would never suggest they rely solely on a Yubikey. On the flip side, there are situations wherein the benefits of a physical hardware security key may be advantageous, and getting rid of the software authenticator could boost your personal security posture.

    In a technical sense, 1Password will let you use either type of authenticator any time you sign into a new device, so the choice comes down to what's best for you.

    Let me know if you have any questions.

  • ftwo
    Community Member

    Would love to see the option to remove the 2FA app, as soon as you've added one (or two) Yubikeys.
    Please give users more options here.

  • ScottS1P
    edited December 2022

    Hi @ftwo, thanks for adding your voice to this request. While I'm happy to share this with the team, this thread has been running for quite a long time and we don't want to continue sending emails about it to everyone who has posted before. As such, I'm closing out this thread. Please feel free to open a new thread or email support@1password.com if you have any other questions or comments.

    ref: IDEA-I-677

This discussion has been closed.