Yubikey. What is the point?

xthisu
Community Member

Hello,

I watched a ton of videos and read several articles on Password Managers and Yubikey before deciding that these would be my choices. To my surprise and disappointment, 1Password doesn't allow me to use Yubikeys as the only means of two-factor authentication; I'm forced to also add an Authenticator app.

Even on your support site https://support.1password.com/security-key/ there is no mention of this. The instructions lead you to believe you can just turn on two-factor authentication, setup your key and away you go. Only through the process of setting up two-factor authentication do you realize that you will also end up adding the authenticator app and that it would also be a permanent method of authentication.

I don't want an app. The whole point of Yubikeys is to have a somewhat hackproof physical key in your pocket to protect your account. Authenticator apps live on devices or computers that can easily be compromised...again, it's the whole point of the hardware key.

I bought 4 keys, two for me, two for my partner, so we'd each have one and a backup...only to find out that I wasted my money.

Why can I not remove the authenticator app from 1Password and only use my Yubikeys?

I understand and accept the risk of lost keys and that I would then lose access to all my accounts if that happened.

Thank you.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Hi @xthisu:

    Thanks for asking! Up until relatively recently, security keys weren't supported on all of our apps, and we didn't want to create a situation where you couldn't add your 1Password account to all of the possible apps. With that said, allowing security key only two-factor authentication for your 1Password account is definitely something we've heard, and I've shared your thoughts internally.

    Just to make sure you're also aware of this, two-factor authentication for your 1Password account is exactly that, authentication. After you've added your 1Password account to the 1Password app, unlocking the 1Password app will use either your account password, or biometrics (Touch ID, Face ID, Windows Hello) if enabled.

    Jack

    ref: dev/b5/b5#6677

  • Cromwell
    Community Member

    Hi Jack

    I also would like the feature of having security keys as the one and only 2FA method - especially on mobile. What is the point of having 2FA on a phone when the phone literally has the 2FA app installed? Many people have their mobile authenticators on the same device in which one pass is installed. Should an adversary gain access to the phone, they could effectively bypass the 2FA as the authenticator is literally right there. I do believe that adding the ability to only use security keys would be a good feature to have.

  • Longshot408
    Community Member

    I share the same view as OP and Cromwell; the fact that 1Password supports Yubikey was a big factor in my decision to go with this service, but I'm extremely disappointed to find out that I cannot remove all other sign-in methods. This defeats the purpose of having such a secure sign-in method since it leaves back-doors to go through. Please address this.

    Also, I would like to be able to use my Yubikey to sign in to 1Password when on my desktop, instead of Windows Hello or my Windows pin.

  • Hi @Cromwell / @Longshot408:

    1Password operates on an encryption model, not an authentication model. By this, what I mean is that your data is secured with encryption keys derived from your account password and Secret Key, and not based on providing proof of who you are, like with a traditional username / password based login that may or may not offer two-factor authentication.

    Because of this, two-factor authentication for 1Password operates a little differently than most other services that support two-factor authentication. Two-factor authentication only comes into play when adding your 1Password account to a new install of the 1Password app. Once your 1Password account has been added, you've been authenticated, and what is protecting your data is encryption (your account password). In your example, if an attacker were to have access to your phone, needing two-factor authentication would not be the blocker that stopped them from having access to your information. The blocker would be the fact that your information is encrypted until unlocked with your account password, or your device's biometry options.

    Jack

  • neverTire
    Community Member

    Hi Jack,

    A casual observer to the above conversation, with some initial, off-the-top-of-my-head comments:

    1. Maybe it's just me, but I always get the impression that the people who work at 1Password think that they know best.
    2. Also, I think you avoided answering the OP's concern/question. If I read the following, from your own website:

    "Set up your security key

    Before you can use your security key as a second factor for your 1Password account, you’ll need to turn on two-factor authentication for your 1Password account. Then follow these steps:

    Sign in to your account on 1Password.com on your computer.
    Click your name in the top right and choose My Profile.
    Click More Actions > Manage Two-Factor Authentication.
    Click Add a Security Key.
    If you don’t see Add a Security Key, turn on two-factor authentication for your 1Password account.

    Enter a name for your security key and click Next.
    Insert your security key into the USB port on your computer.
    If Windows Security asks you to create a PIN, enter one and click OK. Your PIN is stored locally on your security key.

    Touch the sensor on your security key.
    When you see “Your security key was successfully registered”, click Done.
    From now on, you can use your security key instead of a six-digit authentication code to sign in to your 1Password account."

    I would like you to explain what is meant by the last sentence, from your own website.

    I can see how the OP was clearly misled and is far from happy as a result.

    This is what you have failed to address. And this type of response from 1Password representatives seems to be typical.

    Regards,
    Peter

    P.S. You might like to answer my post:

    https://1password.community/discussion/127756/security-design-question#latest

  • neverTire
    Community Member

    Hi Jack,

    My apologies...

    You did explain how it works, however, I think it would be much clearer if it was stated exactly the function a YubiKey provides in the 1Password environment.

    If it was clearly stated that the YubiKey was not a replacement for an Authenticator App, and that an Authenticator App is still required, it would eliminate a lot of confusion.

    The confusion comes about as a result of "semantics", if you like. One has to distinguish between 1Password account and 1Password app.

    Now that I understand the limitations of a YubiKey in a 1Password environment, it seems to provide very little value add. You seem to say as much in your own post.

    Peter

  • BennytheDog
    Community Member

    Hello Jack,

    I am also perplexed and confused. I am testing the free trial, in large part, because 1Password says it supports Yubikeys. I have been confused by the 1Password Yubikey setup process for a couple of days because of 1Password's wording. I've been searching to find why I have to add yet another app in order to set up my Yubikeys. Why do I need to install an authenticator app if it will not be used once I have set up the Yubikey?

    Your company's attempt to differentiate encryption from authentication left me confused; I don't really see how your design is different from other password managers, which all claim end-to-end encryption and zero-trust design. (Note: I appreciate your security audits by 3rd parties and your challenge contest to decrypt passwords.) Your article on encryption vs authentication seems obvious to me but misplaced in how you are trying to apply it. I consider the sign-in with the master password to be authentication to access an encrypted environment. What am I missing?

    I am now strongly considering staying on my current password manager which made the security key setup noticeably easier. BTW: Because I have a relatively non-techie spouse who might change her master password to something relatively simple, I consider the security key (Yubikey or the like) paramount.

    Regards,
    BennytheDog

  • Hey @BennytheDog:

    Thanks for following up. You've touched on a few points here, and I'd like to cover them in turn.

    Why do I need to install an authenticator app if it will not be used once I have setup the Yubikey?

    As I noted above, it was only relatively recently that all of the available 1Password apps supported security keys. If an authenticator app was not set up as well, you would be unable to add your 1Password account to those versions of 1Password. We don't want you to be locked out of your 1Password account, and requiring an authenticator app as a backup helps ensure that you aren't locked out.

    I consider the sign-in with the master password to be authentication to access an encrypted environment. What am I missing?

    Adding your account to the 1Password app is where authentication is relevant. You authenticate to the 1Password.com service using a protocol called Secure Remote Password. Your password and Secret Key are never transmitted across the internet, and we don't have access to them. Once you've successfully authenticated, that 1Password app is now authenticated, and no longer needs to reauthenticate with the 1Password.com service unless it is deauthorized from within your account settings. What protects your data after your 1Password account has been added is your account password, by decrypting your data when you unlock 1Password, not authenticating to the 1Password.com service. Given this, any two-factor authentication methods are only required when you first add your 1Password account to the 1Password app.

    BTW: Because I have a relatively non-techie spouse who might change her master password to something relatively simple, I consider the security key (Yubikey or the like) paramount.

    Your data is protected on your device by your account password, so a strong but memorable account password would be our recommendation. While it's possible to use biometry (like Face ID or Windows Hello) to unlock the 1Password app, it isn't a replacement for knowing your account password, and you'll be prompted every so often to enter your account password, even with biometry enabled.

    Let me know if that clears things up, or if you still have questions!

    Jack
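To make the distinction Jack draws above concrete, here is an added example (not 1Password's code, and not its real key-derivation or SRP scheme) that models a service gating device enrolment with a second factor while the data on an authorised device is protected only by a key derived from the account password and Secret Key. The class and function names, the toy cipher and every value in it are hypothetical, constructed for this demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed, simplified model of the two layers the thread separates: authenticating a new
# device (where 2FA applies) and decrypting data on an authorised device (password only).
# Not 1Password's actual scheme; every name, parameter and value here is hypothetical.
ITERATIONS = 100_000  # PBKDF2 work factor for the demo


def derive_vault_key(account_password: str, secret_key: str, salt: bytes) -> bytes:
    """The vault key needs both secrets: the memorised password and the on-device Secret Key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", account_password.encode(), salt, ITERATIONS)
    return hmac.new(secret_key.encode(), pw_part, hashlib.sha256).digest()


def toy_xor_cipher(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 keystream XOR so the demo runs on the stdlib alone. Toy only, never for real data."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))


class Account:
    """Service side: holds a verifier (never the password) and the encrypted vault."""
    def __init__(self, account_password: str, secret_key: str, vault_plaintext: bytes):
        self.salt = os.urandom(16)
        vault_key = derive_vault_key(account_password, secret_key, self.salt)
        # Stands in for the SRP verifier: lets the service check a login without learning the password.
        self.verifier = hashlib.sha256(b"verifier" + vault_key).digest()
        self.ciphertext = toy_xor_cipher(vault_key, vault_plaintext)
        self.tag = hmac.new(vault_key, self.ciphertext, hashlib.sha256).digest()  # integrity check
        self.second_factor = secrets.token_hex(8)  # stands in for the security key or TOTP secret

    def add_device(self, account_password: str, secret_key: str, second_factor: str):
        """Authentication: runs once per new install and is the only step where 2FA is consulted."""
        key = derive_vault_key(account_password, secret_key, self.salt)
        if not hmac.compare_digest(hashlib.sha256(b"verifier" + key).digest(), self.verifier):
            return None
        if not hmac.compare_digest(second_factor, self.second_factor):
            return None
        # The authorised device keeps Secret Key, salt, ciphertext and tag; it never stores the password.
        return {"secret_key": secret_key, "salt": self.salt,
                "ciphertext": self.ciphertext, "tag": self.tag}


def unlock(device: dict, account_password: str):
    """Encryption: every unlock needs only the password; no network round trip, no second factor."""
    key = derive_vault_key(account_password, device["secret_key"], device["salt"])
    if not hmac.compare_digest(hmac.new(key, device["ciphertext"], hashlib.sha256).digest(), device["tag"]):
        return None  # wrong password: nothing to show, whether or not an authenticator sits on the phone
    return toy_xor_cipher(key, device["ciphertext"])
```

Run against an authorised device, `unlock` with a wrong password returns None no matter what second factor lives on the same phone, while `add_device` refuses a new install without it; that is the split between the two layers the thread is discussing.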

  • BennytheDog
    Community Member

    Thanks, your response added some insight.

    Regards,
    BennytheDog

  • Hi @BennytheDog:

    You're very welcome! 😁 Please get in touch if there's anything else we can help you with in the future.

    Jack

This discussion has been closed.