Is it possible to set up 2fa/yubikey with only with a windows laptop?

sford
sford
Community Member
edited January 2023 in Windows

To use a yubikey, it seems like you have to enable 2FA.
It seems the only way to enable 2FA is to download authy or a microsoft phone app down to the phone.
This seems to create a set of trusted devices that the laptop can be added to.

Is it possible to set up 2fa/yubikey with only with a windows laptop?


_1Password Version:8.9.13
_Extension Version:desktop app
_OS Version:windows 10.0.19045 Build 19045
Browser:desktop app

Comments

  • Hi there @sford

    While it's true you need to have an authenticator app set up before you can add a hardware key, that authenticator app can be 1Password itself! 🙃

    When you set up two-factor authentication for your 1Password account, click 1Password in the browser toolbar, then the ⋮ icon and Scan QR Code, like this:

    image

    Then, paste the one-time password back into the page to confirm that it's set up correctly. Reload the page, and you'll then be able to add a hardware key.

    Hope that helps! I'll be here if you have any questions or need further help. :)

    — Grey

  • sford
    sford
    Community Member

    Hi @GreyM1P,
    Thanks so much for your answer. I didn't realize this could be done, and it is exactly what I was looking for.

    However, I had already gone ahead and installed "authy" on the phone and have used it to add my laptop and desktop pc.
    But I dont like having stuff on my phone in general, especially security related stuff.
    Is there an advantage to using "authy" on the phone as opposed to removing it and using 1Password?

    If I want to remove authy and use my 1Password for two-factor auth, how would I do that?
    Would I turn off 2fa in my account at 1Password.com, then remove authy from the phone, then turn 2fa back on and do the setup you describe?
    Is it worth it at this point, or is it best to just to leave things as is and move on?

    Would it affect my Yubikey if I changed it?

    Note I only have set up 2fa on 1Password and Yubikey, no other accounts yet.

    Thanks, Sford

  • @sford

    You're welcome! To answer your points:

    Is there an advantage to using "authy" on the phone as opposed to removing it and using 1Password?

    Yes. Although you can use 1Password to hold its own 2FA codes, you shouldn't use only 1Password to do this. Having an additional authenticator app, such as Authy in your case, will help prevent against total lockout. If you couldn't sign in to your 1Password account anywhere, and lost your Yubikey, you'd be stuck, because your 2FA codes are inside the thing you're trying to unlock.

    As we say in the article, Turn on two-factor authentication for your 1Password account:

    Although 1Password can be used to store one-time passwords for other services where you use two-factor authentication, it’s important to use a different authenticator app to store the authentication codes for your 1Password account. Storing them in 1Password would be like putting the key to a safe inside the safe itself.

    (emphasis original from the article)

    So having your 2FA codes for your 1Password account available somewhere outside of 1Password is definitely a good idea.

    Is it worth it at this point, or is it best to just to leave things as is and move on?

    I would say that now you have Authy set up, you'll be good to go. Bear in mind that you can't export secrets out of Authy, so make sure you always have access to it, or your Yubikey, so that you don't get locked out.

    Note I only have set up 2fa on 1Password and Yubikey, no other accounts yet.

    Sounds like the next job on the list to me! 😄 You can use Watchtower to help you find accounts which support two-factor authentication but don't have one-time passwords saved in 1Password:

    Use Watchtower to find passwords you need to change # Identify logins that support two-factor authentication

    Let me know if you get stuck at any point. :)

  • sford
    sford
    Community Member

    Thanks, @GreyM1P, you've been immensely helpful.

    Excellent point on Authy. It's loaded, running, working and with the points you mentioned, we're good here.
    Thanks for the link btw. I'm a little overwhelmed by all this (gee, can you tell) so it will be studied.

    While the Yubi is a 5C nfc, and the phone is a fairly recent Moto-G, it doesn't have nfc.
    So I bought a USB A to C adapter, and the phone does now see the Yubi.

    But none of my accounts {bank, credcard, invest, or stock) seem to support it !?!. They only seem to support sms 6 digit code.
    I'll look into Amazon, but, so far only my personal account here at 1Password is using this.

    Thanks so much for all your help.

  • @sford

    Always happy to help. :)

    But none of my accounts {bank, credcard, invest, or stock) seem to support it !?!. They only seem to support sms 6 digit code.

    Unfortunately, this does seem to be the state of things in some areas, especially the financial industry, where best practices (strong password + two-factor authentication) aren't always implemented in favour of something else. We wrote a blog post about that a while back which is still, regrettably, true today:

    An open letter to banks

    Although we say "banks", you can safely extend that to many different types of financial institution such as stock trading platforms, investment management firms, and so on.

    I'll look into Amazon

    Amazon does work with industry-standard two-factor authentication, so you can use 1Password to generate your one-time passwords.


    An extra point: It's important to distinguish between using two-factor authentication to access your 1Password account, and using 1Password to generate two-factor authentication codes for other websites. You can find the details of both of those below:

    I'm a little overwhelmed by all this (gee, can you tell)

    It's a lot to take in! This is especially true if you're setting most things up from scratch. Feel free to throw any questions my way here – if I can't help with something specifically, I'll try and point you in the right direction. :)

This discussion has been closed.