
YubiKey Two-factor authentication doesn't work

1Passmeananswer
Community Member
edited May 2023 in Memberships

I successfully set up two-factor authentication using two YubiKeys. To see if it worked, I signed out of both the 1Password website and the Chrome browser extension on my WIN11 machine, but was able to sign in to both the extension and the my.1password.com sign in page without any prompt to insert my YubiKey for authentication. Why is this? Why even have two-factor authentication set up if 1Password doesn't ask for it? Am I missing something? I haven't checked to see if the YubiKeys are required on my Chromebook yet. Thanks.

1Password Version: 8.8.0
Extension Version: 2.10.0
OS Version: Not Provided
Browser: Chrome, Edge
Referrer: forum-search:YubiKey Two-factor authentication doesn't work

Comments

  • jFred
    Community Member

    1Password works differently with respect to 2FA. It is only used when you try to install 1Password on a new device. So you won’t be asked for 2FA on your existing devices that already have 1PW installed. Try to install 1PW on a new device that you’ve not used before and you’ll be asked for your YubiKey.

    1PW primarily relies on encryption to protect your vault. You need to enter your secret key AND your password to decrypt your vault.

  • 1Passmeananswer
    Community Member

    jFred, I'm still confused about 2FA then. I'm someone who has migrated over from LastPass. On their browser extension, if one has 2FA set up with the YubiKey, one must insert one's YubiKey after entering the password in order to open the extension, which of course also leads to the vault. One can also just insert the YubiKey alone, if prompted, to sign in (which I don't think is very safe).

    But, if I understand your reply correctly, with 1PW, I needn't worry, because my vault is protected since the data there is encrypted. Notwithstanding that, if someone were to steal my laptop, and also be so brilliant as to figure out my laptop PIN and my 1PW password, they would then gain access to all my passwords. Is that not correct? No secret key to access the vault would even be necessary, would it? Why protect the vault only, when the low-hanging fruit contained in the now opened browser extension is ripe for the picking? Or am I just being paranoid?

  • lodaka
    Community Member

    In the case of a theft, you can deauthorize the particular device, which will prompt 2FA the next login on that device. Having said that, I would love to see at least an option to require 2FA each login, for those of us who are extra .... vigilant.

  • 1Passmeananswer
    Community Member

    Yes, lodaka, we should have the option. We're paying for the product.

  • Hi @1Passmeananswer,

    1Password is primarily based on encryption, not authentication; what this means is that after you've already authenticated (allowed) a device to download your data, at that point it's your account password that ultimately protects your local data.

    2FA protects against the download of your data in the unlikely event someone got ahold of both your account password and Secret Key, but since there's a local cache of your data on a trusted device, 2FA doesn't come into play at that point - the data's already there.

    Requiring 2FA in this scenario wouldn't actually add any extra security unless there were no local cache, which would mean you wouldn't be able to access your data in an offline scenario, either.

    With that said, while I can't make any promises, I've filed a feature request internally to bring this to the attention of our team. They regularly review feature requests from our customers to consider what should be added or changed in future versions of 1Password.
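To make the model described in the reply above (and in jFred's earlier comment) concrete, here is an added Python illustration. It is not 1Password's code: the key derivation and the HMAC-based toy cipher are simplified stand-ins for its real cryptography, the `Server`/`Device` classes are a hypothetical model, and every password, Secret Key and vault item is a constructed sample. What it shows is the division of labour the reply describes: 2FA gates authorizing a new device to download the ciphertext, while the cached data on an already-trusted device is protected by the account password (with the Secret Key stored on the device), so no second factor is involved in a local unlock, and deauthorization only takes effect once the device talks to the server again.

```python
import hashlib
import hmac
import secrets

# Constructed demo values: not a real account password, Secret Key, or vault item.
ACCOUNT_PASSWORD = "correct horse battery staple"
SECRET_KEY = "DEMO-SECRET-KEY-PLACEHOLDER"
ACCOUNT_SALT = b"constructed-per-account-salt"
VAULT_PLAINTEXT = b"login: example.test / hunter2 (constructed sample item)"


def derive_vault_key(password, secret_key, salt):
    """Simplified two-secret key derivation: the stretched account password and
    the high-entropy Secret Key are XORed, so neither alone yields the vault key.
    Assumption: this follows the shape of 1Password's design, not its parameters."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    sk_part = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def encrypt(key, plaintext):
    """Toy encrypt-then-MAC built from HMAC-SHA256 (demo only): nonce || ct || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong account password or Secret Key")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class Server:
    """Hypothetical server: holds ciphertext only; 2FA gates authorizing a new device."""
    def __init__(self, blob):
        self.blob = blob
        self.trusted = set()

    def authorize(self, device_id, second_factor_ok):
        if not second_factor_ok:
            raise PermissionError("2FA required to authorize a new device")
        self.trusted.add(device_id)

    def deauthorize(self, device_id):
        self.trusted.discard(device_id)

    def download(self, device_id):
        if device_id not in self.trusted:
            raise PermissionError("device not authorized")
        return self.blob


class Device:
    """Hypothetical client: after authorization it keeps the Secret Key and a ciphertext cache."""
    def __init__(self, device_id):
        self.id = device_id
        self.secret_key = None
        self.cache = None

    def enroll(self, server, secret_key, second_factor_ok=False):
        server.authorize(self.id, second_factor_ok)
        self.secret_key = secret_key
        self.cache = server.download(self.id)

    def unlock(self, server, password, online=True):
        """Local unlock: only the account password is typed; no 2FA is involved."""
        if online and self.id not in server.trusted:
            self.secret_key = self.cache = None   # deauthorized: wipe local data on contact
            raise PermissionError("device deauthorized; enroll again with 2FA")
        if self.cache is None:
            raise PermissionError("no local data on this device")
        return decrypt(derive_vault_key(password, self.secret_key, ACCOUNT_SALT), self.cache)


def run_scenario():
    """Walks through the thread's cases; returns which attempts opened the vault."""
    server = Server(encrypt(derive_vault_key(ACCOUNT_PASSWORD, SECRET_KEY, ACCOUNT_SALT), VAULT_PLAINTEXT))
    laptop, phone = Device("win11-laptop"), Device("phone")

    def opens(device, password, online=True):
        try:
            return device.unlock(server, password, online) == VAULT_PLAINTEXT
        except (PermissionError, ValueError):
            return False

    def enrolls(device, secret_key, second_factor_ok):
        try:
            device.enroll(server, secret_key, second_factor_ok)
            return True
        except PermissionError:
            return False

    out = {}
    out["enroll_without_2fa"] = enrolls(laptop, SECRET_KEY, False)                 # 2FA gates new devices
    out["enroll_with_2fa"] = enrolls(laptop, SECRET_KEY, True)
    out["trusted_device_password_only"] = opens(laptop, ACCOUNT_PASSWORD)          # no 2FA prompt, as in the thread
    out["trusted_device_offline"] = opens(laptop, ACCOUNT_PASSWORD, online=False)  # cache makes offline use possible
    out["trusted_device_wrong_password"] = opens(laptop, "guess")                  # password still protects the cache
    enrolls(phone, "WRONG-SECRET-KEY", True)
    out["new_device_wrong_secret_key"] = opens(phone, ACCOUNT_PASSWORD)            # new device needs both secrets
    server.deauthorize(laptop.id)
    out["deauthorized_but_still_offline"] = opens(laptop, ACCOUNT_PASSWORD, online=False)  # password is the only barrier
    out["deauthorized_once_online"] = opens(laptop, ACCOUNT_PASSWORD)              # wiped on next contact
    out["local_data_wiped"] = laptop.cache is None
    return out
```

The `deauthorized_but_still_offline` case is the practical caveat: deauthorizing a lost device removes its access only when that device next reaches the server, so until then the strength of the account password (and the device's own lock) is what protects the cached data.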

  • lodaka
    Community Member

    @ag_josephine Thanks for explaining that. I just read another post regarding offline access and caching. This makes a lot of sense. I can see that it's certainly a balance.

    Having said that, could this exist as an option, to require online authentication at every login? It would be highly inconvenient in some use cases (i.e. travelling in out-of-bounds areas or foreign countries with no access), but for the most part, I am rarely without access to the Internet. However, if there were an option for this, I would actually have this on and only "disable" it if I am about to go offline for a lengthy period of time. Just thinking out loud a bit.

  • @lodaka,

    I can understand why this might be something you'd like to see within 1Password and so, while I can't make any promises, I've filed a feature request internally to bring this to the attention of our team. They regularly review feature requests from our customers to consider what should be added or changed to future versions of 1Password. Your feedback, along with feedback from our other customers, helps them immensely with their planning.

    Thank you again for your suggestion, we appreciate your feedback and love hearing from you!

This discussion has been closed.