Feature request: Unlock 1Password with a Yubikey

System
edited February 21 in Mac
This discussion was created from comments split from: Works with yubikeys? iPhone Pin protection ?.

Comments

  • gosmond (Community Member)

    Not sure if this is the right place to discuss (vs. starting a new thread), but since I saw YubiKeys mentioned I'll give it a go.

    I would like the ability to associate any number of YubiKeys (or equivalent hardware-based FIDO/WebAuthn keys) directly in the 1Password for Mac desktop app.

    I.e. for unlocking the local 1Password vault / app itself.

    When implemented with an additional 4-digit PIN code (in 1Password natively, not within the hardware-key prompt), this could improve overall 1Password security and convenience by allowing a very secure main 1Password unlock password, while making it quick and easy for the user to unlock 1Password just by tapping their YubiKey device and entering a quick 4-digit PIN code.

    Only 3 tries allowed for said PIN code, after which 1Password would fall back to requiring the full-length main 1Password-unlock password.

  • flindeberg (Community Member)

    Wouldn't local FIDO2-resident-key unlock be better? I.e., the FIDO2-key ultimately verifies user verification, through either PIN, biometrics, or something else.

  • Hello @gosmond! 👋

    Thank you for the suggestion. Can you tell me a little more about the use case here? Why would you like to unlock 1Password for Mac using a YubiKey + PIN rather than using one of the following options:

    • Your account password
    • Your fingerprint (Touch ID)
    • Your Apple Watch

    I did want to mention that we're currently testing passkey unlock in a public beta which allows you to unlock 1Password using a passkey rather than an account password. Passkeys are usually saved in a platform manager like iCloud Keychain but they can also be saved to a YubiKey. You can read more here:

    The passkey unlock beta requires that you create a special new account; passkeys can't be added to existing accounts yet. Once you've created a passkey unlock account and saved your initial passkey in a passkey manager, you can add your YubiKey.

    Please be aware that passkey unlock is still in beta so you may run into more issues than usual. If you're hesitant about using a beta then I would stick with a regular account for now.

    -Dave

  • gosmond (Community Member)
    edited February 22

    Hi Dave --

    The reason I'd like to use a Yubikey+PIN, preferentially, vs. the other options you described, is that in my view it can be configured so that it is a more-secure means of authentication in a wider range of threat scenarios.

    I.e. TouchID is very secure, until a bad actor or law enforcement compels you to use TouchID to unlock something. As there is no PIN or password required this can be done against the fingerprint-owner's will, even when the owner is unconscious.

    Account password alone is reasonably secure, until a bad actor or LE uses keystroke loggers, hidden cameras, or even advanced keyboard audio analysis to intercept the password as you type it.

    Apple Watch may or may not be secure, but it is exceedingly expensive, bulky, and difficult to keep "backup units" on hand in case it is lost, damaged or stolen.


    With multiple YubiKeys configured, esp. the tiny form-factor Nano series, it is possible to authenticate BOTH with something you have (the device) and something you know (the PIN).

    Unlike the other methods you describe, it is much harder for a bad actor to compromise your means of authentication without you knowing. If the physical Yubikey is stolen or seized, without the PIN it cannot be used.

    If the PIN code is perhaps remotely compromised (via keyboard logging, video/audio keypress interception, etc,) the attacker still also must physically possess the Yubikey device to authenticate successfully.

    It is still possible for it to be compromised, but it requires hurdling both the "something you know" and "something you have" barriers.


    Additionally, and separate from the above concerns, with a physical token + PIN required, and multiple backup tokens configured & securely stored in obscure locations, it is possible to self-enforce a no-access policy to the device by ditching or destroying any tokens in one's possession. In that case it is not even possible for an attacker to compel authentication/access, even under the worst forms of coercion.

    (But access could be restored at some later time, i.e. by retrieving a hidden/scattered backup token at a later date.)

  • gosmond (Community Member)
    edited February 22

    -- deleted, unnecessary --

  • gosmond (Community Member)
    edited February 22

    With apologies for being prolix --

    I see that 1Password already does support YubiKeys as a 2FA option, but at present it is only configured to require 2FA when initially enrolling a new device. It is encouraging to see token-style technology incorporated into 1Password; now it just needs to be strengthened to its full potential:

    I request that the YubiKey (+ YubiKey PIN, optionally) 2FA method be extended in the form of additional 1Password account preferences, as follows:

    Checkbox: "Require 2FA token on EVERY 1Password unlock, on any device (mobile/desktop/web)."

    Additional option: "...after X minutes, hours, days". (I.e. only require the 2FA token for 1Password unlock after a configurable time period since previous unlock.)

    If it is not already clear, it is also important to be able to configure 2FA-unlocking so it is the ONLY available method, not just an additional/backup method alongside plain password, TouchID, or Apple Watch.

  • @gosmond

    Thank you for the detailed feedback! I appreciate you sharing more about your use case so that I can better understand the need here. I think that our passkey unlock beta, which already allows you to use a security key to unlock a 1Password account, provides the functionality that you're looking for: Unlock 1Password with a passkey (beta)

    YubiKey security keys allow you to set a PIN so that the PIN is required before someone is able to use a saved passkey: Understanding YubiKey PINs – Yubico

    Passkey unlock is currently being tested in the beta but hopefully will be rolled out to other accounts in the future. 🙂

    -Dave
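The thread turns on one point: a YubiKey PIN only protects a passkey if the relying party asks for user verification and then refuses assertions that lack it. The following is an added example, not 1Password's code and not from Yubico; it shows the checks a relying party performs on the WebAuthn authenticator data of an assertion (rpIdHash, the UP/UV flag bits, and the signature counter) so that a touch-only assertion from a key whose PIN was never entered is rejected. The relying-party ID "example.com", the stored counter values and the authenticator-data bytes are all constructed here for illustration; signature verification over `signed_payload()` is assumed to be done separately with the credential's public key.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of the WebAuthn authenticator-data "flags" byte.
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or biometric was checked on the authenticator
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(auth_data: bytes) -> AuthData:
    """Split the fixed 37-byte authenticator-data header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return AuthData(rp_id_hash=auth_data[:32], flags=auth_data[32], sign_count=sign_count)


def check_assertion_policy(auth_data: bytes, rp_id: str, stored_sign_count: int,
                           require_uv: bool = True) -> AuthData:
    """Relying-party checks that make a security-key PIN meaningful.

    Raises PermissionError on any failure; returns the parsed header on success.
    """
    ad = parse_authenticator_data(auth_data)
    # 1. The assertion must be bound to our RP ID, not to some other site.
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise PermissionError("rpIdHash mismatch: assertion was made for a different relying party")
    # 2. Touch proves presence only; UV proves the PIN/biometric was checked.
    if not ad.flags & FLAG_UP:
        raise PermissionError("user presence (touch) not asserted")
    if require_uv and not ad.flags & FLAG_UV:
        raise PermissionError("user verification (PIN/biometric) not asserted; refusing unlock")
    # 3. A counter that fails to increase suggests a cloned authenticator.
    if (ad.sign_count != 0 or stored_sign_count != 0) and ad.sign_count <= stored_sign_count:
        raise PermissionError("signature counter did not increase: possible cloned authenticator")
    return ad


def assertion_allowed(auth_data: bytes, rp_id: str, stored_sign_count: int,
                      require_uv: bool = True) -> tuple:
    """Non-raising wrapper: (allowed, reason)."""
    try:
        check_assertion_policy(auth_data, rp_id, stored_sign_count, require_uv)
        return True, "ok"
    except (PermissionError, ValueError) as exc:
        return False, str(exc)


def signed_payload(auth_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator signed: authenticatorData || SHA-256(clientDataJSON)."""
    return auth_data + hashlib.sha256(client_data_json).digest()


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test vector (not a real YubiKey response)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.com"  # assumed RP ID for the example
    with_pin = make_auth_data(rp, FLAG_UP | FLAG_UV, 7)
    touch_only = make_auth_data(rp, FLAG_UP, 8)
    print("PIN-verified assertion:", assertion_allowed(with_pin, rp, stored_sign_count=6))
    print("touch-only assertion:  ", assertion_allowed(touch_only, rp, stored_sign_count=7))
    print("touch-only, UV optional:", assertion_allowed(touch_only, rp, 7, require_uv=False))
```

The `require_uv=True` path corresponds to the relying party requesting `userVerification: "required"` in the `navigator.credentials.get()` options; if the RP only sends `"preferred"` or `"discouraged"`, a YubiKey will happily produce a touch-only assertion and the PIN on the key adds nothing, which is the caveat behind flindeberg's and Dave's comments.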