Why is 1Password not asking for my FIDO2 PIN? + Feature Request

70853n · March 17

No user verification?

I've recently started using a YubiKey (5 Series), for which I've set a FIDO2 PIN. The purpose of the FIDO PIN is User Verification, isn't it? Neither signing in on MacOS nor on Android prompts me for the FIDO PIN. This suggests that 1Password uses Webauthn userVerification with discouraged instead of preferred. Is that so? If so, why diverging from the standard?

Benefit of user verification

The use case behind user verification is simple, isn't it? A touch, or button press alone does not verify the person using the physical security key is legitimate. If, let's say, someone purposefully steals my YubiKey (and somehow they managed to get my other credentials, email, master password and secret key), the physical security key itself doesn't provide any security anymore. I.e. the security value of said key would be solely in the hurdle of getting physical access to it. Therefore, the FIDO PIN is very much useful to prohibit invalid use of a physical security key, even if some one has illegitimate possession of it.

Feature request

Hereby I'd like to submit the following user stories to increase 1Password's product value.

User story 1

As a Personal Password Manager client
I want to be prompted for the FIDO PIN of my physical security key
at least on the first time authorizing a new or previously deauthorized device
so that the Webauthn User Verification decreases the risk of illegitimate sign ins,
while not impacting the user-experience on already authorized devices.

User story 2

As a Personal Password Manager client
I want to configure whether the FIDO PIN of a physical security key is prompted for
a) only once on initial authorization of a new or previously deauthorized device or
b) with every sign in
so that I have the benefit of user verification while
a) opting for a better user-experience on already authorized devices or
b) opting for a worse user-experience for the sake of more security.

Btw. I am aware that the always require user verification feature does not work on the Series 5 (ERROR: Always Require UV is not supported on this YubiKey.)(https://docs.yubico.com/software/yubikey/tools/ykman/FIDO_Commands.html#ykman-fido-config-options-command-args).

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

70853n · March 24

No one cares? All services where I encounter the possibility to add a FIDO key ask for the FIDO PIN, except for 1Password.

LeonidOrlov · May 2

Was surprised to find the same issue today, but I found out that PIN is required in Safari, but not on Google Chrome. Definitely needs to have a PIN asking in all browsers.

fernando91 · May 3

I absolutely agree with the OP.

Considering the importance of 1password authentication, they should absolutely force the requirement of a FIDO2 PIN.

// as a side note, I'm very surprised there's no way for the user to globally enable this requirement - it appears to be an issue with the FIDO2 spec itself. Whatever service does the authentication determines whether a PIN is needed.

Dave_1P · May 9

Hello @70853n, @fernando91, and @LeonidOrlov! 👋

Thanks for flagging this! I agree that the inconsistent requirement of a PIN is confusing, the experience should be consistent regardless of what platform or browser you're signing into and I've filed an internal work item to have our development team look into this further. The team was already planning some work in this area and we appreciate your feedback and reports.

The relevant Yubico recommendation can be found here. Specifically:

User presence is appropriate for second factor authentication (2FA).

User verification is not recommended for 2FA because the user will have already entered a shared secret (password) sent to the server over the network. In this case, explicitly set userVerification to discouraged. Otherwise, a superfluous user verification step will be required for users that have set a PIN or enrolled a fingerprint on their security key, creating a bad user experience.

Yubico, the creators of the YubiKey, themselves recommend setting userVerification to discouraged and instead advise that user presence, such as physically touching the key when authenticating, is the correct requirement for 2FA.

Unlike other services, 1Password relies on encryption rather than just authentication to protect your 1Password account and the items that you store inside of it. No one can access your 1Password account without both your account password and your Secret Key. So, if you're using a security key with 1Password, an attacker will need three things to access your 1Password account:

Your account password.
Your Secret Key.
Physical possession of your security key.

A requirement of a PIN when using a security key for 2FA, specifically when it comes to your 1Password account, doesn't seem like it would increase the security of your account in a meaningful way that would balance the inconvenience and risk of possible lockouts if you've set a PIN and then forgot it because you don't use it very often.

Let me know if that makes sense and if you have other questions. 🙂

-Dave

ref: dev/b5/b5#26430

fernando91 · May 10

@Dave_1P
Thank you for digging into this, and for your detailed analysis.

The point about requiring a PIN is relevant when your opponent is government or police, and they want to get access to your vault.

Depending on the jurisdction, you can be physically forced to give up your fingerprint. But an actual PIN is protected by the right to remain silent (e.g. 5th Amendment for Americans). I realise 1pw also requires a password, but the FIDO2 PIN is an additional layer of protection.

This is also why I never used passkeys. They are all unlocked by your device's biometric unlock. You can't force a PIN to be used, so any roadside police stop by an overzealous offier could result in compromising passkeys.

As a side note, 1pw's Secret Key is another benefit of the service. Entropy aside, nobody can threaten you to divulge the Secret Key, since nobody memorizes it.

70853n · May 13

Hello @Dave_1P! 👋🙂

Thanks a lot for your reply. I'm happy to read that the Team is already considering working in this area.

The relevant Yubico recommendation can be found here. Specifically...

True, Yubico does recommend this as stated. Though, maybe we can differentiate two scenarios here:
1) The user authorizes a new Device or a previously unauthorized one, respectively.
2) The user signs in on an authorized device.

Yubico's recommendation makes perfect sense for scenario 2), as the sign-in process would be cumbersome.
But the recommendation might not consider a situation 1), where someone is using the physical passkey on an unauthorized device. So only for an initial authorization on an unauthorized device, I'd like to be asked for the FIDO PIN. I hope the User Stories in my original post give a detailed enough description.

Dave_1P · May 15

@fernando91

If we're talking about 1Password accounts that are protected using an account password and Secret Key then you can't just unlock the account using the YubiKey alone, you need both the account password and Secret Key before the YubiKey is even asked for.

@70853n

Only the first scenario applies to 1Password since you're only ever asked for your security key the first time that you sign in to your 1Password account on a new device or browser. Once authentication has taken place, your security key is no longer needed unless you sign out of your account or deauthorize that device or browser from 1Password.com.

Can you clarify your comments a little further? I don't see any reference to "an authorized device" in the Yubico recommendation. The recommendation specifically applies to any scenario where a YubiKey is being used for two-factor authentication which would be relevant to the first scenario in your post. If a device is already "authorized" then the security key is no longer required since authentication has already taken place.

-Dave

70853n · May 16

Hi @Dave_1P,

thanks for your reply. Yubico does not differentiate authorized and unauthorized devices afaik. 1Password on the other hand does. Therefore, just Yubico's recommendation alone seem to be a bit limiting in terms of security and UX.

My point is simply this: If a new device (unauthorized by default) or an explicitly unauthorized device tries to authenticate, ask for the FIDO PIN, only during such an initial (re-)authorization.

Thanks. Best,
Tobias