Support for U2F security keys (opens in new tab)

bad_user6y ago

What happens if your house burns down with everything in it?

You’d then have to contact support to let you bypass 2FA, but if that’s possible then the 2FA protection is weak, prone to social hacking.

4 more replies

AdmiralAsshat6y ago

I tried to get mine as future-proof as possible, but I was left with a choice of either getting the Yubikey Neo with NFC or a Yubikey with USB-C.

I went with the Neo, because it supports all of my current devices, and for USB-C future testing, I tested it on my phone with an USB A-C adapter and it worked there as well. I'm a Linux/Android user without any Apple devices, though, so YMMV.

EDIT: Should also mention that I received a free basic Yubikey as a gift for subscribing to Ars Technica about a year ago. USB-to-MicroUSB and USB-to-C adapters worked on that for all of my devices, as well. I feel pretty confident switching to Yubikeys now that I have two and can keep the newish one on my keychain at all times, with the basic one in a secure place at home.

rstuart41336y ago

> I tried to get mine as future-proof as possible

I don't think that's possible right now. Until they come up with a solution to "I've lost my 2fa token" that isn't as painful as losing you wallet there will be new designs coming out. (Actually, it's more painful. You only have a few cards in your wallet, while your 2fa token may be recognised by 100's of sites.)

This isn't a criticism of FIDO2/WebAuthn. I am impressed by how each iteration solves a new part of the problem, and FIDO2 was definitely a step forward, fixing rough edges in FIDO. But we aren't there yet. We need a FIDO3 and possibly 4, 5 and 6.

izacus6y ago

Usually you just use multiple keys - one USB-C in the MacBook, one tiny USB-A in the laptop and the built-in Titan key in the Pixel phone. You don't remove them.

jwr6y ago

Aren't you effectively removing the second factor by keeping it permanently attached to each of your devices?

jiveturkey6y ago

few providers support enrolling multiple yubikeys into your account.

abstractbarista6y ago

I guess one solution is to use hardware that takes connector compatibility more seriously. I only use stuff with USB-A, and the Yubikey works with my phone via NFC (Yubico's Neo model).

Similarly, my laptop has an SD card reader and Ethernet port. My laptop and phone have 3.5mm jacks. All my small devices use micro-USB.

No dongles or adapters makes for seamless usage. I guess the only 'adapter' is keeping a micro-USB -> USB-A cable around.

kitten_smuggler6y ago

A bluetooth capable U2F device like the Titan.

kevin_nisbet6y ago

https://solokeys.com are an option as well if you like open hardware. https://github.com/solokeys/solo

I think the NFC ones are shipping after they worked out some kinks.

cbhl6y ago

Friendly reminder that "T1" Bluetooth Titan keys were recalled last month; they don't work with iOS 12.3+.

Details are available at https://security.googleblog.com/2019/05/titan-keys-update.ht...

dickeytk6y ago

you can't use that with computers. You have to use a dongle + cable to connect to new macbook pros

jwr6y ago

Either the USB-A dongle or the USB-C one should work in all of these cases with an additional dongle (sigh).

By the way: I recommend getting the larger keys, not the nanos. These nanos look cute, but especially the newer ones are intended to be fixed to one device permanently, which in my opinion is both inconvenient and not the intended usage.

I wonder if iPad apps will start supporting Yubikeys — especially with the new iPad pros and their USB-C port it seems natural.

Ideally, I'd love to see Blink integrate ssh-agent, gpg-agent and its card support, which would let me use my existing (excellent) setup for using GPG keys stored on a Yubikey for ssh (see https://github.com/drduh/YubiKey-Guide for a great writeup of this approach).

jiveturkey6y ago

krypton (https://krypt.co/). If you're ok with one dongle, you can get the A or C flavor of a yubikey neo and keep a converter permanently in the other devices.

ecesena6y ago

Given that you likely also have cable adapters and you need 1 primary key + 1 backup anyway, my recommendation would be to buy 1 usb-a and 1 usb-c.

Or you can make your own :)

iPhone/iPad is currently not solved, hopefully with iOS 13 we'll see positive news.

kop3166y ago

Fastmail uses app passwords, and I used that for my phone/tablet.

brightball6y ago

The new Yubikey's with NFC support work on my 2 year old iPhone already.

jwr6y ago

Which apps support it? Can you use it for any of the online services?

https://en.wikipedia.org/wiki/Password-authenticated_key_agr...

dwaite6y ago

That is Yubikey OTP support, not FIDO/U2F.

currymj6y ago

so it appears, no, all reasonable solutions are quite cumbersome for the time being, for an individual who wants to use many accounts anyway. a company might be able to cook up a system that works well for its employees though.

josefresco6y ago

Got a free YubiKey from Wired. Then I read that mobile is a pain, and that I really need two ... it's sat in my bag now for months, unused. I already use 2FA, and it works good enough - I'm not sold on how this will make my life better, especially on mobile.

tptacek6y ago

The primary purpose of U2F/WebAuthn is to break phishing attacks. Code-based TOTP 2FA, the kind you're probably using now, is already adequate to the task of making sure you're not credential-stuffed.

DINKDINK6y ago

>TOTP 2FA is already adequate to make sure you're not credential-stuffed.

PAKEs provide defense against both credential stuffing, (some types of) phishing/MITM, CA trust etc without UX cost (a security solution that "Just works" for users with security apathy. U2F defends against compromised user space (PAKEs would fail to protect against a key logger) and require more onerous exfiltration (either physical theft of the device or biasing the U2F keys/functions)

Wiki's:

https://cryptowiki.net/index.php?title=Password-authenticate...

Blogs:

https://blog.cryptographyengineering.com/2018/10/19/lets-tal...

[1]: https://www.yubico.com/wp-content/uploads/2018/09/yk5-diagra...

tpetry6y ago

Autofill of a password manager is a working countermeasure against phishing too: If autofill does not work there is something wrong and you should look closer...

7 more replies

devy6y ago

The free YubiKey from Wired is a base model. It doesn't have NFC/Bluetooth etc. But if you get the latest model from this article's promoted model (YubiKey 5) it will have all the bells and whistles for mobile/USB-C/contactless and even supports PIV SmartCard protocol, where you can upload a key pair you generated on your own outside of YubiKey.[1]

rtehfm6y ago

Yubico makes a Yubikey with NFC, if you're interested.

https://www.yubico.com/products/yubikey-for-mobile/

baseballdork6y ago

Solokey is also available, I just got mine in the mail.

https://solokeys.com/collections/preorder/products/copy-of-s...

jwr6y ago

Why not use both? Most places that support 2FA support both TOTP (so Authy or Google Authenticator) and/or U2F/Webauthn. So, on mobile you can copy the authenticator codes, and on your computer you don't have to, as you can use the plugged in key.

benburleson6y ago

I also got the Wired YubiKey and had the same hesitation. I ended up purchasing a newer model YubiKey with NFC; I use the new one as my primary and the older model as the backup kept at home.

benburleson6y ago

I mean, backup is kept at a super-secret-secure unidentified location.

dickeytk6y ago

I’m going to use both. TOTP most of the time, U2F in a safe at home in case I break/lose my phone

chimeracoder6y ago

> I’m going to use both. TOTP most of the time, U2F in a safe at home in case I break/lose my phone

That's backwards. TOTP is vulnerable to phishing attacks, which are the primary threat model. Far better to use U2F for daily use, and then keep a printout of the TOTP QR code in a safe at home as a backup.

evo_96y ago

I switched recently to Bitwarden. 1Passwords pricing/subscription changes was the the push I needed.

Bitwarden has been fantastic, I highly recommend it.

https://bitwarden.com

judge20206y ago

Same, but decided not to use the TOTP feature so that the password manager isn't a single point of failure.

sorum6y ago

$2.99 per month is too steep of a price to pay for your personal security? Really? I'd dump my Spotify/Apple Music/Netflix/whatever in a heartbeat, if I had to choose between paid subscriptions in my life

Fnoord6y ago

$3 per month can be a lot of money, depending on where you live and your financial situation.

Bitwarden is free as in a beer and free as in speech. Only if you want the 2FA features you need a subscription.

Then Bitwarden costs 10 USD per year. That's approx as much as 1Password asks for 3 months. Ie. Bitwarden is almost 4 times as cheap.

For that price you get a very good program with an open source frontend, and an open source backend (third party, in Ruby).

And Lastpass, after they were acquired by LogMeIn, has the balls to go from 12 USD/year to 24 USD/year. Without any additional features whatsoever a 100% price increase? That's why I went shopping. And I ended up at Bitwarden.

icebraining6y ago

I'm selling water bottles at $100/gallon. Considering water is literally essential to life, how many can I get you?

euroclydon6y ago

So this works with 1Password the website? I've been using 1Password for years, and never go to the website? How does this make my life better? Can I unlock 1Password the desktop app with the U2F key?

AGKyle6y ago

Our implementation of 2FA only happens when adding your account to a new device. Subsequent unlocks do not require any sort of 2FA except for certain conditions.

Our apps do not currently support U2F/WebAuthn when signing in, so they'll default back to TOTP based until we implement support for U2F. We aren't making any promises as to when this will arrive but at least two of our apps now have some form of support for it internally. It's far from complete and not ready for users but it is being worked on.

Note that U2F in this case is only about authentication, not decryption of data. This is why it's only used on initial setup of your account on a new device. The cryptography side for unlocking 1Password is entirely independent of U2F/MFA.

Hope that helps but let me know if you have any questions.

Kyle

1Password

iscrewyou6y ago

> So while it works great as your second factor in those browsers, for now you’ll still need an authenticator app set up to use with the 1Password desktop and mobile apps (and any unsupported browsers).

mevile6y ago

If this is the sort of thing where I can just tell 1password this device is OK with 2 factor, once per device, I could use this. If this the sort of thing that whenever I wanted to lookup a password, forget it. Even if I had to two it once a week or once a month I wouldn't bother. Maybe if I were paranoid about being a target I would, but I'm not.

wereHamster6y ago

Literally the first paragraph:

> Last year we added two-factor authentication to provide another layer of protection for your 1Password account. When this is enabled, you are prompted to enter your second factor any time you sign in from a new device.

If you read it carefully, you'll have the answer to your question.

jehteh6y ago

Switched from lastpass to gnu pass and storing my private subkeys on a couple of yubikeys has actually worked really well for me (took a few days to get my head around gpg and smartcard setup, but that was worth doing even if I didn't setup pass). That said, I am running android, windows/WSL and ubuntu; other platforms may not be so painless.

zymhan6y ago

It appears via the screenshot that you can have multiple 2FA devices, which is great. I love my Yubikey in theory, but in practice I'm only using it for services where I can have a TOTP or SMS 2FA backup method, because I'm not convinced it will always work or be available. Even if having SMS 2FA enabled negates any security benefits of the Yubikey.

Thus far it's just Dropbox and Gitlab that I use it for, since they're among the few services that allow multiple 2FA methods to be used at the same time.

I believe SMS 2FA does not _completely_ negates it, in the sense that if you use your Yubikey all the time (except when you lose it) you still get for instance all the phising protection. Of couse if someone targets you directly, then yes, you lose most of the advantages since SMS 2FA is pretty easy to break.

graton6y ago

All the services that I have used with U2F support have supported multiple keys. Google, Gitlab, Github, and some others which I forget.

They have all worked with Yubico U2F keys and with the Google Titan keys. Pretty convenient way to have two factor authentication. I like the Yubikey 5 Nano as you can leave it plugged into a port in your laptop all the time.

xur176y ago

> All the services that I have used with U2F support have supported multiple keys. Google, Gitlab, Github, and some others which I forget.

I've run into a number of services that only allow a single U2F key (it's been a while, so I don't remember the exact ones). Even if they do support multiple U2F keys, how do you handle enrolling both? I keep my backup key offsite, so ideally I could enroll it without physically possessing the device. If I have both in my possession at all times (or even sometimes), I'm at risk of losing both of them.

swhitt6y ago

All services except for AWS.

chimeracoder6y ago

> All the services that I have used with U2F support have supported multiple keys. Google, Gitlab, Github, and some others which I forget.

AWS and Twitter are two services which only allow a single U2F device.

AGKyle6y ago

Correct, you can add several devices. You can have TOTP + U2F devices or just U2F devices or just TOTP.

It's as simple as clicking the button to add another, and walking through the steps. Just be sure to name them in such a way that you can tell them apart. I typically use the identifier on the key itself. It's usually printed somewhere opposite the USB contacts.

Kyle

1Password

dickeytk6y ago

I have 3 yubikeys to avoid this problem

GoMonad6y ago

How do you manage keeping all the keys "synced" in terms of which services they are registered with.

I keep keys in separate locations for safety, but that makes adding all keys to a new account a big pain.

This hasn't been a big problem yet because there are so few services that support the keys, but I wonder how people would manage it if it became widespread.

zymhan6y ago

Yeah that's exactly the situation I don't want to be in.

nevir6y ago

Which services that support U2F do not support multiple devices (that you care about)?

ben10406y ago

Last I checked, Twitter supports U2F, but only allows enrolling one key.

edit: I guess the thread is referring to multiple fallbacks that aren't U2F, but even still, if you're relying solely on U2F it's good practice to have more than one key lest you lose it and get locked out.

https://www.yubico.com/products/yubikey-fips/

zymhan6y ago

I haven't kept a running list, but just checking a few services I use at work, and Terraform Enterprise doesn't appear to support more than one 2FA method being enabled at a time.

bloopernova6y ago

I'm seeing several links to different physical keys in the comments. Is there somewhere/someone that verifies these keys? Like a 3rd party testing/standards body?

I've always had it drilled into me that doing crypto yourself is fraught with peril. It seems that doing hardware would be doubly dangerous. I'd want more verification that the implementation is correct and "strong".

klodolph6y ago

I think verification that the implementation is correct is easy enough, which implies that it is "strong", because these devices simply implement a spec.

What you might want to look at is things like hardware hardening or side channels. (Whether or not you consider this a matter of "correctness" can be argued, but here I would consider correct = implements correct algorithm.)

I think attacks against U2F devices are fairly difficult because you can't really use them as any kind of oracle, just due to the way the user interface works. But I am not a crypto expert, I just know how U2F works.

dkanejs6y ago

There are FIPS versions of Yubi Keys:

These are validated by NIST (National Institute of Standards):

https://csrc.nist.gov/Projects/Cryptographic-Module-Validati...

ecesena6y ago

https://fidoalliance.org/

Note that most keys are level-1 certified, i.e. against online attacks. Physical attacks are generally not much important, because if an attacker has access to your key, he can simply use it. (unless you went through the additional hassle to set a pin, but very few people do it.)

toastal6y ago

I've had an OnlyKey for a couple of years now. It offer 12 slots per profile and 2 profiles, and the slots supporting TOTP, U2F, Yubikey, plaintext and a whole lot of other tools. With the configuration app and firmware open source, I'm really surprised I've never seen anyone else with one.

HungSu6y ago

https://onlykey.io/ I assume you mean this - it looks great!

hamburglar6y ago

This looks awesome and I wish I could use it. Could you guys also consider bringing back the completely-offline mode that doesn't make my password manager depend on a 3rd party service? I'm prohibited by company policy from using my favorite password manager because of this.

AGKyle6y ago

You mean the licensed version? It never went away.

When you launch you'll be prompted to purchase. On the screens near the bottom there is a line of text about purchasing a license, go that route instead of signing up for the 1Password.com service.

Kyle

1Password

hamburglar6y ago

Interesting. If this is the case, I think you have a communications problem. I was under the impression that after 6.0, the only way to get a license was to have your older one grandfathered. I can't find any information about this on your website. All of the options on your product info pages other than "enterprise (email us for a quote)" show monthly subscriptions only.

Where can I see product info about the licensed version? Can you provide a link?

efesak6y ago

Try https://www.enpass.io (I sync db through Dropbox but you can use almost whatever you want...)

technofiend6y ago

Just thought I'd mention that PayPal recently quietly added TOTP second factor support. It's not u2f but it's better than SMS. Perhaps u2f is in the cards now since they're listening to customer feedback on the issue.

vmurthy6y ago

For those of you who have the desktop version - it looks like U2F support is a work in progress:

"So while it works great as your second factor in those browsers, for now you’ll still need an authenticator app set up to use with the 1Password desktop and mobile apps (and any unsupported browsers)"

charlietango926y ago

only tangential, but I've wanted to carry my Yubikey on my keyring, but have always been nervous about making it unreadable by sullying the contacts. Should I be concerned about this? Where do you all carry them?

hdabrows6y ago

That's how I've been carrying mine for the last four years and it's fine. I think you're more likely to lose it than to damage it. I have a second one that's identical (registered to the same services) that I keep in a safe place.

jbergknoff6y ago

I came across https://www.thingiverse.com/thing:2588513 in some Reddit thread about this, got it printed on my public library's 3d printer, and it's been pretty nice. (Had to etch some grooves in the sides of the Yubikey so there's something to grab it to pull it out of the sheath, but that wasn't a big deal)

wiredfool6y ago

I’ve hade one for 10 years or more and it’s fine. It’s a durable little thing.

remus6y ago

I've had mine on a keyring for 6 months and it hasn't shown any signs of wear. I'd be surprised if it doesn't last at least another 18 months.

I've had a "blue" Yubikey (the one around 20$) on my keyring for 2.5 years. Still works like a charm. Very robust stuff.

btrettel6y ago

After about 6 months of use, my blue Yubikey is tarnished but functions as intended.

equalunique6y ago

I carry mine on my key ring. No issues since I bought it around 3 years ago.

xaduha6y ago

I'm using this with a contactless smartcard, works just fine on Android https://github.com/tsenger/CCU2F

dexterdog6y ago

Hasn't this been in Bitwarden and Lastpass for a while now?

jasongill6y ago

Bitwarden might (not sure), but Lastpass only supports Yubikey's TOTP implementation, not U2F, and they seem to have no real motivation to support U2F based on their support ticket responses

dcbadacd6y ago

In Bitwarden, yes.

sleepybrett6y ago

So this only applies to 1password.com not the desktop app synced through cloudprovider/filetransfer/whatnot?

shay_ker6y ago

Can you use Yubikey NFC to do 2FA on most/all iOS apps? That's my biggest barrier to getting a Yubikey.

afturner6y ago

Finally! Been waiting for this

javagram6y ago

I have never used 1password.com.

Adding 2FA to it is great but I think the best security is likely still just to sync and use local apps for this data, to avoid being exposed to any JavaScript vulnerabilities or if 1password.com were ever hacked.

jmull6y ago

I've been using 1password for some years, but I'm not even sure what the use case for the web site is.

I have a "vault" (1password's term for an encrypted file containing passwords and related info) that's sync'd across devices through dropbox (and accessed through a locally installed app), which I think is what you're suggesting.

Anyway, I think there's no particular need to access passwords through the site.

I'd definitely feel uncomfortable typing my 1password vault password into a web page or anything else besides the apps.

alienreborn6y ago

1Password has Wifi Sync option too.

javagram6y ago

Yep! 1password is great. I do use their cloud sync service with all the apps, I just don’t ever use the website or the browser extensions to limit my exposure.

https://9to5mac.com/2018/05/22/yubikey-neo-iphone-lastpass/

j / k navigate · click thread line to collapse

161 comments

currymj6y ago

I have long debated getting a Yubikey but have held off because I don't want to have to carry around several dongles at all times to be able to send an email.

Surely other people are in the situation of:

- iPhone, iPad

- Macbook with only USB-C ports

- Windows/Linux workstation with only USB-A ports

Is there currently a non-cumbersome solution that will work on all of these?

cbhl6y ago

It's cumbersome, but less so than when we were plugging and unplugging our one hardware USB-A OTP token into everything (and using a desktop web browser to generate OTPs for the phones).

If you do end up getting a security key, I recommend getting at least two. If one fails, you'll want the other one as a backup so that you can get back into your accounts.

mtgx6y ago

NFC keys should work for iOS, too, now:

bad_user6y ago

What happens if your house burns down with everything in it?

You’d then have to contact support to let you bypass 2FA, but if that’s possible then the 2FA protection is weak, prone to social hacking.

4 more replies

AdmiralAsshat6y ago

I tried to get mine as future-proof as possible, but I was left with a choice of either getting the Yubikey Neo with NFC or a Yubikey with USB-C.

rstuart41336y ago

> I tried to get mine as future-proof as possible

izacus6y ago

Usually you just use multiple keys - one USB-C in the MacBook, one tiny USB-A in the laptop and the built-in Titan key in the Pixel phone. You don't remove them.

jwr6y ago

Aren't you effectively removing the second factor by keeping it permanently attached to each of your devices?

jiveturkey6y ago

few providers support enrolling multiple yubikeys into your account.

abstractbarista6y ago

I guess one solution is to use hardware that takes connector compatibility more seriously. I only use stuff with USB-A, and the Yubikey works with my phone via NFC (Yubico's Neo model).

Similarly, my laptop has an SD card reader and Ethernet port. My laptop and phone have 3.5mm jacks. All my small devices use micro-USB.

No dongles or adapters makes for seamless usage. I guess the only 'adapter' is keeping a micro-USB -> USB-A cable around.

kitten_smuggler6y ago

A bluetooth capable U2F device like the Titan.

kevin_nisbet6y ago

https://solokeys.com are an option as well if you like open hardware. https://github.com/solokeys/solo

I think the NFC ones are shipping after they worked out some kinks.

cbhl6y ago

Friendly reminder that "T1" Bluetooth Titan keys were recalled last month; they don't work with iOS 12.3+.

Details are available at https://security.googleblog.com/2019/05/titan-keys-update.ht...

dickeytk6y ago

you can't use that with computers. You have to use a dongle + cable to connect to new macbook pros

jwr6y ago

Either the USB-A dongle or the USB-C one should work in all of these cases with an additional dongle (sigh).

I wonder if iPad apps will start supporting Yubikeys — especially with the new iPad pros and their USB-C port it seems natural.

jiveturkey6y ago

krypton (https://krypt.co/). If you're ok with one dongle, you can get the A or C flavor of a yubikey neo and keep a converter permanently in the other devices.

ecesena6y ago

Given that you likely also have cable adapters and you need 1 primary key + 1 backup anyway, my recommendation would be to buy 1 usb-a and 1 usb-c.

Or you can make your own :)

iPhone/iPad is currently not solved, hopefully with iOS 13 we'll see positive news.

kop3166y ago

Fastmail uses app passwords, and I used that for my phone/tablet.

brightball6y ago

The new Yubikey's with NFC support work on my 2 year old iPhone already.

jwr6y ago

Which apps support it? Can you use it for any of the online services?

https://en.wikipedia.org/wiki/Password-authenticated_key_agr...

dwaite6y ago

That is Yubikey OTP support, not FIDO/U2F.

currymj6y ago

josefresco6y ago

tptacek6y ago

DINKDINK6y ago

>TOTP 2FA is already adequate to make sure you're not credential-stuffed.

Wiki's:

https://cryptowiki.net/index.php?title=Password-authenticate...

Blogs:

https://blog.cryptographyengineering.com/2018/10/19/lets-tal...

[1]: https://www.yubico.com/wp-content/uploads/2018/09/yk5-diagra...

tpetry6y ago

Autofill of a password manager is a working countermeasure against phishing too: If autofill does not work there is something wrong and you should look closer...

7 more replies

devy6y ago

rtehfm6y ago

Yubico makes a Yubikey with NFC, if you're interested.

https://www.yubico.com/products/yubikey-for-mobile/

baseballdork6y ago

Solokey is also available, I just got mine in the mail.

https://solokeys.com/collections/preorder/products/copy-of-s...

jwr6y ago

benburleson6y ago

I also got the Wired YubiKey and had the same hesitation. I ended up purchasing a newer model YubiKey with NFC; I use the new one as my primary and the older model as the backup kept at home.

benburleson6y ago

I mean, backup is kept at a super-secret-secure unidentified location.

dickeytk6y ago

I’m going to use both. TOTP most of the time, U2F in a safe at home in case I break/lose my phone

chimeracoder6y ago

> I’m going to use both. TOTP most of the time, U2F in a safe at home in case I break/lose my phone

evo_96y ago

I switched recently to Bitwarden. 1Passwords pricing/subscription changes was the the push I needed.

Bitwarden has been fantastic, I highly recommend it.

https://bitwarden.com

judge20206y ago

Same, but decided not to use the TOTP feature so that the password manager isn't a single point of failure.

sorum6y ago

Fnoord6y ago

$3 per month can be a lot of money, depending on where you live and your financial situation.

Bitwarden is free as in a beer and free as in speech. Only if you want the 2FA features you need a subscription.

Then Bitwarden costs 10 USD per year. That's approx as much as 1Password asks for 3 months. Ie. Bitwarden is almost 4 times as cheap.

For that price you get a very good program with an open source frontend, and an open source backend (third party, in Ruby).

icebraining6y ago

I'm selling water bottles at $100/gallon. Considering water is literally essential to life, how many can I get you?

euroclydon6y ago

So this works with 1Password the website? I've been using 1Password for years, and never go to the website? How does this make my life better? Can I unlock 1Password the desktop app with the U2F key?

AGKyle6y ago

Our implementation of 2FA only happens when adding your account to a new device. Subsequent unlocks do not require any sort of 2FA except for certain conditions.

Hope that helps but let me know if you have any questions.

Kyle

1Password

iscrewyou6y ago

mevile6y ago

wereHamster6y ago

Literally the first paragraph:

If you read it carefully, you'll have the answer to your question.

jehteh6y ago

zymhan6y ago

Thus far it's just Dropbox and Gitlab that I use it for, since they're among the few services that allow multiple 2FA methods to be used at the same time.

graton6y ago

All the services that I have used with U2F support have supported multiple keys. Google, Gitlab, Github, and some others which I forget.

xur176y ago

> All the services that I have used with U2F support have supported multiple keys. Google, Gitlab, Github, and some others which I forget.

swhitt6y ago

All services except for AWS.

chimeracoder6y ago

> All the services that I have used with U2F support have supported multiple keys. Google, Gitlab, Github, and some others which I forget.

AWS and Twitter are two services which only allow a single U2F device.

AGKyle6y ago

Correct, you can add several devices. You can have TOTP + U2F devices or just U2F devices or just TOTP.

Kyle

1Password

dickeytk6y ago

I have 3 yubikeys to avoid this problem

GoMonad6y ago

How do you manage keeping all the keys "synced" in terms of which services they are registered with.

I keep keys in separate locations for safety, but that makes adding all keys to a new account a big pain.

This hasn't been a big problem yet because there are so few services that support the keys, but I wonder how people would manage it if it became widespread.

zymhan6y ago

Yeah that's exactly the situation I don't want to be in.

nevir6y ago

Which services that support U2F do not support multiple devices (that you care about)?

ben10406y ago

Last I checked, Twitter supports U2F, but only allows enrolling one key.

https://www.yubico.com/products/yubikey-fips/

zymhan6y ago

I haven't kept a running list, but just checking a few services I use at work, and Terraform Enterprise doesn't appear to support more than one 2FA method being enabled at a time.

bloopernova6y ago

I'm seeing several links to different physical keys in the comments. Is there somewhere/someone that verifies these keys? Like a 3rd party testing/standards body?

klodolph6y ago

I think verification that the implementation is correct is easy enough, which implies that it is "strong", because these devices simply implement a spec.

dkanejs6y ago

There are FIPS versions of Yubi Keys:

These are validated by NIST (National Institute of Standards):

https://csrc.nist.gov/Projects/Cryptographic-Module-Validati...

ecesena6y ago

https://fidoalliance.org/

toastal6y ago

HungSu6y ago

https://onlykey.io/ I assume you mean this - it looks great!

hamburglar6y ago

AGKyle6y ago

You mean the licensed version? It never went away.

When you launch you'll be prompted to purchase. On the screens near the bottom there is a line of text about purchasing a license, go that route instead of signing up for the 1Password.com service.

Kyle

1Password

hamburglar6y ago

Where can I see product info about the licensed version? Can you provide a link?

efesak6y ago

Try https://www.enpass.io (I sync db through Dropbox but you can use almost whatever you want...)

technofiend6y ago

vmurthy6y ago

For those of you who have the desktop version - it looks like U2F support is a work in progress:

charlietango926y ago

hdabrows6y ago

jbergknoff6y ago

wiredfool6y ago

I’ve hade one for 10 years or more and it’s fine. It’s a durable little thing.

remus6y ago

I've had mine on a keyring for 6 months and it hasn't shown any signs of wear. I'd be surprised if it doesn't last at least another 18 months.

I've had a "blue" Yubikey (the one around 20$) on my keyring for 2.5 years. Still works like a charm. Very robust stuff.

btrettel6y ago

After about 6 months of use, my blue Yubikey is tarnished but functions as intended.

equalunique6y ago

I carry mine on my key ring. No issues since I bought it around 3 years ago.

xaduha6y ago

I'm using this with a contactless smartcard, works just fine on Android https://github.com/tsenger/CCU2F

dexterdog6y ago

Hasn't this been in Bitwarden and Lastpass for a while now?

jasongill6y ago

Bitwarden might (not sure), but Lastpass only supports Yubikey's TOTP implementation, not U2F, and they seem to have no real motivation to support U2F based on their support ticket responses

dcbadacd6y ago

In Bitwarden, yes.

sleepybrett6y ago

So this only applies to 1password.com not the desktop app synced through cloudprovider/filetransfer/whatnot?

shay_ker6y ago

Can you use Yubikey NFC to do 2FA on most/all iOS apps? That's my biggest barrier to getting a Yubikey.

afturner6y ago

Finally! Been waiting for this

javagram6y ago

I have never used 1password.com.

jmull6y ago

I've been using 1password for some years, but I'm not even sure what the use case for the web site is.

Anyway, I think there's no particular need to access passwords through the site.

I'd definitely feel uncomfortable typing my 1password vault password into a web page or anything else besides the apps.

alienreborn6y ago

1Password has Wifi Sync option too.

javagram6y ago

Yep! 1password is great. I do use their cloud sync service with all the apps, I just don’t ever use the website or the browser extensions to limit my exposure.