Forum Discussion
System
2 years ago
Super Contributor
Feature request: Unlock 1Password with a Yubikey
This discussion was created from comments split from: Works with yubikeys? iPhone Pin protection ?.
27 Replies
- 1P_Dave
Moderator
Thanks for reaching out! Unlocking 1Password with a passkey (including one saved on your security key) is still being tested as part of our public beta. If you'd like to give it a try then you can use the steps in the article that I shared earlier. For your convenience, here's the article again: Unlock 1Password with a passkey (beta)
I don't have a release date for when passkey unlock will be released outside of the beta but the team is working as hard as possible to get that done.
> Forcing password each time just incentivizes people to use a weak master password which is very counter productive.
You can choose to be prompted for your account password less often if you wish: How to set 1Password to lock automatically
Alternatively, you can choose to unlock 1Password using biometrics, an Apple Watch (on Mac), or Windows Hello (on Windows) instead of having to use your account password each time:
Mac:
* Use Touch ID to unlock 1Password on your Mac
* Use your Apple Watch to unlock 1Password on your Mac
Windows:
* Use Windows Hello to unlock 1Password on your Windows PC
I hope that helps.
-Dave
- maxamaxa2
New Contributor
1P_Dave
Was on the verge of throwing 1pass under the bus since it's so frustrating to type the password to log in all the time, but as a last resort I searched the forum and came across this. Auto-sign in when signed in to windows with a yubikey, alternatively signing in to 1pass with yubikey would be a great enhancement and much more user friendly. Forcing password each time just incentivizes people to use a weak master password which is very counter productive.
We are now in August, any sign of a real release date for the new feature?
- 1P_Dave
Moderator
Thank you for the detailed feedback! I appreciate you sharing more about your use case so that I can better understand the need here. I think that our passkey unlock beta, which already allows you to use a security key to unlock a 1Password account, provides the functionality that you're looking for: Unlock 1Password with a passkey (beta)
YubiKey security keys allow you to set a PIN so that the PIN is required before someone is able to use a saved passkey: Understanding YubiKey PINs – Yubico
Passkey unlock is currently being tested in the beta but hopefully will be rolled out to other accounts in the future. 🙂
-Dave
- gosmond
New Contributor
With apologies for being prolix --
I see that 1Password already does support YubiKeys as a 2FA option, but it is at present only configured to require a 2FA option when initially enrolling a new device. It is encouraging to see token-style technology incorporated into 1Password, now it just needs to be strengthened to its full potential:
I request that the YubiKey (+ YubiKey PIN, optionally) 2FA method be extended in the form of additional 1Password account preferences, as follows:
Checkbox: "Require 2FA token on EVERY 1Password unlock, on any device." (Mobile/desktop/web.)
Additional option: "...after X minutes, hours, days". (I.e. only require the 2FA token for 1Password unlock after a configurable time period since previous unlock.)
If it is not already clear, it is also important to be able to configure 2FA-unlocking so it is the ONLY available method, not just an additional/backup method alongside plain password, TouchID, or Apple Watch.
- gosmond
New Contributor
Hi Dave --
The reason I'd like to use a Yubikey+PIN, preferentially, vs. the other options you described, is that in my view it can be configured so that it is a more-secure means of authentication in a wider range of threat scenarios.
I.e. TouchID is very secure, until a bad actor or law enforcement compels you to use TouchID to unlock something. As there is no PIN or password required this can be done against the fingerprint-owner's will, even when the owner is unconscious.
Account password alone is reasonably secure, until a bad actor or LE uses keystroke loggers, hidden cameras, or even advanced keyboard audio analysis to intercept the password as you type it.
AppleWatch may or may not be secure but it is exceedingly expensive, bulky, and difficult to keep "backup units" on-hand in case it is lost, damaged or stolen.
With multiple YubiKeys configured, esp. the tiny form-factor Nano series, it is possible to authenticate BOTH with something you have (the device) and something you know (the PIN).
Unlike the other methods you describe, it is much harder for a bad actor to compromise your means of authentication without you knowing. If the physical Yubikey is stolen or seized, without the PIN it cannot be used.
If the PIN code is perhaps remotely compromised (via keyboard logging, video/audio keypress interception, etc.), the attacker still also must physically possess the Yubikey device to authenticate successfully.
It is still possible for it to be compromised but it requires hurdling of _both_ the "something you know" and "something you have" barriers.
Additionally and separate from the above concerns, with a physical token + PIN required, and multiple backup tokens configured & securely stored in obscure locations, it is possible to self-enforce a no-access policy to the device by ditching or destroying any tokens in one's possession. In that case it is not even possible for an attacker to compel authentication/access, even under the worst forms of coercion.
(But access could be restored at some later time, i.e. by retrieving a hidden/scattered backup token at a later date.)
- 1P_Dave
Moderator
Hello gosmond! 👋
Thank you for the suggestion. Can you tell me a little more about the use case here? Why would you like to unlock 1Password for Mac using a YubiKey + PIN rather than using one of the following options:
- Your account password
- Your fingerprint (Touch ID)
- Your Apple Watch
I did want to mention that we're currently testing passkey unlock in a public beta which allows you to unlock 1Password using a passkey rather than an account password. Passkeys are usually saved in a platform manager like iCloud Keychain but they can also be saved to a YubiKey. You can read more here:
The passkey unlock beta requires that you create a special new account; passkeys can't be added to existing accounts yet. Once you've created a passkey unlock account and saved your initial passkey in a passkey manager, you can add your YubiKey.
Please be aware that passkey unlock is still in beta so you may run into more issues than usual. If you're hesitant about using a beta then I would stick with a regular account for now.
-Dave
- mike48397289
Frequent Contributor
Ideally the passkey unlock function would work with a passkey store on a yubikey
On android pixel 8 pro - I currently see no option to use an external security passkey
On Windows I do - so that's good - except you still need access to your email password if you are on a fresh device so they have displaced the password to your email provider
I would not describe the current solution as ideal or even good, and it is only passwordless with some large caveats
Will 1P fix both the above? Who knows....I would love them to
- flindeberg
New Contributor
Wouldn't local FIDO2-resident-key unlock be better? I.e., the FIDO2-key ultimately verifies user verification, through either PIN, biometrics, or something else.
- gosmond
New Contributor
Not sure if this is the right place to discuss (vs. starting a new thread,) but since I saw YubiKeys mentioned I'll give it a go.
I would like the ability to associate any number of YubiKeys (or their equivalent hardware-based FIDO / webauthn equivalents) directly in the 1Password for Mac desktop app.
I.e. for unlocking the local 1Password vault / app itself.
When implemented with an additional 4-digit PIN code (in 1Password natively, not within the hardware-key prompt), this could improve overall 1Password security and convenience by allowing a very secure main 1Password unlock password, while making it quick and easy for the user to unlock 1password just by tapping their YubiKey device and entering a quick 4-digit PIN code.
Only 3 tries allowed for said PIN code, after which 1Password would fall back to requiring the full-length main 1Password-unlock password.