This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Multi-factor authentication (ex: Yubikeys)

John L
John L Junior Member
Please add support for multi-factor authentication, and soon? I need to use a password management system on my work machine (it's allowed) but I don't because their system monitoring software can easily pick up my password that I have to use to unlock 1Password. Please, please, [i]please[/i] add support for multi-factor authentication? On that note, I have a Yubikey and would love to see you guys offer support for using one in conjunction with 1Password.

Comments

  • John, I have to plead ignorance. :( Can you tell us what "multifactor validation" is? It sounds like it might be (for example) a login form with, say, a security question or "captcha" image, in addition to the username and password—is that right? If so, 1Password interacts with forms, saving the values entered for fields on a form and later filling those same values into the same fields. I don't see how it could provide values for random questions.

    Also, can you explain how you envision a Yubikey working with 1Password?

    Thanks (and sorry for my cluelessness)!
  • Stefan von Dutch
    Stefan von Dutch Community Moderator
    edited February 2011
    How about us adding a virtual keyboard to the master password window? Would that help you?
  • Stefan von Dutch
    Stefan von Dutch Community Moderator
    [quote name='John L' timestamp='1297216580' post='20274']

    I have a Yubikey and would love to see you guys offer support for using one in conjunction with 1Password.

    [/quote]

    When you run your Yubikey in "static password" mode, then you can use your Yubikey with 1Password today.
  • To work only with a master password is not very secure. I would like to see 1Password supporting two-factor authentication with a one time password token (hardware, not software http://en.wikipedia.org/wiki/File:RSA-SecurID-Tokens.jpg)
  • I was reviewing password software available (currently a 1Password user for cross-platformness, coming from KeePass) and was looking at LastPass and saw they supported Yubikeys. One time passwords and other multifactor authentication is a very good thing to support. I urge Agile to very seriously consider something like this. The devices themselves are quite cheap ($25 single, $15 in bulk (50x)) and they seem to have very open developer and integration support, so I think it would be very easy to utilize in 1Password and give 1Password a critical feature that your competition implements. (They also do grid authentication.)

    I think Agile needs to get out there and poke around more at competing products so you stay competitive and up to date.
  • [quote name='ChristianM' timestamp='1297427147' post='20426']

    To work only with a master password is not very secure.

    [/quote]

    Christian, I'm sorry your message seems to have been overlooked. :(

    Welcome to the forum (wa-a-ay overdue!) and thanks for your suggestion.

    Please note that your master password is an absolute lock: without it, a bad guy has essentially NO chance of getting to your 1Password data, so the security of that data is directly proportional to the "guessability" (the simplicity or complexity) of your master password. The usual rules for creating good passwords apply.
  • [quote name='Chris Epler' timestamp='1312468245' post='36732']

    I was reviewing password software available (currently a 1Password user for cross-platformness, coming from KeePass) and was looking at LastPass and saw they supported Yubikeys. One time passwords and other multifactor authentication is a very good thing to support. I urge Agile to very seriously consider something like this.

    [/quote]

    Thanks, Chris.

    Please see [url="http://forum.agile.ws/index.php?/topic/3539-multi-factor-authentication-ex-yubikeys/page__view__findpost__p__20295"]Stefan's post, above[/url].
  • Chris Epler
    edited August 2011
    Yes, I'm aware that Yubikeys support static passwords. I'd like to see the ability to use OTPs with 1Password, not simply accepting keyboard input but some ACTUAL SUPPORT, and frankly I find the response to just use static mode a very lackadaisical response.
  • DBrown
    DBrown
    edited August 2011
    [b]lackadaisical[/b] [i]adj[/i]

    [indent] lacking enthusiasm and determination; carelessly lazy[/indent]

    I'm sorry you feel that way, Chris.

    I can assure you that [i]no[/i] features are missing from 1Password because of a lack of enthusiasm or determination or as a result of careless laziness.

    We're only human, though, and there are only 24 hours in our day, too.

    We apologize for any inconvenience caused by our not yet having implemented the kind of support for Yubikeys that you'd like to see in 1Password, and we thank you for your patience.
  • Stefan von Dutch
    Stefan von Dutch Community Moderator
    edited August 2011
    [quote name='Chris Epler' timestamp='1312761011' post='37557']

    Yes, I'm aware that Yubikeys support static passwords. I'd like to see the ability to use OTPs with 1Password, not simply accepting keyboard input but some ACTUAL SUPPORT, and frankly I find the response to just use static mode a very lackadaisical response.

    [/quote]

    Suppose our Windows version would support this. Then there is always the ability to unlock your keychain on other platforms (iOS, Android) which do not support the Yubikey.

    Not to mention: you can always unlock your keychain in the web browser via JavaScript (1PasswordAnywhere is doing this) without OTPs.

    Unless all platforms support the Yubikey and there is no way around it, adding support for the Yubikey to our Windows version would not be opportune.
  • brenty
    edited August 2011
    Never mind "opportune". It would be a hack unless it was built into the data format itself. Security by obscurity is not really a solution.

    In the case of Yubikey and other OTP (one-time password) solutions, an internet connection is also necessary because the code cannot be validated against itself or the system it is being used on, since that wouldn't really be an additional discrete factor, and if they were compromised it would be just as trivial to capture the code generator along with the Master Password and the data.

    We have had [url="http://forum.agile.ws/index.php?/topic/4716-feature-request-multi-factor-authentication/"]some great discussions[/url] about this on the Mac forums, but one of the main obstacles to implementing something like this that I can see is in the same vein of what Stefan mentioned. In this case, however, 1Password was designed with local storage and access in mind. While a lot of what it does involves logging into websites, a lot of people (myself included) store important information in it that is useful offline (financial information, personal documentation, licenses, etc.). Being without an active internet connection would render a remotely validated MFA token (such as YubiKey, RSA, Verisign, or Vasco) useless and result in one's data being inaccessible.

    It is still early, and there is not a clear best solution in this area. In time, hopefully a better solution will emerge and this area will become more standardized. I long for a day when I can use my cell phone itself or something else I already have with me as a second factor to authenticate at the bank, the DMV, the airport, and online. We will have to wait and see how things shake out. :)
  • Chris Epler
    edited August 2011
    http://static.yubico.com/var/uploads/pdfs/Yubikey%20Client%20COM%20API.pdf

    http://forum.yubico.com/viewtopic.php?f=4&t=632

    As for mobile devices you could simply have a list maintained in the database of authorized mobile devices that do not require MFA, like how LastPass does it by UUID for iOS devices.
  • Challenge-response mode also looks interesting:

    [url="http://www.yubico.com/challenge-response-tools"]http://www.yubico.com/challenge-response-tools[/url]

    In this mode the Yubikey would be like a dongle authentication token where it's sent a challenge and a response is given and compared, so if the key doesn't respond properly then the software can lock up the database, or unlock (or allow it to unlock with the master password).
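To make the challenge-response idea in the post above concrete, here is an added Python sketch of how a vault could fold a YubiKey HMAC-SHA1 challenge-response into its key derivation. It is not 1Password's code, not Yubico's library, and not a description of how any shipping product works. The device is simulated in software (a real key answers a 1..64-byte challenge with HMAC-SHA1 over a 20-byte secret that never leaves the hardware); the vault layout (a stored random challenge, the response mixed into the PBKDF2 salt, an HMAC verifier for the unlock check), the iteration count and the names `SimulatedYubiKey`, `create_vault` and `unlock_vault` are assumptions made for this illustration.

```python
"""Sketch of a vault unlock that mixes a YubiKey HMAC-SHA1 challenge-response
into the key derivation.  Constructed illustration; the device is simulated."""
import hashlib
import hmac
import os

UNLOCK_TAG = b"vault-unlock-check"  # constant used only to build the verifier


class SimulatedYubiKey:
    """Stand-in for a YubiKey slot programmed for HMAC-SHA1 challenge-response.

    A real key holds a 20-byte secret that never leaves the device and answers
    a challenge (1..64 bytes) with HMAC-SHA1(secret, challenge).  This class
    reproduces only that arithmetic; there is no USB I/O here.
    """

    def __init__(self, secret: bytes):
        if len(secret) != 20:
            raise ValueError("HMAC-SHA1 challenge-response secrets are 20 bytes")
        self._secret = secret

    def challenge_response(self, challenge: bytes) -> bytes:
        if not 1 <= len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_vault_key(master_password: str, salt: bytes, response: bytes) -> bytes:
    """Derive the vault key from BOTH factors.

    The device response is folded into the PBKDF2 salt, so a captured master
    password alone (keylogger, monitoring software) yields the wrong key.
    Iteration count and layout are assumptions for this sketch.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt + response, 100_000, dklen=32)


def create_vault(master_password: str, key: SimulatedYubiKey) -> dict:
    """Produce the header a vault would persist: salt, fixed challenge, verifier.

    The challenge is random per vault and stored in the clear; the response is
    recomputed by the device at every unlock and is never written to disk.
    """
    salt = os.urandom(16)
    challenge = os.urandom(32)
    response = key.challenge_response(challenge)
    vault_key = derive_vault_key(master_password, salt, response)
    verifier = hmac.new(vault_key, UNLOCK_TAG, hashlib.sha256).digest()
    return {"salt": salt, "challenge": challenge, "verifier": verifier}


def unlock_vault(vault: dict, master_password: str, key: SimulatedYubiKey) -> bool:
    """Re-derive the key with the presented password and device; True on match.

    Validation is entirely local (no network), unlike a Yubico OTP code that
    has to be checked by a validation server.
    """
    response = key.challenge_response(vault["challenge"])
    vault_key = derive_vault_key(master_password, vault["salt"], response)
    candidate = hmac.new(vault_key, UNLOCK_TAG, hashlib.sha256).digest()
    return hmac.compare_digest(candidate, vault["verifier"])


if __name__ == "__main__":
    # Constructed secrets: in practice the slot secret is set when the key is programmed.
    my_key = SimulatedYubiKey(bytes(range(20)))
    other_key = SimulatedYubiKey(bytes(20))
    vault = create_vault("correct horse battery staple", my_key)
    print("password + my key   :", unlock_vault(vault, "correct horse battery staple", my_key))    # True
    print("password + other key:", unlock_vault(vault, "correct horse battery staple", other_key))  # False
    print("wrong pw + my key   :", unlock_vault(vault, "hunter2", my_key))                          # False
```

Two things the sketch makes visible that the thread argues over in prose: because HMAC-SHA1 challenge-response is verified locally, the offline-access objection raised against server-validated OTP codes does not apply to this mode; and because the response is part of the key itself rather than a gate in front of it, any client that lacks the device (a browser-only or mobile client, as Stefan notes) cannot derive the key at all, which is exactly why support would have to live in the data format rather than in one platform's unlock dialog.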
  • DBrown
    DBrown
    edited August 2011
    Thanks, Chris.

    We never say "never," but I know of no plans to expand the current level of support for Yubikeys.

    Again, we apologize for any inconvenience, and we thank you for your patience.
  • Stefan von Dutch
    Stefan von Dutch Community Moderator
    [quote name='Chris Epler' timestamp='1313066051' post='38516']

    Challenge-response mode also looks interesting:

    [url="http://www.yubico.com/challenge-response-tools"]http://www.yubico.co...-response-tools[/url]

    In this mode the Yubikey would be like a dongle authentication token where it's sent a challenge and a response is given and compared, so if the key doesn't respond properly then the software can lock up the database, or unlock (or allow it to unlock with the master password).

    [/quote]

    This would not stop someone from unlocking your keychain using some other route where our software is not involved (the JavaScript route, for example).