This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Feature Request: Multi-Factor Authentication

RSA SecurID Token, et al

An RSA SecurID token is a small hardware device or piece of software that generates random-ish strings (say 6 digits) at a specified interval (say every 30 seconds). Using E-Trade as an example, here's how the process works.



1) Assume my current userid/pass is: joeblow/weaksauce.



2) I'm issued an RSA SecureID device from E-Trade. This device has a serial number that is mapped to my E-Trade account.



3) When logging into E-Trade, I look at the RSA token. Assume it says "451 294" right now. I enter "joeblow" for userid and "451294weaksauce" for password.



What I would like is to store "joeblow" and "weaksauce" (or a real 1Password generated password) in 1Password. Then I'd like to mark the E-Trade account as needing a hardware token, and specify the pattern ("######password" or "password#####"). Then when I cmd-\ on the E-Trade site I would like 1Password to ask me for the current RSA token string of numbers, then have 1Password autofill the concatenated result on the E-Trade site.



This would be an incredibly useful feature in 1Password. RSA SecurID tokens are used in many bank and nearly all corporate VPN logins. I'm really only familiar with RSA, so I only covered digits and prepend and append modes for password entry, but I bet that covers nearly the entire set of deployed users.





Please!
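The fill rule kbyrd is asking for, written out as an added example (this is not 1Password code and not part of the original post): a pattern with a run of `#` marks where the token digits go and `password` marks the stored secret, and the concatenation is only built once the token has the expected number of digits. The pattern strings, the `weaksauce` password and the `451 294` token are the values from the post; the function name and the whitespace handling (hardware tokens often display digits in groups) are assumptions.

```python
import re

# Constructed examples of the two patterns the request describes.
PREFIX_PATTERN = "######password"   # six token digits, then the stored password
SUFFIX_PATTERN = "password######"   # stored password, then six token digits


def combine_token_and_password(pattern: str, static_password: str, token: str) -> str:
    """Build the string the login form expects from a pattern, the stored password
    and a freshly read token.

    The pattern uses the literal word 'password' as the placeholder for the stored
    secret and a run of '#' for the token digits; the run length is the number of
    digits the site expects. The token may be typed the way the display shows it,
    e.g. "451 294", so whitespace is removed before checking it (assumption).
    """
    digits = re.sub(r"\s+", "", token)
    if not digits.isdigit():
        raise ValueError("token must consist of digits only")

    match = re.fullmatch(r"(#+)password|password(#+)", pattern)
    if match is None:
        raise ValueError("pattern must be '#...#password' or 'password#...#'")

    hashes = match.group(1) or match.group(2)
    if len(digits) != len(hashes):
        # Refuse to fill rather than submit a malformed credential.
        raise ValueError(f"expected {len(hashes)} token digits, got {len(digits)}")

    if match.group(1):          # prepend mode
        return digits + static_password
    return static_password + digits   # append mode


if __name__ == "__main__":
    print(combine_token_and_password(PREFIX_PATTERN, "weaksauce", "451 294"))
    print(combine_token_and_password(SUFFIX_PATTERN, "weaksauce", "451 294"))
```

The combined string is assembled only for the fill and is never stored; the only persistent secrets are the static password and the pattern.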

Comments

  • Hi, kbyrd, and welcome to the forums!



    I really hate for us to start off on the wrong foot, but you should know that RSA was recently [url="http://www.engadget.com/2011/03/18/rsa-hacked-data-exposed-that-could-reduce-the-effectiveness-o/"]compromised[/url]. They are being really cagey about what the bad guys actually got away with, but you may want to get a new SecurID key at the very least.



    With that out of the way, I am a big fan of multifactor authentication, and I really like your idea. Unfortunately, this could be a difficult thing to implement. A big part of the reason is that there is no real standard for how multifactor authentication tokens are requested or entered. I have two such MFA devices myself, and the services they are used to access have very different authentication methods, even than the one in your example. Never mind that there are innumerable conventions for even plain vanilla username/password authentication! One consideration is that MFA services are businesses competing to be The One source and provider of MFA solutions, so they have little to no interest in working together toward greater interoperability. That's probably the biggest stumbling block on the road to standards that could be used to improve the user experience. So while this is definitely something we will be looking at for the future, it could be a while before this is feasible.



    The good news is, it sounds like your situation is just right for a clever little hack I came up with! Since your username and password are static, and 1Password fills them sequentially, you may be able to do the following:



    [list=1]

    [*]Enter your username and password into the fields on the login page.

    [*]Instead of submitting the form, click the 1Password toolbar button.

    [*]Manually save the Login item.

    [*]In 1Password, Edit the Login item.

    [*]Change the "Submit" value to "Never."

    [*]Return to the site and use 1Password to fill your (partial) login credentials.

    [*]At this point, the cursor should be at the end of your filled password, so press the UP ARROW on your keyboard.

    [*]This will make the cursor jump to the beginning of your password, and -- voilà! -- just type in the token from your key and submit the form!

    [/list]



    I'm excited to share this, and I hope you found the tip useful. Also, I apologize if you were at all put off by the RSA tale of woe. These things happen, unfortunately, and our best defense is awareness. The more information we have, the better equipped we are to assess risk and make the best choice to mitigate a threat to our data security. And thanks for bringing this up. It is definitely something we are thinking about going forward, and knowing our customers' needs is the first step toward meeting them. :)



    P.S: I can only hope that, as a 1Password fan, your real password is [i]not[/i] weaksauce -- either literally [i]or[/i] figuratively! I like it. :lol:





    [quote name='kbyrd' timestamp='1302124371' post='24096']

    An RSA SecurID token is a small hardware device or piece of software that generates random-ish strings (say 6 digits) at a specified interval (say every 30 seconds). Using E-Trade as an example, here's how the process works.



    1) Assume my current userid/pass is: joeblow/weaksauce.



    2) I'm issued an RSA SecureID device from E-Trade. This device has a serial number that is mapped to my E-Trade account.



    3) When logging into E-Trade, I look at the RSA token. Assume it says "451 294" right now. I enter "joeblow" for userid and "451294weaksauce" for password.



    What I would like is to store "joeblow" and "weaksauce" (or a real 1Password generated password) in 1Password. Then I'd like to mark the E-Trade account as needing a hardware token, and specify the pattern ("######password" or "password#####"). Then when I cmd-\ on the E-Trade site I would like 1Password to ask me for the current RSA token string of numbers, then have 1Password autofill the concatenated result on the E-Trade site.



    This would be an incredibly useful feature in 1Password. RSA SecurID tokens are used in many bank and nearly all corporate VPN logins. I'm really only familiar with RSA, so I only covered digits and prepend and append modes for password entry, but I bet that covers nearly the entire set of deployed users.





    Please!

    [/quote]
  • [quote name='brenty' timestamp='1302157782' post='24128']

    Hi, kbyrd, and welcome to the forums!



    I really hate for us to start off on the wrong foot, but you should know that RSA was recently [url="http://www.engadget.com/2011/03/18/rsa-hacked-data-exposed-that-could-reduce-the-effectiveness-o/"]compromised[/url]. They are being really cagey about what the bad guys actually got away with, but you may want to get a new SecurID key at the very least.

    [/quote]

    Thanks for the warning, I am aware of the unfolding RSA situation.









    [quote name='brenty' timestamp='1302157782' post='24128']

    With that out of the way, I am a big fan of multifactor authentication, and I really like your idea. Unfortunately, this could be a difficult thing to implement. A big part of the reason is that there is no real standard for how multifactor authentication tokens are requested or entered. I have two such MFA devices myself, and the services they are used to access have very different authentication methods, even than the one in your example. Never mind that there are innumerable conventions for even plain vanilla username/password authentication! One consideration is that MFA services are businesses competing to be The One source and provider of MFA solutions, so they have little to no interest in working together toward greater interoperability. That's probably the biggest stumbling block on the road to standards that could be used to improve the user experience. So while this is definitely something we will be looking at for the future, it could be a while before this is feasible.

    [/quote]

    Ahh, I've only been issued and only talked with people with RSA-brand tokens, and these all seem to display some stream of characters which either acts as the password entirely (1Password couldn't help here) or (more commonly) is prepended or appended to a password. I figured by supporting this last mode, 1Password would be useful for the majority of the market. But, as I said, I made a big assumption having only been issued RSA-type devices.









    [quote name='brenty' timestamp='1302157782' post='24128']

    The good news is, it sounds like your situation is just right for a clever little hack I came up with! Since your username and password are static, and 1Password fills them sequentially, you may be able to do the following:



    [list=1]

    [*]Enter your username and password into the fields on the login page.

    [*]Instead of submitting the form, click the 1Password toolbar button.

    [*]Manually save the Login item.

    [*]In 1Password, Edit the Login item.

    [*]Change the "Submit" value to "Never."

    [*]Return to the site and use 1Password to fill your (partial) login credentials.

    [*]At this point, the cursor should be at the end of your filled password, so press the UP ARROW on your keyboard.

    [*]This will make the cursor jump to the beginning of your password, and -- voilà! -- just type in the token from your key and submit the form!

    [/list]

    [/quote]

    Thanks for this. This is what I ended up doing before the original post and it seemed so mechanical it made me think 1Password could do it all internally after capturing the current token sequence from a dialog.



    [quote name='brenty' timestamp='1302157782' post='24128']

    P.S: I can only hope that, as a 1Password fan, your real password is [i]not[/i] weaksauce -- either literally [i]or[/i] figuratively! I like it. :lol:

    [/quote]



    Of course not! It's some impossible to pronounce, insanely long string of letters, digits, and symbols.
  • brenty
    edited April 2011
    I'm glad to hear back from you. It's good to hear that you're as inventive as you are security conscious! (More so than I am, since you came up with that first!)



    Another thought I had reading your response is in regards to the mechanism employed by one of the services I use with a one-time password generator: The login page has 3 main fields: one for the username, password, and the generated token; but if I fill the first two and leave the third empty, I will be prompted separately after I submit the form. This makes it a bit easier, since I can just have 1Password autosubmit initially, and then enter my token manually when prompted. Of course the other I use has a much more convoluted authentication process...



    You make a very good point about it being "mechanical." In an instance like this I have no doubt that the Agile devs could implement something like this in the future, given the time. Unfortunately, as a small team we really have to prioritize and allocate resources for features that will improve the experience for the greatest percentage of people. So you and I might have to wait a bit. :mellow:



    On the other hand, MFA is certainly growing, so it could reach a critical mass sooner than we think, and then the guys might have no choice but to move on this at the expense of other features. ;)



    If there are other folks out there using other providers for multifactor authentication, please speak up. We are at our best when armed with customer feedback!



    Personally, I have used MFA keys from the following providers over the years:



    [list]

    [*]Blizzard

    [*]PayPal

    [*]Verisign

    [/list]



    While I haven't used theirs personally, RSA would be on that list, and I am sure there are more. I think the Blizzard key is from Vasco, and PayPal may be using Verisign's if I recall correctly. I would love to hear about others' experiences. :)



    [quote name='kbyrd' timestamp='1302191198' post='24156']

    Thanks for the warning, I am aware of the unfolding RSA situation.



    Ahh, I've only been issued and only talked with people with RSA-brand tokens, and these all seem to display some stream of characters which either acts as the password entirely (1Password couldn't help here) or (more commonly) is prepended or appended to a password. I figured by supporting this last mode, 1Password would be useful for the majority of the market. But, as I said, I made a big assumption having only been issued RSA-type devices.



    Thanks for this. This is what I ended up doing before the original post and it seemed so mechanical it made me think 1Password could do it all internally after capturing the current token sequence from a dialog.



    Of course not! It's some impossible to pronounce, insanely long string of letters, digits, and symbols.

    [/quote]
  • Took a bit to figure out what [url=http://www.acronymfinder.com/Multi_Factor-Authentication-(login-security)-(MFA).html]MFA[/url] meant here. :)
  • kbyrd
    edited April 2011
    [quote name='brenty' timestamp='1302207457' post='24176']



    Personally, I have used MFA keys from the following providers over the years:



    [list]

    [*]Blizzard

    [*]PayPal

    [*]Verisign

    [/list]

    [/quote]



    I understand prioritizing work, I write software too. I figured you all would only do this if there was enough demand. I'm hoping my post uncovers that demand.



    Ok, to add to the list:

    [list]

    [*] E-Trade (MFA key was SecurID by RSA)

    [*] Juniper SSL VPN for two different employers (MFA key was SecurID by RSA both times)

    [/list]
  • khad
    khad Social Choreographer
    Thanks for those additional MFA providers, kbyrd! We genuinely appreciate the feedback. As it sounds like you already know from personal experience, it really does help to know what our customers are looking for in order to better gauge where we should be channeling our resources.



    This is something we are excited about ourselves. Thanks for letting us know you are interested too. We will see how things progress in this area.



    Cheers!
  • [quote name='sjk' timestamp='1302209612' post='24177']

    Took a bit to figure out what [url=http://www.acronymfinder.com/Multi_Factor-Authentication-(login-security)-(MFA).html]MFA[/url] meant here. :)

    [/quote]



    Sorry. I really should have been more clear (and diligent -- thanks for clarifying that for me, sjk!) ;)
  • I'd first searched this topic for a parenthetical "(MFA)" to follow the first use of its non-acronymed expansion before looking elsewhere. :)
  • jpgoldberg
    jpgoldberg Agile Customer Care
    I've been thinking a lot about 1Password and multi-factor authentication (MFA) for a while now (from well before the breach of RSA's SecurID).



    On the one hand, more of our users are using these systems, and so we certainly need to look at ways to improve 1Password to make things easier for people. 1Password is designed to make "doing the easy thing" the same as "doing the secure thing".



    On the other hand, MFA is an attempt to solve "the password problem" by making knowledge of passwords less important. That is, MFA systems are designed to hold up despite the fact that people have weak and reused passwords. 1Password addresses the password problem differently by making it easy to have strong unique passwords. It's not so much that these two approaches conflict, but they don't really complement each other very much either. If you have strong unique passwords for each site and you store those passwords securely, MFA adds no real security.



    But just because I feel that the people who use 1Password don't need MFA doesn't mean that everyone will feel that way or be given the choice even if they agree with me. Thus we need to look at ways to make 1Password more MFA friendly. That process is not very advanced at the moment, and so discussions like this about how people use MFA systems are extremely valuable to us.



    So please keep the comments, thoughts and observations coming.



    Cheers,



    -j
  • [quote name='jpgoldberg' timestamp='1302317188' post='24322']

    But just because I feel that the people who use 1Password don't need MFA doesn't mean that everyone will feel that way or be given the choice even if they agree with me. Thus we need to look at ways to make 1Password more MFA friendly. That process is not very advanced at the moment and so discussions like this about how people use MFA systems is extremely valuable to us.

    [/quote]



    It's the "or be given the choice" thing.



    1Password and MFA are in different markets. Well, that's not quite accurate. You sell to different people. I want to log into my company's VPN? I use Juniper SSL tied to RSA SecurID. I don't pick it. Juniper and RSA marketed and sold to my corp IT folks, not me. Even when I'm on the VPN, I have a domain/NIS password. Plus a couple of both intranet and outsourced but still work-related passwords using traditional user/pass authentication. I don't choose any of that.



    1Password, on the other hand, is my choice as an end-user. You market and sell to me. I buy 1Password for similar reasons as my corp IT folks bought from Juniper & RSA: we want to secure things, but in my case, I'm buying in response to what others have imposed. From my point of view, MFA is sort of (OK, I'm stretching here) like just another weird set of restrictions on password length and complexity. Being a new 1Password user, I tend to think of 1Password as my way to log into things. I could care less (not really, I have natural curiosity) about what's going on under the hood; when presented with an authentication of any sort on my computer, I want to solve it with 'cmd-\'. MFA is just another one of those to me.



    What I said above about not choosing MFA isn't completely true. I did opt in to MFA from E-Trade, but then they chose SecurID. But, that's only because a friend had a serious account breach. It turns out that if you know the account number, mailing zip, and social sec number, you can retrieve the userid and then change the password on an account. In his case, someone stole some mail.
  • jsfrederick
    jsfrederick Junior Member
    edited April 2011
    If you all are really looking at MFA for 1Password, I also recommend the Yubikey by Yubico (www.yubico.com). I already have one and it works great. I think they have a free Developers Toolkit that give you what you need for integration.
  • [Deleted User]
    edited April 2011
    [quote name='jsfrederick' timestamp='1302367942' post='24398']

    If you all are really looking at MFA for 1Password, I also recommend the Yubikey by Yubico (www.yubico.com).[/quote]

    There's a lot of discussion about it in:



    [url=http://forum.agile.ws/index.php?/topic/3-suggestion-yubikey-support/]Suggestion YubiKey Support[/url]



    … and elsewhere (as search results for [i]YubiKey[/i] will reveal).
  • I'm looking at the following:



    1password (love the UI, don't mind the price), lastpass (love yubikey, hate the interface), keepass (hate the interface even more).



    I want to use 1password however I'm scared of the following scenario because my GMail recently got "hacked".



    I have 2 computers + iPhone. (one MBP, one PC).



    I'm not worried about my MBP but if I'm syncing my 1password file in Dropbox between the computers and someone gets ahold of my PC, they'd be able to potentially keylog my master password and then acquire my file from Dropbox then they'd have access to everything in the password list.



    Am I too paranoid to be thinking that, or is that type of vector something to be afraid of? Because of this, it makes me feel like I really want a multi-factor authentication method to really protect me. And I don't see any solution to multi-factor authentication with 1password, so ultimately if someone has my "master password" and has my "password list" I'm screwed, and since that's not a far cry from being impossible I'm not sure this is the ideal solution and may have to be forced to use lastpass which really freaking SUCKS in terms of the UI.



    Thoughts?
  • [Deleted User]
    edited May 2011
    anonymousfishy,



    Welcome to the Forums!



    I understand your worries. I'm not kidding when I say that I had several of your same concerns. A lot of research and reading brought me to AgileBits (1Password and Knox, specifically), but I was still a bit skeptical of whether my data was secure. Certainly, there is almost always a daily article regarding security breaches. LastPass and Dropbox have both had recent coverage, but they are not alone.



    Personally, I have grown to have a lot of faith in the AB team's explanations as to why 1Password...and Knox...are unlikely to be compromised. I am not even remotely learned enough in the areas of encryption or code breaking to offer more than an opinion on the subject, but based on what I've read, I am confident that AB's security methods are safe enough for my needs.



    As I mentioned, I am not qualified to offer evidence of this company's product security, but I am positive there will be posts from those in the company who will give you his or her honest opinion(s). I've always appreciated the fact that when an AB staff member doesn't know an answer, you are told exactly that.



    In the interim, you may find the following blog post an interesting read: [url="http://blog.agile.ws/2011/04/dropbox-security-questions/"]Dropbox Security Questions[/url]



    The blog is written by one of AB's top security gurus, Jeff Goldberg. I've read many of his Forum responses to security questions, and we've corresponded via personal messages. I have a very high regard for his knowledge, and he ALWAYS shoots it straight. No salesmanship. Just the facts.



    I'm betting Jeff will respond to your post, but there are several other AB staff and Forum members who are knowledgeable in the encryption/security arena, and I believe you will hear from some of them too.



    As you specifically mentioned the potential threat of keyloggers, you may find the following article interesting [url="http://mackeyloggerprotection.com/"]How to Protect Your Mac From Keyloggers[/url] (the article was written by one of AgileBits' co-founders, Dave Teare)



    Eventually, I hope your worries are mitigated to the point that you are as confident as I am with the application and my security. I wish I knew enough about the underlying code to provide more comfort, but suffice it to say that Dave, Jeff and the rest of the AB team have convinced me that I'm as safe as I can be at this time.



    Thank you for posting your comments. I suspect more people than you realize feel as you do. In the beginning, I know I sure did.



    Brandt
  • anonymousfishy
    edited May 2011
    Thanks for the response. That article doesn't touch on the biggest issue of them all: if your computer is compromised (not even physically) but over the internet, someone potentially has access to your local hard drive and or dropbox, and then they have your master password list. If they've gotten that far they could probably figure out a way to keylog your master password and you're pretty much SOL... unless you have another form of authentication.
  • [Deleted User]
    edited May 2011
    [quote name='anonymousfishy' timestamp='1305168989' post='26801']

    Thanks for the response. That article doesn't touch on the biggest issue of them all: if your computer is compromised (not even physically) but over the internet, someone potentially has access to your local hard drive and or dropbox, and then they have your master password list. If they've gotten that far they could probably figure out a way to keylog your master password and you're pretty much SOL... unless you have another form of authentication.

    [/quote]



    As I stated earlier, I am not an encryption guy, so I wouldn't feel right claiming that you are "safe" from a physical or remote compromise. However, from discussions I've followed on this Forum and on the Internet, I am led to believe that even if an attacker compromised your hard drive and/or Dropbox account, the 1Password data file is still unlikely to be decrypted, and therefore, your passwords would not be known.



    While waiting for the true encryption experts to respond, please take a look at this article from AB's website: [url="http://help.agile.ws/1Password3/cloud_storage_security.html"]Security of storing 1Password data in the Cloud[/url]



    The following quote may address one of the issues that you mentioned:



    [quote]When we first designed 1Password we anticipated that some users would have their computers stolen. The same security measures that we built into the [url="http://help.agile.ws/1Password3/agile_keychain_design.html"]design of the Agile keychain[/url] for dealing with the theft of a computer also keep your private data safe should cloud storage be compromised.[/quote]



    Attacking the 1Password data file is further discussed in the following blog post: [url="http://blog.agile.ws/2011/05/defending-against-crackers-peanut-butter-keeps-dogs-friendly-too/"]Defending Against Crackers[/url]



    However, from your reply, I believe you are more concerned that after hacking your computer, an individual could install a keylogger on your system and "phone home" your Master Password for later use. To this point, I have no more than a basic understanding as to the feasibility of such an attack. Actually, Dave's keylogger article summarizes about all I know...and that is just because I read it. :)



    I wish I could offer more than ignorance, but I am keen to hear what the AB "experts" have to say.



    Thanks again for posting the questions.



    Brandt
  • Interesting stuff here [url="http://www.kimpl.com/847/secure-online-cloud-storage-service/#more-847"]My link[/url]



    HTH



    C
  • brenty
    edited May 2011
    First, welcome to the forums, anonymousfishy and Catcher! And thanks for your responses, bswins! :D



    Thanks for the link there, too, Catcher. That provides a bit of an overview of those storage solutions. It is always important to get different perspectives when trying to navigate everything that's available and make an informed decision. B)



    So I will try to address your concerns, anonymousfishy. Foremost is the issue of having your system compromised. While we all hope this never happens to us, in this day and age you absolutely have to be aware of the risks and stay vigilant. Asking questions like this and -- more importantly -- doing some independent research of your own is key, and I am happy to see that you are doing just that!



    It sounds like you are concerned about a scenario where 1) your Mac is secure, 2) your PC is not, and 3) you are sync'ing your 1Password data between the two, for instance, over Dropbox. You are absolutely correct that this poses a risk. And it is crucial to be aware of the risks, however slight, especially when your personal, private data is at stake. You are right in surmising that the PC is a significant attack vector in this scenario, with all of its vulnerabilities. The thing to keep in mind, though, is that in the case that any of your systems are compromised -- whether physically or over the internet -- it won't matter if you are using 1Password, LastPass, KeePass, or some kind of unencrypted stickynotes app. If an attacker has access to your system, having your data encrypted just means that they need to get the key, and, in our scenario, that would be your Master Password for your 1Password data file. The most important thing you can do is make sure they do not get in in the first place, by using malware protection, virus scanning, a firewall, and staying up to date with all security patches and -- most importantly -- practicing "safe surfing" by not going to untrusted websites or opening attachments in email. The very fact that you are concerned about these things means that you have given (and continue to give) internet security the thought and attention it deserves. It is, after all, your data on the line when connected. All we can do is give you the tools. :)



    Multifactor authentication can definitely be a huge benefit, but in the scenario we are discussing, the attacker already has access to your machine and, therefore, your data itself -- [b]as well as[/b] your encryption key and, by extension, your One Time Password from any MFA (such as a Yubikey) you use via a keylogger. They can get whatever they need right from you! :o



    As far as 1Password is concerned, I happen to be a huge fan of the UI myself. I have not used KeePass, but LastPass is a great service (with a lot of transparency with regards to security -- if I had a hat, it would be off to them!) that absolutely does its best to keep your data secure, given the limitations inherent to a cloud service. Where 1Password is less accessible to a degree (remotely, multiplatform), we benefit from data being locally stored, because the user has complete control over their data, and, if necessary, 1Password can be used completely offline to store and access sensitive data. I guess what I am getting at is each solution has its tradeoffs. In the end, you have to decide which of these (or any others) is the best fit for you. :)



    To that end, please do not hesitate to ask any other questions you might have. Should you choose 1Password, we want you to do so because it fits your needs (and, okay, maybe because it is ever-so-pretty, too -- but that's just icing on the cake!)



    I am really glad you brought this up, because having these things discussed openly only serves to increase awareness, if nothing else. I hope I was able to address some of your concerns. If I missed something, or if there is something else you are curious about, just let me know! :D
  • anonymousfishy
    edited May 2011
    I definitely appreciate the reply, and yes in this case a yubikey would be compromised with 1password if all it's doing is "entering a password" at the touch of a button. However with the way Lastpass authentication works even if they grabbed the key to access the password file from the yubikey it wouldn't work a second time, they'd need the yubikey itself.



    I'm more worried about an external attack that phones home rather than a physical one compromising my system.



    I really wish 1Password had a way to verify physically... I really don't want to use LastPass.
  • anonymousfishy
    edited May 2011
    Is there any indication that 1Password will add OTP (one time password) support in the near future? Either through Yubikey or the way Google does it through the iPhone?
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Hi Anonymousfishy and Catcher.



    First of all, you are absolutely correct that a compromised machine is, well, compromised. Nothing on it can be fully trusted once it is compromised. And because this is more of a concern at the moment for Windows machines, we've added a "virtual keyboard" input mechanism in 1Password for Windows.



    Of course, that will only defend against traditional key loggers and cannot defend against a sophisticated and targeted attack against such virtual keyboards. To date, however, we aren't aware of such attacks, so the virtual keyboard does provide a real layer of practical protection.



    The single use key mechanism provided by Yubikey is, unfortunately, not available to us with the way that 1Password works with your data. The kinds of protocols used to get the single use keys to do their magic require communication with a trusted server away from your machine.



    So Yubikey's utility is limited to web (or other) remote services. 1Password is completely local. (Yes, I know that we do great cloud syncing through Dropbox, but the actual use of 1Password is completely local.)



    So at the moment we aren't in a position to offer the kind of thing you are discussing here. However, we are always looking ahead and multi-factor authentication with a physical dongle is among the things we think about. But "thinking about" doesn't mean "planning at this time."



    I really want to thank you for initiating this discussion. These are often hard and subtle questions. There are advantages and disadvantages to our design of always connecting to local data only. One of the disadvantages is that single use keys are harder to implement. One of the advantages is that we don't have a single, high value target for someone to attack.



    This leads to something I have a tendency to rattle on about. People often say that there is a trade off between "convenience and security." I feel that that is wrong. We work to make doing the convenient thing also the secure thing. But this doesn't mean that there aren't security trade-offs that we have to make. But these are almost always between security in one respect for security in another.



    Okay. Enough of my preaching. I'm being called to dinner.



    Cheers,



    -j
  • Thanks, I appreciate the reply.



    This really comes down to, "So if they have your master password they have all the passwords to everything? Uhh...."



    That just feels... unsafe to me.



    So, I was looking into possibly using a TrueCrypt volume on a USB to prove a physical location instead of Dropbox, but now I read that 1Password doesn't work with a TrueCrypt volume? You guys are really shooting me in the foot here trying to go the extra effort for strong security.



    *sigh*
  • brenty
    edited May 2011
    [quote name='anonymousfishy' timestamp='1305248080' post='26841']

    This really comes down to, "So if they have your master password they have all the passwords to everything? Uhh...."



    That just feels... unsafe to me.

    [/quote]



    Hmm. I guess I really don't fully understand what you are getting at. If you replace "Master Password" with "encryption key," this is true of any and all data. I must be missing something... :huh:



    [quote]

    So, I was looking into possibly using a TrueCrypt volume on a USB to prove a physical location instead of Dropbox, but now I read that 1Password doesn't work with a TrueCrypt volume? You guys are really shooting me in the foot here trying to go the extra effort for strong security.

    [/quote]



    As far as using TrueCrypt is concerned, their full disk encryption is transparent and should work just fine. It's the removable volumes that we have trouble with. We want your 1Password data to be secure, but not at the expense of integrity. Volumes can be corrupted and damaged if data is not fully written and they are not unmounted properly; and this is a lot more of a risk with a USB dongle or cable and drives that are bus powered or can come unplugged. This is why we don't just power off our computers; we shut them down.



    [quote]

    I'm more worried about an external attack that phones home rather than a physical one compromising my system.

    [/quote]



    I think maybe this is where I am misunderstanding you. When I read "external," I guess I am assuming a network attack of some kind. Conversely, malware and such that needs to "phone home" would seem to suggest an internal threat [i]resident[/i] in your system. A "physical" threat generally refers to a person in [i]proximity[/i] to your system at home or in the workplace, who could either take the hardware itself or copy data to a removable drive...or just install a keylogger and walk away. Obviously, there can be combinations of these as well.



    I guess the point I was trying to make was that no matter what service you use, you need to use a strong password because it is possible in any case that your data could be accessed, either locally or remotely. The encryption ensures that someone with access cannot automatically read the data, and a strong password ensures that they cannot guess or brute force the password in a humanly reasonable timeframe.



    Hopefully we can get to the point where we can either agree or disagree. Right now I feel like I am still trying to pin down what we are debating! :lol:



    Thanks for your patience. :)
  • jpgoldberg
    jpgoldberg Agile Customer Care
    [quote name='anonymousfishy' timestamp='1305248080' post='26841']

    This really comes down to, "So if they have your master password they have all the passwords to everything? Uhh...."

    [/quote]

    They need both your master password and your 1Password data, but yes. Password management systems really do increase security in huge ways. One trade-off is that all your eggs are in one basket.



    I'm not ruling out some sort of multi-factor access system, but we certainly don't have anything like that yet.



    [quote]

    So, I was looking into possibly using a TrueCrypt volume on a USB to prove a physical location instead of dropbox but now I read that 1password doesn't work with a TrueCrypt volume?[/quote]



    Because 1Password's data format is broken up into separate files for each item, operation of 1Password is file system intensive. Our experience is that it just doesn't work reliably on non-local disks.



    However, feel free to give that a try. It may work for you. Let us know how it goes.



    Cheers,



    -j
    You may want to take a look at what the guys at Versaneo GmbH are doing. They are the people behind pidder - [url="https://www.pidder.com"]pidder[/url]



    C
  • khad
    khad Social Choreographer
    [quote]You may want to take a look at what the guys at Versaneo GmbH are doing.[/quote]

    Anything in particular? I have looked at pidder, but I am not seeing the connection to this thread. Perhaps I missed something. :mellow:
    Well, as the OP had mentioned other apps that can look after passwords, I thought I'd throw pidder into the pot. I actually use it for social networking but am aware that it can manage passwords. Not trying to drive your potential customers away.



    I'm a huge fan of 1P :)



    C
    [quote name='brenty' timestamp='1305261073' post='26847']

    Hmm. I guess I really don't fully understand what you are getting at. If you replace "Master Password" with "encryption key," this is true of any and all data. I must be missing something... :huh:



    As far as using TrueCrypt is concerned, their full disk encryption is transparent and should work just fine. It's the removable volumes that we have trouble with. We want your 1Password data to be secure, but not at the expense of integrity. Volumes can be corrupted and damaged if data is not fully written and they are not unmounted properly; and this is a lot more of a risk with a USB dongle or cable and drives that are bus powered or can come unplugged. This is why we don't just power off our computers; we shut them down.



    I think maybe this is where I am misunderstanding you. When I read "external," I guess I am assuming a network attack of some kind. Conversely, malware and such that needs to "phone home" would seem to suggest an internal threat [i]resident[/i] in your system. A "physical" threat generally refers to a person in [i]proximity[/i] to your system at home or in the workplace, who could either take the hardware itself or copy data to a removable drive...or just install a keylogger and walk away. Obviously, there can be combinations of these as well.



    I guess the point I was trying to make was that no matter what service you use, you need to use a strong password because it is possible in any case that your data could be accessed, either locally or remotely. The encryption ensures that someone with access cannot automatically read the data, and a strong password ensures that they cannot guess or brute force the password in a humanly reasonable timeframe.



    Hopefully we can get to the point where we can either agree or disagree. Right now I feel like I am still trying to pin down what we are debating! :lol:



    Thanks for your patience. :)

    [/quote]



    Thank YOU for your patience as well and to the admins that responded.



    It really comes down to this, which is why I can't choose to use 1Password: if I got ahold of your 1Password file and your master password, I'd have access to all your pw's and other data you keep (bank accounts, SSN, etc).



    If 1Password supported multi-factor authentication then you'd still be safe in that situation.



    This is a deal breaker to me. I can't put my eggs all in one basket when the attack vector isn't insanely unreasonable to compromise it all.



    Thank you for clearing this up for me.
  • brenty
    edited May 2011
    [quote name='anonymousfishy' timestamp='1305282319' post='26864']

    Thank YOU for your patience as well and to the admins that responded.

    [/quote]



    My pleasure! [url="http://www.schneier.com/crypto-gram-0005.html#1"]Security is a process[/url], and I enjoy a good security discussion any day. :)



    [quote]

    It really comes down to this which is why I can't choose to use 1password: [b]If I got ahold of your 1password file, and your master password[/b] I'd have access to all your pw's and other data you keep (bank accounts, SSN, etc).



    [b]If 1Password supported multi-factor authentication then you'd still be safe in that situation.[/b]

    [/quote]



    I disagree wholeheartedly. That's the crux of it, I guess. Maybe I am too tired to think straight, but I am having trouble coming up with a scenario in which MFA would help. For example, how did someone get both your data and your password to begin with? If they put a keylogger in your system, they can easily intercept the OTP from your YubiKey as well. If aliens abduct you and subject you to torture to get your password, couldn't they just get you to tell them where your data and MFA dongle are as well? In the case of LastPass, the decryption key is stored on your system as well. While this means LastPass can't decrypt your data, anyone with enough access to your system can get that along with your password.



    [b]There is no way to both [i]have[/i] the key to decrypt your data when you want to and at the same time [i]not[/i] have it so that it cannot fall into the wrong hands. If anyone tells you otherwise, they are either misinformed, delusional, or trying to sell you something. That's why it is so important you use a strong password and guard it well.[/b] ;)



    [quote]

    This is a deal breaker to me. I can't put my eggs all in one basket when the attack vector isn't insanely unreasonable to compromise it all.



    Thank you for clearing this up for me.

    [/quote]



    Absolutely! Thanks so much for clarifying what you meant. I guess we just view things differently. Having my data secure does me no good if I can't get to it when I need to (by having the decryption key, etc.), but, by the same token, this means that someone else can get that same key, password, or token as well. It's just a matter of knowing the risks and minimizing them as much as possible. :)
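    As an added illustration of the point jpgoldberg (no trusted server to talk to, so single-use codes don't fit a purely local design) and brenty (whoever holds the data and the key holds everything) make above, here is example code written for this page, not 1Password's or LastPass's code: an HOTP/TOTP generator per RFC 4226/6238, the scheme Google Authenticator uses, plus a hypothetical `LocalVault` that checks a master password and a TOTP code. Because the vault itself has to verify the code, the seed must be stored next to the data, so the "data file plus master password" scenario from the thread yields the second factor too; the vault class, its seed and the password are constructed for this example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (the scheme
    Google Authenticator implements)."""
    return hotp(secret, unix_time // step, digits)


class LocalVault:
    """Hypothetical local-only vault (not 1Password's design) requiring a master
    password plus a TOTP code.  With no remote server to consult, the vault must
    verify the code itself, so the seed is stored beside the data file."""

    def __init__(self, master_password: str, totp_seed: bytes):
        self.master_password = master_password
        self.totp_seed = totp_seed  # lives on the same disk as the data

    def unlock(self, password: str, code: str, unix_time: int) -> bool:
        # Accept the current 30 s window and one either side for clock drift.
        password_ok = hmac.compare_digest(password.encode(), self.master_password.encode())
        code_ok = any(
            hmac.compare_digest(code, totp(self.totp_seed, unix_time + 30 * d))
            for d in (-1, 0, 1)
        )
        return password_ok and code_ok


def second_factor_recoverable_locally(vault: LocalVault, password: str, unix_time: int) -> bool:
    """The thread's scenario: the data file (which in this design carries the
    seed) and the master password are both known.  The "something you have" is
    simply regenerated from the stored seed, so it adds nothing over the password."""
    return vault.unlock(password, totp(vault.totp_seed, unix_time), unix_time)


if __name__ == "__main__":
    # Seed is the RFC 4226 test secret; the password is the OP's example value.
    vault = LocalVault("weaksauce", b"12345678901234567890")
    print(totp(vault.totp_seed, 59))                                   # 287082
    print(second_factor_recoverable_locally(vault, "weaksauce", 59))   # True
```

    A hardware token's single-use codes avoid this only because the seed sits on a server the attacker does not hold, which is exactly what a local-only vault lacks.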
    I can see the benefit of the MFA concept of "something you know" with "something you have" in this case. The latter would be physical: a fingerprint (not so good), an iris, or a security dongle cycling passcodes on an LCD display. These physical things would need to be physically stolen, whereas passwords and data could potentially be stolen by anyone in any location with a network connection...



    Regards,

    Mezzanine.
This discussion has been closed.