Anyone using Yubikey on iOS/Mac?

With Apple’s recent iOS Safari/Brave support for WebAuthn/FIDO iPhones can now do 2FA with hardware keys from Yubico. 1Password and other apps already work with the Mac, but I was wondering if anyone is yet using the YubiKey 5Ci which has a Lightning connector and, if so, how well it’s working for you.

I just heard a podcast with Alex Stamos, formerly CSO of Yahoo! and Facebook, and he offhandedly mentioned that he uses this key…

1 Like

I have the 5Ci and it’s pretty good. Unfortunately, the iPad Pro doesn’t support it yet so I have to use a fallback method there. I do have a second Yubikey (USB C only) in our safe just in case, this is connected to my 1Password account too.

1 Like

Ah yes, I read that it doesn’t yet support Apple’s USB-C. Hopefully that will change soon, as I’m looking to get the next iPad Pro revision this year.

Is there any problem with 1P differentiating between which key to use at any given time? So, if you’re logging in to Gmail, for example, can you easily do so on Mac and iOS without 1P getting confused?

I think you are misunderstanding how the Yubikeys work. Basically it is like having an additional password to your account (don’t worry, I mean this is a safe and secure way).

When you go to set up the Yubikey, you register them with the platform you are using for your account. Any service I’ve seen has allowed multiple keys to be registered. Once they are registered, you can use any of them when accessing your account.

So on your Mac, you’d log in with your master password. Then it’ll prompt you for your 2FA using your Yubikey (Or other FIDO compatible security key). It doesn’t care which key is being used as long as the key has previously been registered with the account.

All of that is to say that no, 1Password shouldn’t be confused when using different keys on different devices. It doesn’t “know” per se which key to use, it just knows which keys it should accept, then accepts them indiscriminately.

To that end, if you have multiple security keys, know where each of them is at any given moment. I’d bet that’s why Rose’s spare key is in a locked safe. My spare key is not in a safe, but it is in a locked drawer. (If you do have a backup key, you would also need to register both keys with your services, otherwise the backup key won’t work.)

I use LastPass, so my experience will be specific to that, but I am sure it will extend to 1Password as well.

3 Likes
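The behaviour described in the post above (a service accepts any key registered to the account and rejects one that was never registered), as an added example that is not from the thread or from any product named in it. It is a simplified model: real FIDO/WebAuthn signs more than the bare challenge, and `makeKey`, `Service`, `login` and the `alice` account are hypothetical names.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for a hardware key: a P-256 key pair that signs challenges.
function makeKey(label) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    label,
    credentialId: crypto.randomBytes(16).toString('hex'),
    publicKey, // only this half is ever given to the service
    sign: (challenge) => crypto.sign('sha256', challenge, privateKey),
  };
}

// Hypothetical service side: each account maps credential IDs to public keys.
class Service {
  constructor() { this.accounts = new Map(); }
  register(user, key) {
    if (!this.accounts.has(user)) this.accounts.set(user, new Map());
    this.accounts.get(user).set(key.credentialId, key.publicKey);
  }
  newChallenge() { return crypto.randomBytes(32); } // fresh per login attempt
  verify(user, credentialId, challenge, signature) {
    const creds = this.accounts.get(user);
    const publicKey = creds && creds.get(credentialId);
    if (!publicKey) return false; // key was never registered for this account
    return crypto.verify('sha256', challenge, publicKey, signature);
  }
}

// One login attempt: the service issues a challenge, the key signs it.
function login(service, user, key) {
  const challenge = service.newChallenge();
  return service.verify(user, key.credentialId, challenge, key.sign(challenge));
}

function demo() {
  const service = new Service();
  const daily = makeKey('daily');
  const spare = makeKey('spare');
  const forgotten = makeKey('bought but never registered');
  service.register('alice', daily);
  service.register('alice', spare);
  // A signature captured from an earlier challenge must not pass a later one.
  const oldSig = daily.sign(service.newChallenge());
  const replay = service.verify('alice', daily.credentialId, service.newChallenge(), oldSig);
  return { daily: login(service, 'alice', daily), spare: login(service, 'alice', spare),
           forgotten: login(service, 'alice', forgotten), replay };
}
```
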

I have a USB-C version that I set up with my MacBook. All of the services that use them seem to also support 2FA via “Google Authenticator” (which means you can use that or any compatible app, such as Authy or 1Password.) Most of the time I just use my 2FA codes via 1Password rather than my Yubikey.

The only PITA is that Google always defaults to looking for the Yubikey and takes a full minute or two to timeout and ask if you want to use another method. Minor annoyance, but worth noting.

Pro 1Password Tip

You can set up 1Password to keep your 2FA codes, but where do you store the 2FA code for your 1Password.com account?

(Besides using a Yubikey, of course.)

Answer: Authy! That way if anyone manages to figure out your Master Password, they’ll still need to access your Authy account before they can get into your 1Password information.

3 Likes

I keep my LastPass 2FA inside of LastPass. My reasoning is that in order to get through the 2FA, they would already need to be in my account.

Of course, LastPass only falls back onto a code-based 2FA (when using a FIDO key) when you are trying to log in on a mobile device.

I just finished reading a long-ago-saved article about security keys. I went through it fairly quickly (meaning I didn’t study it thoroughly enough to understand it deeply), and then I came here to get an idea of how widely MPU people have adopted them. Judging from the number of responses to this post, I’d have to conclude that the answer is “Not very (widely)”.

I’ll be honest, I don’t use 2FA unless it’s required (e.g. AppleID), even though I know I should. Partly it’s the added friction that 2FA incurs, and partly it’s because I have to keep things reasonably simple for other family members.

So my question is: How many MPU’ers use 2FA widely and what device do you use for the second factor? I’m mostly curious about the machines you use at home.

I use it almost everywhere I can, mostly because 1Password makes it so easy by copying the 2FA code to the clipboard when you auto-fill the password.

I don’t use it on some places where the risk/value seems extremely low. For example, I think Grammarly offers 2FA, but I can’t figure out what bad thing would happen if someone figured out my 60+ character 1Password-generated password and managed to access my Grammarly account. I guess they could proof-read things?

The only exception to my 1Password use for 2FA is 1Password itself, for obvious reasons. I keep that in Authy, so even if someone tried to access my 1Password account, they wouldn’t be able to without the 2FA code.

As far as the Yubikeys go… I have a couple, but I rarely use them. Mostly I consider them a safety net, but I don’t think they’re all that practical. Maybe that will change over time.

1 Like

So, one of the things in the article I read was that you should use different sources for passwords and 2FA codes. Intuitively this makes sense, I think, but I wonder if it’s overkill.

I think so. At any rate it’s been discussed many times before here, perhaps most recently here.

1 Like