Anyone using Yubikey on iOS/Mac?

With Apple’s recent iOS Safari/Brave support for WebAuthn/FIDO iPhones can now do 2FA with hardware keys from Yubico. 1Password and other apps already work with the Mac, but I was wondering if anyone is yet using the YubiKey 5Ci which has a Lightning connector and, if so, how well it’s working for you.

I just heard a podcast with Alex Stamos, formerly CSO of Yahoo! and Facebook, and he offhandedly mentioned that he uses this key…

1 Like

I have the 5Ci and it’s pretty good. Unfortunately, the iPad Pro doesn’t support it yet so I have to use a fallback method there. I do have a second Yubikey (USB C only) in our safe just in case, this is connected to my 1Password account too.

1 Like

Ah yes, I read that it doesn’t yet support Apple’s USB-C. Hopefully that will change soon, as I’m looking to get the next iPad Pro revision this year.

Is there any problem with 1P differentiating between which key to use at any given time? So, if you’re logging in to Gmail, for example, can you easily do so on Mac and iOS without 1P getting confused?

I think you are misunderstanding how the Yubikeys work. Basically it is like having an additional password to your account (don’t worry, I mean this in a safe and secure way).

When you go to set up the Yubikey, you register them with the platform you are using for your account. Any service I’ve seen has allowed multiple keys to be registered. Once they are registered, you can use any of them when accessing your account.

So on your Mac, you’d log in with your master password. Then it’ll prompt you for your 2FA using your Yubikey (Or other FIDO compatible security key). It doesn’t care which key is being used as long as the key has previously been registered with the account.

All of that is to say that no, 1Password shouldn’t be confused when using different keys on different devices. It doesn’t “know” per se which key to use, it just knows which keys it should accept then accepts them indiscriminately.

To that end, if you have multiple security keys, know where each of them is at any given moment. I’d bet that’s why Rose’s spare key is in a locked safe. My spare key is not in a safe, but it is in a locked drawer. (If you do have a backup key, you would also need to register both keys with your services, otherwise the backup key won’t work.)

I use LastPass, so my experience will be specific to that, but I am sure it will extend to 1Password as well.

4 Likes

I have a USB-C version that I set up with my MacBook. All of the services that use them seem to also support 2FA via “Google Authenticator” (which means you can use that or any compatible app, such as Authy or 1Password.) Most of the time I just use my 2FA codes via 1Password rather than my Yubikey.

The only PITA is that Google always defaults to looking for the Yubikey and takes a full minute or two to timeout and ask if you want to use another method. Minor annoyance, but worth noting.

Pro 1Password Tip

You can set up 1Password to keep your 2FA codes, but where do you store the 2FA code for your 1Password.com account?

(Besides using a Yubikey, of course.)

Answer: Authy! That way if anyone manages to figure out your Master Password, they’ll still need to access your Authy account before they can get into your 1Password information.

3 Likes
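The "Google Authenticator"-compatible codes discussed above are TOTP (RFC 6238): the code depends only on a shared seed and the current time, so any app holding the seed produces the same code. The sketch below is an added example, not part of the original posts; the seed is the RFC 6238 test key and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(seed_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 seed, as carried in enrolment QR codes."""
    s = seed_b32.upper().replace(" ", "")
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(seed_b32, code, at=None, step=30, window=1):
    """Service side: accept the current time step plus/minus `window` steps of clock drift."""
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(seed_b32, now + i * step, step, len(code)), code)
        for i in range(-window, window + 1)
    )


# Constructed sample seed: base32 of the RFC 6238 test key, not a real account secret.
SEED = base64.b32encode(b"12345678901234567890").decode()


def demo():
    t = 1111111109  # timestamp taken from the RFC 6238 test vectors
    in_password_manager = totp(SEED, at=t)  # seed stored next to the password
    in_separate_app = totp(SEED, at=t)      # same seed enrolled in another authenticator
    return in_password_manager, in_separate_app


if __name__ == "__main__":
    print(demo())
```

Because both copies of the seed yield the same code, where the seed is stored decides who can produce the second factor; a hardware key differs in that its secret never leaves the device.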

I keep my Lastpass 2fa inside of Lastpass. My reasoning is that in order to get through the 2fa, they would already need to be in my account.

Of course, Lastpass only falls back onto a code based 2fa (when using a FIDO key) when you are trying to log in on a mobile device.

I just finished reading a long-ago-saved article about security keys. I went through it fairly quickly (meaning I didn’t study it thoroughly enough to understand it deeply), and then I came here to get an idea of how widely MPU people have adopted them. Judging from the number of responses to this post, I’d have to conclude that the answer is “Not very (widely)”.

I’ll be honest, I don’t use 2FA unless it’s required (e.g. AppleID), even though I know I should. Partly it’s the added friction that 2FA incurs, and partly it’s because I have to keep things reasonably simple for other family members.

So my question is: How many MPU’ers use 2FA widely and what device do you use for the second factor? I’m mostly curious about the machines you use at home.

I use it almost everywhere I can, mostly because 1Password makes it so easy by copying the 2FA code to the clipboard when you auto-fill the password.

I don’t use it on some places where the risk/value seems extremely low. For example, I think Grammarly offers 2FA, but I can’t figure out what bad thing would happen if someone figured out my 60+ character 1Password-generated password and managed to access my Grammarly account. I guess they could proof-read things?

The only exception to my 1Password use for 2FA is 1Password itself, for obvious reasons. I keep that in Authy, so even if someone tried to access my 1Password account, they wouldn’t be able to without the 2FA code.

As far as the Yubikeys go… I have a couple, but I rarely use them. Mostly I consider them a safety net, but I don’t think they’re all that practical. Maybe that will change over time.

1 Like

So, one of the things in the article I read was that you should use different sources for passwords and 2FA codes. Intuitively this makes sense, I think, but I wonder if it’s overkill.

I think so. At any rate it’s been discussed many times before here, perhaps most recently here.

1 Like

Reviving an old thread 🙂

Does one need to leave the Yubikey plugged in all the time to use 1Password or only to create the account during the setup?

Same question for iOS: is it only needed once during the setup of 1Password, or do I need to use it every time I want to open 1Password?

Only to sign in for the first time*

*Depending on the browser extension you use, you may need it to sign in to the main app and each browser extension for the first time.

I am particularly interested in the implementation with 1Password.

In order to use 1Password, do I need to have it plugged in all the time or only during the first setup?

You only need to use the key when you’re signing into your 1Password account on a new device/app/extension, not every time you unlock the app thereafter.

You can find out more about the integration on the support site:

https://support.1password.com/security-key/

My reply was only in regards to 1Password 🙂

The first time you log into your 1Password account in the application you need your key.
If you use the non-classic browser extension then you will need the key to sign into each browser.

Hope that clarifies things for you.

It’s also worth mentioning that Yubikey is, in almost all cases, an option for 2FA.

For example, when logging into Dropbox or Fastmail or 1Password, etc., I can either use a 2FA code (from Authy or 1Password or Google Authenticator) or I can use my Yubikey as my 2FA.

So if you don’t have your Yubikey with you, it doesn’t mean that you are going to be locked out of your account.

I am using 1Password and the built-in 2FA / OTP generator wherever possible.

Therefore the 1Password vaults have become extremely important to secure. After all, they hold the passwords and the 2FA/OTP…

Initially I made the mistake of using 1Password to generate the 2FA to unlock the account, but that can lead to a catch-22 situation in case you get locked out of all devices with 1Password up and running to generate the code to get started in the first place.

The recommended solution is to use a different application to generate the code. But the Yubikey is a much more secure solution.

Main concern is on iOS where it would be impractical to have to use the key every time to unlock 1Password.

So if I only need it when logging into the 1Password admin website or have to set up 1Password on a new device I will go for it.

Please confirm if I have this correct.

Correct.

You only need the Yubikey (or any 2FA code) the first time you are setting up a new device (unless you specifically tell the service not to remember the device you are logging in with).

So you should be fine.

However, I would recommend that you have two Yubikeys (because “one is none”) in case one is lost, stolen, damaged, and set up both keys with your 1Password account.

Have one be your “every day use” and put the other one in a secure location, maybe even at a family member’s house or somewhere that wouldn’t be lost in a fire, flood, etc.

FWIW - I use 1Password for all of my 2FA codes except for 1Password itself. I use Authy for my 1Password 2FA code… and Authy is itself protected by a long, secure password which is in 1Password. My thinking is that I am extremely unlikely to ever lose all of my 1Password-enabled devices and need to log in to a new 1Password device on the same day. (And, of course, I have my Yubikeys as well.)

1 Like