Original post:

As I understand it, the master password + secret key are used for decrypting the password vault on the client. For this reason, it makes sense that Touch ID and Windows Hello can be used as alternatives, since they leverage onboard encryption through TPMs to protect secrets. I assume that the master password is cached in encrypted form and recovered after biometric/PIN-based authentication. 1P just integrates with this platform function in order to avoid having the user type in their password.

It should be possible to integrate YubiKeys the same way, especially for YubiKeys that have the PIV applet. The only complication could be support for multiple YubiKeys, but this is not a new problem, and the usual solution is to have a symmetric key protecting the master secret and then have that symmetric key wrapped with as many asymmetric keys as necessary to support multiple tokens.

This would be so useful! Is this something that 1Password is working on, or has on their roadmap? Alternatively, is there a way to implement this functionality through an exposed/public API?

Reply:

This is definitely something that I've seen requested before, but unfortunately, it's a complex topic.

First, I should note that 1Password's security is based around encryption, not authentication. Given the way that 1Password works, it's not (currently) feasible to achieve this while maintaining a good experience all the way through, as is the goal of 1Password at a fundamental level.

At a technical level, most FIDO2 implementations only allow you to generate signatures, not decrypt data. The FIDO2 standard is based only on authentication, and as a result, it can't be used to decrypt your vault.
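The key-wrapping layout the original post describes (a random symmetric key protecting the vault key, that symmetric key wrapped once per token under an asymmetric key), as an added example that is not code from the thread and not 1Password's implementation. It assumes RSA-OAEP as the PIV-style "decrypt with the on-token private key" operation and AES-256-GCM as the symmetric wrap; the Token, Escrow, NewEscrow, Enroll, KEK and Unlock names are hypothetical, the vault key is a constructed stand-in, and the token's private key is held in software only so that the example runs without hardware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Token stands in for a hardware token's key-management slot. A real token
// exports only its public key; the private half is held here to run in software.
type Token struct {
	Label string
	priv  *rsa.PrivateKey
}

func NewToken(label string) *Token {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // broken RNG: nothing sensible to continue with
	}
	return &Token{Label: label, priv: priv}
}

// Escrow is the on-disk state: the vault key sealed under a random symmetric
// KEK, plus that KEK wrapped once per enrolled token. The KEK is never stored.
type Escrow struct {
	Nonce, SealedVaultKey []byte            // AES-256-GCM(KEK, vault key)
	WrappedKEKs           map[string][]byte // token label -> RSA-OAEP(pub, KEK)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewEscrow seals vaultKey under a fresh KEK and wraps the KEK to the first token.
func NewEscrow(vaultKey []byte, first *Token) (*Escrow, error) {
	buf := make([]byte, 32+12) // 256-bit KEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	kek, nonce := buf[:32], buf[32:]
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	e := &Escrow{Nonce: nonce, WrappedKEKs: map[string][]byte{}}
	e.SealedVaultKey = aead.Seal(nil, nonce, vaultKey, nil)
	return e, e.Enroll(kek, first)
}

// Enroll wraps the KEK to one more token, reading only its label and public
// key. The sealed vault key is untouched, so tokens can be added at any time.
func (e *Escrow) Enroll(kek []byte, t *Token) error {
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &t.priv.PublicKey, kek, nil)
	if err != nil {
		return err
	}
	e.WrappedKEKs[t.Label] = w
	return nil
}

// KEK recovers the key-encryption key with whichever enrolled token is present.
// Private-key decryption is all the token must do (a signing-only one cannot).
func (e *Escrow) KEK(t *Token) ([]byte, error) {
	w, ok := e.WrappedKEKs[t.Label]
	if !ok {
		return nil, fmt.Errorf("token %q is not enrolled", t.Label)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, w, nil)
}

// Unlock returns the vault key; the master password is never typed.
func (e *Escrow) Unlock(t *Token) ([]byte, error) {
	kek, err := e.KEK(t)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, e.Nonce, e.SealedVaultKey, nil)
}

func main() {
	a, b := NewToken("yubikey-a"), NewToken("yubikey-b")
	e, _ := NewEscrow([]byte("constructed 32-byte vault key!!!"), a) // stand-in key
	kek, _ := e.KEK(a) // an already-enrolled token authorises adding b
	_ = e.Enroll(kek, b)
	got, err := e.Unlock(b)
	fmt.Printf("%s %v\n", got, err)
}
```

Two practical notes on this layout. Adding a token never rewrites the sealed vault key, but removing one should: deleting a wrapped copy from the file leaves any earlier copy of the file openable with the revoked token, so a real implementation would recover the vault key with a remaining token, generate a new KEK, re-seal, and re-wrap for the tokens that stay. And the scheme hinges entirely on the unwrap step in KEK: it needs a token that will decrypt a blob with a private key it holds, which is exactly the operation the reply says a signature-only FIDO2 authenticator does not offer.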