Protect 1Password accounts by enforcing security key 2FA at work

One of the strongest forms of 2FA is a FIDO2/WebAuthn hardware security key, like a YubiKey. That’s a small USB dongle that you plug in to your device, or tap via NFC, to authenticate who you are.

We recently introduced the option for 1Password Business admins to enforce this type of 2FA inside their organizations. Once enabled, all team members will be required to use a physical security key when they first sign in on a new device at work.

1Password is the only major password manager that gives you the choice to enforce FIDO2/WebAuthn hardware security keys in this way.

We understand that the strength of your security matters. That’s why we’re giving you the choice to level up your digital defenses by ensuring your team is using the strongest possible form of 2FA with 1Password.

“YubiKeys provide an extra layer of protection for your 1Password account,” said Derek Hanson, vice president, solutions architecture and alliances, Yubico. “With phishing-resistant YubiKeys, our customers receive the highest level of hardware-based security and a great user experience for those who want to use the same security key across services, browsers and applications.”

The advantages of hardware security keys

2FA is designed to prove that you or someone you trust – and not a criminal – is trying to access or sign in to something.

There are many different ways to use 2FA, most of which revolve around special one-time codes:

• SMS
• Automated phone calls
• Email
• Dedicated 2FA apps like Authy

Security keys are a particularly strong form of 2FA for two reasons. First, it’s resistant to phishing. An attacker could send a fake but seemingly legitimate email asking you or another team member for a TOTP, or a 2FA backup code. A FIDO2/WebAuthn security key, meanwhile, only works with the owner’s chosen (and legitimate) websites and apps.

Second, hardware security keys are a possession factor, which means that authentication is tied to a physical object. It’s highly unlikely a criminal will target you (or one of your co-workers) specifically, and then travel to your location and try to steal your key. The process is simply too expensive and time consuming.

Instead, criminals are more likely to try other tactics, like phishing, that can target many people at once and be initiated remotely.

Security keys are also a small step toward a passwordless future. They eliminate one-time codes, which is one less piece of information that you and your co-workers have to copy or type out.

Hardware security keys & 1Password

1Password supports all FIDO2/WebAuthn security keys, including those made by Yubico.

Enforcing security keys eliminates TOTPs from the process of signing in to 1Password, while strengthening your overall security by combating phishing attacks, which are increasing in frequency and sophistication.

Once enabled, this requirement will cover all the 1Password apps that your team uses for work, including 1Password 8 for Mac, Windows, and Linux.

How to get started

To enforce hardware security keys at your organization:

• Sign in to your account on 1Password.com.
• Select ‘Security’ in the sidebar, followed by ‘Two-factor authentication’.
• Select the ‘Security Key’ toggle, while leaving the ‘Authenticator App’ and ‘Duo’ options turned off.
• Ensure the ‘Enforce two-factor authentication’ option is turned on.

Your co-workers will then need to add their security keys the next time they sign in or unlock 1Password.

Secure your secrets

Strengthen your security by enforcing FIDO2/WebAuthn keys in your organization. It will safeguard your team’s data and give you peace of mind, allowing you to focus on other tasks at work. You’ll also be helping your co-workers develop good security habits inside and outside the office – a crucial step toward building a strong culture of security.

Jasper Patterson

Web Developer