Comments
Dear Markus,
Thank you for your post.
The support of Yubikey for 2FA when logging in to the Enterprise Server is already on our roadmap. We plan to implement this functionality with the next major version 18. Unfortunately, we are currently unable to provide a release date for the new version and kindly ask for your understanding.
I support the wish for an additional hardware key (e.g. FIDO2 key), which should be available for all platforms. Referring to the encryption method completely misses the point: the safety of the data itself is not in doubt. To prevent the damage if someone somehow got access to the master key (which on smartphones cannot be such a long phrase), a second method requiring the physical presence of something (FIDO2 key or biometric features) as an ADDITIONAL safety measure would be nice.
Hi Julian,
Sounds good, thanks for the information!
Cheers Markus
Hi Nick,
In Password Depot, your information is encrypted with AES 256-bit, thus an extra level of security or additional encryption is actually not required.
You can read more about this method of encryption here:
https://www.password-depot.de/en/know-how/blowfish-and-rijndael.htm
I am revisiting this issue following a request to give feedback on Password Depot and features we would like. Personally I would like the ability to have a physical device such as the Google Titan or Yubikey as another level of security.
As I understand it, I can add 2-Factor Authentication by generating a key file. Where this file is stored is not covered in the manual from what I can see. Presumably, it will be stored on the device itself, a USB stick or in the cloud? Could you please clarify?
I am thinking that having a physical key on your person would be safer for cases, say, where a laptop got stolen and the key file may become accessible. Yes, you would still have to bypass the master password.
However, I see from a previous question this type of hardware key is not compatible because this device is intended for authenticating users on a server and not for encrypting data. Since you do not store any data on your servers, you cannot use this technology. Please confirm.
Hi Nick!
Regarding Yubikey and similar hardware, there is no possibility of integrating such hardware into our already existing encryption. In addition to that, this will not improve the security which is already given in Password Depot.
Thus, the explanation in our knowledgebase is still valid:
"Does Password Depot support Yubikey?"
"No, because this device is intended for authenticating users on a server and not for encrypting data. Since we do not store any data on our servers, we cannot use this technology."
For locally stored databases or databases which are stored in the cloud, you can use 2-Factor Authentication by encrypting your file with a master password and key file. In this case, the key file does not have to be stored on the local system, for example, your computer, but you can also store it on a USB drive or you can use another cloud service for storing this external key file. You just need to make sure that this key file is always available during authentication; otherwise, you cannot open your database.
Besides, even when using 2-Factor Authentication for your local file, we recommend creating a strong and secure master password, too. Additionally using a key file for encryption does not mean that the master password should be weak or easy to guess.
Is there anything in the roadmap for the future regarding YubiKey?
Dear Martin,
Thank you for your request!
We think that referring to the encryption method actually does not miss the point since encryption with AES 256-bit is encryption of high standard. In addition to that, it is also possible to encrypt databases with 2-Factor Authentication, that is, for locally stored databases, encryption with master password and key file. In this case, access to the database is only authorized when both master password and key file are correct. This feature is already available for our Windows, macOS and Android editions and will also be available for iOS soon. However, we appreciate your feedback and will forward your request to our product marketing for further discussion!
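
Added example (not part of the thread and not Password Depot's actual implementation): a generic sketch of how a database key can depend on both a master password and a key file, so that either factor alone fails to unlock, as the replies above describe. The PBKDF2 work factor, the header layout and every name in the code are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor, not a product setting

def derive_key(master_password: str, key_file: bytes, salt: bytes) -> bytes:
    """Derive a 256-bit key that depends on BOTH password and key file."""
    # Stretch the (possibly short) master password with a salted, slow KDF.
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS, dklen=32)
    # Reduce a key file of any size to a fixed 32-byte digest.
    kf_digest = hashlib.sha256(key_file).digest()
    # Mix both factors: changing either one yields an unrelated key.
    return hmac.new(pw_key, b"composite-v1" + kf_digest, hashlib.sha256).digest()

def _check_value(key: bytes) -> bytes:
    # Stored in the header so a wrong key is detected without decrypting.
    return hmac.new(key, b"key-check", hashlib.sha256).digest()

def make_header(master_password: str, key_file: bytes) -> dict:
    """Create the (non-secret) header stored next to the encrypted database."""
    salt = os.urandom(16)
    key = derive_key(master_password, key_file, salt)
    return {"salt": salt, "check": _check_value(key)}

def unlock(header: dict, master_password: str, key_file: bytes):
    """Return the database key, or None unless both factors are correct."""
    key = derive_key(master_password, key_file, header["salt"])
    if hmac.compare_digest(_check_value(key), header["check"]):
        return key
    return None

# Constructed sample inputs (not real credentials).
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_KEY_FILE = bytes(range(64))      # stands in for a random key file
OTHER_KEY_FILE = bytes(range(1, 65))    # a different file of the same size

if __name__ == "__main__":
    hdr = make_header(SAMPLE_PASSWORD, SAMPLE_KEY_FILE)
    print("both correct :", unlock(hdr, SAMPLE_PASSWORD, SAMPLE_KEY_FILE) is not None)
    print("wrong keyfile:", unlock(hdr, SAMPLE_PASSWORD, OTHER_KEY_FILE) is not None)
    print("wrong passwd :", unlock(hdr, "guess", SAMPLE_KEY_FILE) is not None)
```

In a scheme like this the key file is static bytes, so anyone who copies it holds that factor; keeping it off the device that stores the database is what makes it a second factor in practice.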