
1Password has announced plans to add support for PIN-protected YubiKeys in its desktop applications after a customer identified a limitation that prevented certain hardware security key configurations from working.
The company says the feature will arrive in an upcoming beta release for macOS and Windows, with stable availability expected in early July.
The announcement was made by Jason Meller, Vice President of Product at 1Password, in response to a public discussion initiated by security researcher and entrepreneur Pablo Sabbatella. Earlier this month, Sabbatella criticized the password manager's handling of a security-related report, claiming it took more than 100 days for the company to address the issue and that the report was not accepted under its bug bounty program.
Although Sabbatella clarified that the issue did not expose user credentials, vault contents, or customer data, he argued that it affected a security feature important for organizations with stricter security requirements. According to his posts on X, he had also identified the root cause and suggested a solution after initial troubleshooting efforts failed to resolve the problem.
In his response, Meller explained that 1Password's browser-based application already supports YubiKeys that require a PIN, but the company's desktop applications do not currently support that configuration. As a result, users attempting to authenticate with a PIN-protected YubiKey on desktop platforms could encounter issues and might be instructed to disable the PIN requirement in order to proceed.
YubiKeys, developed by security company Yubico, are hardware authentication devices commonly used as a second factor for account protection. Many organizations require a PIN in addition to physical possession of the security key, creating a stronger authentication model that protects against unauthorized use if a key is lost or stolen.
1Password is one of the largest password management providers, serving individuals, businesses, and enterprise customers with password storage, credential management, and multi-factor authentication capabilities.
According to Meller, the inability to use PIN-protected YubiKeys on desktop clients was not considered an intentional design decision and is now being treated as a product issue requiring a fix. He acknowledged that instructing users to remove PIN protection from a hardware token represented an undesirable security outcome, particularly for organizations operating under more stringent threat models.
Meller stated that while 1Password's team was initially focused on troubleshooting a compatibility problem, Sabbatella's discovery that the PIN requirement was triggering the issue enabled engineers to pinpoint the underlying limitation and accelerate development of a solution.
The company now plans to introduce YubiKey PIN support in the next beta release of its desktop applications for macOS and Windows within the coming weeks. A stable release is expected to follow in early July if testing proceeds as planned.






