Passkey for 1password general questions
I read the new blog about using a passkey to access 1password. I get the thing using 1P as a place to store your passkeys like the passwords before.
But when I use a passkey to access 1P, in my head I'm ending up with a chicken-and-egg problem.
Where does that passkey go that I use for 1P?
- How is it secured? My PC/Mac/iOS login password?
- What happens when I lose my Phone or my Mac? Am I locked out of 1P?
- Is my passkey uploaded somewhere (iCloud keychain)? How is it encrypted?
In the end I again have to remember a password; at the moment this is my 1P Master password and the Secret Key, which I have as a hard copy in a safe place as a backup. In my head this shifts towards my device password, with the risk of losing access due to fire/theft/simple loss/etc. Also my master password can be more secure since I have to input it less often than the device login.
Comments
-
Seems this topic of backing up the passkey hasn't been addressed yet?
0 -
This is how it works if you create that passkey in the Apple ecosystem:
https://support.apple.com/guide/iphone/sign-in-with-passkeys-iphf538ea8d0/ios
0 -
Okay, so I am using iCloud keychain in that case to manage my passkey for accessing 1P for managing my passwords and passkey for my web logins. So I can skip 1P and directly use iCloud keychain because from that moment on my iCloud password is my new 1P Masterpassword+Secretkey. Doesn't sound like a good solution.
0 -
For whatever reason, 1Password users choose the 1Password manager over iCloud Keychain. The 1Password team then decided to use iCloud Keychain as the master password. Why not store all the passwords in iCloud Keychain and get rid of 1Password?
0 -
1Password is a replacement for the iCloud keychain... it wouldn't make sense to store passkeys in iCloud if you're storing them in 1Password. Apple has a support article that describes iCloud passkey recovery if you lose all of your devices, and it looks like it relies on your iCloud username/password and SMS, which doesn't really seem ideal. If an attacker (or an oppressive government) somehow has your iCloud credentials and is able to perform a SIM swap, would they have everything needed to hijack your account?
From what I understand of how all of this works, each of your devices with an enrolled 1Password account would have their own private key linked to the security chip of the device itself. You'd unlock 1Password the same way you unlock your phone or computer: with biometrics, a pin, or a password. But I also question what would happen if all devices were, say, destroyed in a fire. Perhaps it will be possible to use something like a YubiKey that you can keep in a safe?
Hopefully someone at 1Password can share the recovery process if devices are lost/stolen/destroyed (and hopefully they can correct me if I'm wrong in my assumption of how this stuff works!)
edit: also, this is a helpful article regarding passkeys (and I'm guessing this company is the reason 1Password will be able to bring this to market this summer)
0 -
My laptop has three logins: mine, my wife's, and my daughter's. We use fingerprint recognition to log in. However, I've had an instance where I accidentally logged into my daughter's account using my fingerprint.
Passkey is effective if there is no backup authentication method to fall back on.
If a person has lost their fingers due to an accident and they were using fingerprint recognition as the only means of authentication. So what happens next?
Passwords will continue to be used, the implementation of passkeys is a desperate measure.
0 -
Passwords and pins will continue to be used as a backup to biometrics on the devices with 1Password installed, but an attacker would need the physical device in order to gain access to your account. The main benefit of passkeys is they are un-phishable since they need the physical device in order to log in to any passkey-enabled account. This is not desperation, it's almost a requirement for your average user who can easily get fooled by a phishing attempt.
Cloudflare had a similar attack attempt that LastPass had... the difference was all users were using YubiKeys (or something similar), so the attackers were never able to gain access to Cloudflare's system. Passkeys bring the benefit of physical 2fa without needing a separate USB device.
0 -
@Funky_D sure, I am not doubting the security of passkeys. I would use them and store them in 1P. Nothing would change since I also don't know the passwords that are stored in 1P. My problem is just that using a passkey for 1P is kind of counterproductive in my eyes. I would replace my secret key + my very good master password with that passkey and the passkey for 1P would be stored in iCloud keychain. Which would be secured with my iCloud password. Which I consider less secure than the secret key/master password combo and also I can't find a benefit since I still have to memorize a password, it is just a different one.
0 -
Could someone at 1password please explain clearly what recovery/backup method there will be for the recently-announced passkey access to one's 1password account? As others in this thread have pointed out, loss or theft of the device containing the 1password account passkey will be a huge problem unless there is a secure recovery method. Would it be possible, for instance, to back up the 1password account passkey to a Yubikey 5?
0 -
Is 1Password planning to make passkey login to 1Password a replacement for the account password + secret key, or a parallel alternative?
0 -
Has anyone seen the recent WSJ article about how criminals are snooping on people entering their iPhone device passcode and then stealing their phone? I pasted it below. On an iPhone, you can reset the Apple ID password simply by entering the less complex device passcode on the iPhone. The attacker can then permanently lock out the victim from their Apple iCloud account by changing the Apple-ID password, resetting the recovery key, and turning on Apple's new advanced data protection. Besides all the other damage the attacker does with your phone, you are permanently locked out of your Apple iCloud account and you will lose access to all your passkeys stored in it.
0 -
Yes, I have read that.
This is why I don’t want to rely on a single vendor and hope we can have physical security keys as a backup.
0 -
That is just one of the reasons why my hope is that using passkeys to log in to 1Password is optional and not a replacement for the current account password + Secret Key + (optional) hardware security key (e.g., Yubikey).
0 -
I agree with YellowVista.
0 -
They have already announced it as an alternative. You will be able to switch between modes, but you won't be able to have both modes at the same time.
0