To protect your privacy: email us with billing or account questions instead of posting here.

Passkey and the privacy implications

darkmar
darkmar
Community Member
edited March 2023 in Memberships

I am a new user of 1password, and for the most parts, it seems to have the right goals concerning privacy and its design of being no knowledge. That is why the new passkey announcement seems weird, and I can't seem to understand the reasoning behind it.

I AM NOT A LAWYER This is just my understanding from research.

Using a passkey as the main way to unlock your 1password account makes the security of that device and how it handles those keys the entire, complete security of everything in your digital life. From a technical perspective, we are being asked that whatever phone manufacturer we are using has not made any errors in the implementation on the passkey. If there is a bug, they will update before an exploit. We know that this is a very tall ask, and the main reason is that we like the security key solution from 1password.

Besides Technical, there are the real world and legal. I have thought of a few cases where passkey would expose all the vaults.

  1. Travel: there are customs where it is required to provide unlocked devices and biometric unlocking. 1password has travel mode for this reason, but if your phone is the passkey to the account, order agents can go to the website, unlock your full vault, and get every login.
  2. court orders: It is my understanding that passwords have been considered protected under the 5th amendment, but devices and biometrics are not and can be compelled ( https://www.lawfareblog.com/fifth-amendment-decryption-and-biometric-passcodes )

My main concern is that 1password has sold itself as users being able to control and protect our data securely from design, and using passkeys to login into 1passwords is a complete 180. Am I the only one feeling this?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Comments

  • Dave_1P
    edited February 2023

    Hello @darkmar! 👋

    One of my colleagues, who is part of the team leading our passkey efforts, recently responded to a similar thread on Reddit and I'd like to link to his excellent post: mitchchn comments on The risk with passkeys

    Please don't hesitate to let us know if you have any followup questions. 🙂

    -Dave

  • darkmar
    darkmar
    Community Member

    @Dave_1P Thank you. for the response. I have been following that thread, but honestly, one of the most concerning things for me was the quote from Steve Won "... However, our goal is to go passkey-only as soon as possible.” in the verge article https://www.theverge.com/2023/2/9/23592917/1password-passkey-password-account-security-biometric-authentication

  • Tertius3
    Tertius3
    Community Member

    I guess much confusion arises from the black box appearance of passkeys. Nobody understands how passkeys actually work internally, and it's literally nowhere explained in a way common people are able to understand. So they start to assume there's some hidden magic property about this.

    A way to get a basic understanding is that passkeys is keeping a small data blob on the user side and another small data blob on the website's side that's both used to authenticate the user. Not much different to the user having a password and the website storing the corresponding password hash as it is today. The difference is the way these two data blobs are created. They are generated keys in a cryptographical sense. Generated at signing up, and individual for every website. Due to the cryptographic nature, it's impossible to guess the user's data blob even if the website's user database is hacked. And since it's everything generated and not selected by the user, it cannot suffer from some "weak password" syndrome or from password reuse.

    Think of passkeys as "strongest generated password ever". There is more to it, for example the inclusion of biometrics, but that's the general idea.

    A password manager stores the user side small data blobs, one for each account he has. Nothing different to some passwords being saved.

    So going "passwordless" for 1Password, you still need a means to store the passkeys user data blob for your 1Password account somewhere, and you need some app that can actually perform the authentication. There is no way to enter that data blob into an input field like a conventional password - there's some cryptographic operation to perform with this, and you cannot do this manually.

    Common current apps and devices that can act as passkeys authenticator are browsers or FIDO2 security hardware keys. As far as I know, Windows 10+11 has some support for this (not clear to me where the user data is actually stored), and Apple devices as well (keychain or whatever it is called). These have to have an integrated storage for the passkeys user data blobs. To access 1Password, you still need one key outside of 1Password: the key to access 1Password itself. It's like the account password you have today.

  • darkmar
    darkmar
    Community Member

    @Tertius3 Thank you for the answer. We all want to give 1Password the benefit of the doubt, but some big things are left in the open. Right now. I do understand how FIDO2 works and also that, as protocol, it was never really designed to be used for consumers, but they have been trying to make it work. To the point that the protocol does NOT have a way to export keys. Meaning that whatever device/key/software/ecosystem is used to create an initial passkey, that is it. There is no way to migrate to another. This is not the fault of the password. This is the fault of FIDO2. Imagine how much worse this is if this is for the key to your vault.

    These are very important details that @Dave_1P 1Password needs to educate their users.

This discussion has been closed.