Passkeys, multiple devices and having no biometric reader

Hi,

This is perhaps a stupid question... but I have read your blogs about passkeys and still can't really understand how this scenario works.
Let's say I register on an app on my iPhone. I select passkey as login method when registering. Since it's an iPhone, I would use FaceID. I would then store the passkey in my 1P account as a login item.

If that app also has a website and I want to log in to that website on my computer (Windows PC). I have 1P installed on the computer. How do I authenticate? Will I be required to pick up my phone and use FaceID every time I want to log in to one of those websites since that's what I used when creating the passkeys?

And likewise in reverse. Let's say I register on a website on my Windows PC (e.g. 1P community forums) and choose passkey as login. I don't have a biometric reader nor camera on my PC (stationary PC) so I'd use Windows Hello PIN I guess? If I then want to log in to that website on my iPhone when I'm out and about, do I need to authenticate via Windows Hello PIN?

I'm a software developer so I understand the concept about public/private keys, I use them a lot with SSH, etc. I just don't understand how the biometric part comes into play and how that would work if you're on a device with no biometric reader available.

As a kicker question, if I were to convert my 1P master password to passkey, how would I sign into my 1P app at all on my Windows PC where I have no biometric reader/camera?

I hope I was able to explain my question XD



Comments

  • GreyM1P

    Hi there @Quexx

    Any passkeys that you store in 1Password will be available whenever you unlock 1Password, just like your passwords are right now. You can use biometrics to unlock 1Password where those are supported.

    I'll come to some other points below:

    > If that app also has a website and I want to log in to that website on my computer (Windows PC). I have 1P installed on the computer. How do I authenticate?

    Based on the above, you'd unlock 1Password like you do now (if needed), and that passkey would be used automatically to sign in on the website.

    > Let's say I register on a website on my Windows PC (e.g. 1P community forums) and choose passkey as login. I don't have a biometric reader nor camera on my PC (stationary PC) so I'd use Windows Hello PIN I guess?

    If 1Password is unlocked, then you wouldn't have to do anything. If it was locked, you'd need to unlock it first in the same way as you do at the moment. Essentially, saving a passkey in 1Password will work exactly the same as saving a password.

    > If I then want to log in to that website on my iPhone when I'm out and about, do I need to authenticate via Windows Hello PIN?

    You'd unlock 1Password in the usual way.

    > As a kicker question, if I were to convert my 1P master password to passkey, how would I sign into my 1P app at all on my Windows PC where I have no biometric reader/camera?

    If you had a valid passkey to unlock your 1Password account stored on your Windows PC, you'd need to use your Windows password or PIN to authorise its use. However, this wouldn't be part of 1Password, and would be something managed by Windows in that case.

    Similarly, if you had a passkey to unlock 1Password on your iOS device, that would be authenticated using Face ID, Touch ID, or your device's passcode, because that passkey would be provided by iOS, not 1Password.

    The short version of the above is:

    • To save or use a passkey stored in 1Password, you unlock 1Password in the same way as you do now.
    • To save or use a passkey outside 1Password (including any passkeys you set up to unlock 1Password), you'll use your device's biometrics or password.

    ☞ Note that unlocking 1Password itself with a passkey isn't yet available, and is coming later in the year.

    I hope that answers your question fully, but please do let me know if I can be of any further help. :)

    — Grey

  • Quexx

    Thank you Grey, I think that answers my questions!
    So basically, the biometric part is not tied to the passkey at all, really. It's just used to unlock the password manager (1P, iCloud, etc) where your passkey is stored, but the actual passkey itself is just a regular public/secret key, similar to for instance SSH?

    That makes the concept much easier to understand, haha. I was always wondering how the biometric was tied to the passkey but now I know :)

    It will be interesting to see what happens when "everything" is unlocked with passkeys. E.g. if unlocking 1P is done via passkey, that passkey could for instance be stored on my iCloud keychain (which would require me to scan the QR code with my phone if I'm logging into 1P on my PC). But what if the entire Apple ID is logged in via passkey, where would that be stored?

    Problem for another day I guess! Thanks for the reply, Grey! :)
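
What the exchange above arrives at, as an added example that is not part of the original discussion and not 1Password's code: the website verifies a signature from the same key pair whichever device sends it, and the local unlock method reaches it only as the user-verified (UV) flag. The function names and the `example.test` relying party are hypothetical, and the sketch is simplified to ES256 with a zero sign counter and no attestation.

```javascript
// Added example with constructed values; not 1Password's, Apple's or Microsoft's code.
const nodeCrypto = require('crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Registration: the passkey provider creates a key pair; the site keeps only publicKey.
const createPasskey = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Provider side (vault or OS). However the user unlocked it (Face ID, Windows
// Hello PIN, account password), the site only ever sees the UV flag bit.
function signAssertion(privateKey, rpId, challenge, userVerified) {
  const flags = 0x01 | (userVerified ? 0x04 : 0x00); // bit 0 = UP, bit 2 = UV
  // authenticatorData = SHA-256(rpId) || flags || 4-byte signCount (0 here)
  const authData = Buffer.concat([sha256(rpId), Buffer.from([flags]), Buffer.alloc(4)]);
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: `https://${rpId}`,
  }));
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { authData, clientDataJSON, signature: nodeCrypto.sign('sha256', signed, privateKey) };
}

// Website side: check challenge, origin, RP ID hash and flags, then the signature.
function verifyAssertion(publicKey, rpId, challenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return false;
  if (client.challenge !== challenge.toString('base64url')) return false;
  if (client.origin !== `https://${rpId}`) return false;
  if (!a.authData.subarray(0, 32).equals(sha256(rpId))) return false;
  const flags = a.authData[32];
  if ((flags & 0x01) === 0 || (flags & 0x04) === 0) return false; // require UP and UV
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, a.signature);
}

// One synced passkey used from two devices with different local unlock methods.
function demo() {
  const rpId = 'example.test'; // placeholder relying party
  const { publicKey, privateKey } = createPasskey();
  const login = (verified, issued = nodeCrypto.randomBytes(32), expected = issued) =>
    verifyAssertion(publicKey, rpId, expected, signAssertion(privateKey, rpId, issued, verified));
  return {
    phoneFaceId: login(true),   // vault unlocked with Face ID
    pcPin: login(true),         // vault unlocked with a PIN or password
    noUserVerification: login(false),
    staleChallenge: login(true, nodeCrypto.randomBytes(32), nodeCrypto.randomBytes(32)),
  };
}
console.log(demo());
```

The two successful logins are indistinguishable to the site; an assertion without the UV flag, or one signed over a challenge the site did not issue for that login, is rejected.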

  • GreyM1P

    @Quexx

    You're welcome! If you have any questions, send them our way. :)

  • B1948J

    Sorry, I still don't see how this is any more secure than using a seriously secure master password in 1P. It seems to me that anyone who can figure out my 4-digit PIN on my phone or Windows computer could then access all my 1P accounts with impunity. Using Face ID or fingerprint biometrics just isn't far enough along as a technology. Sure, facial identification works great on TV or for the CIA but a tiny thing like wearing sunglasses completely baffles my Samsung phone. And a damp finger will never unlock anything where the original finger was dry. So, if my master password to 1P is 6Hvpq9#x.R4r (it's not), I change it every 3 months and all my other passwords are all different, random 20-character combinations, how are passkeys superior to this?

This discussion has been closed.