
will passkeys be as secure

9elsen, Community Member, edited September 2023 in Memberships

I understand that passkeys are more secure than passwords; however, they are also the only thing you will need to log in.
With that in mind, is it a good idea to use them for protecting the 1Password vault, which would leave the keys available to Apple, Microsoft or Google (e.g. Apple Keychain)? I understand it would require some request before they would provide your data to a third party, but they can, because their vaults are not truly end-to-end encrypted.
Have I overlooked something, or is this not less secure compared to what is offered today with a security key and a personal password?



Comments

  • Hello @9elsen! 👋

    Good questions! We want to make security simple and convenient. Passkeys are a great solution for the challenges we see with passwords. Unlike passwords, you can’t create a weak passkey. Passkeys are generated by your device using a public-private key pair, which makes them strong and unique by default. Passkeys can’t be phished like a traditional password because the underlying private key never leaves your device – this also makes them resistant to social engineering scams.

    With that in mind, is it a good idea to use them for protecting the 1password vault, which would leave the keys available to Apple, Microsoft or Google (e.g. Apple key chain). I understand it would require some request before they would provide your data to a third party, but they can, because their vaults are not truly end-to-end encrypted.

    Since the post is in the iOS beta forum I'll speak to Apple: iCloud Keychain is indeed end-to-end encrypted. Only you hold the private key that can decrypt the data stored there and Apple isn't able to access any passkeys stored in the iCloud Keychain. You can find a list of items that are end-to-end encrypted on Apple's devices and services here: iCloud data security overview - Apple Support (CA)

    This means that, if you choose to use a passkey to unlock 1Password in the future, you'll be able to store that passkey in iCloud Keychain and know that only you can access it. If you'd like to know more then we have a Frequently Asked Questions page here: Passkeys: Frequently Asked Questions (FAQs)

    You can also continue to use your account password and Secret Key instead if that is your preference. 🙂

    -Dave

  • 9elsen, Community Member, edited August 2023

    iCloud Keychain is indeed end-to-end encrypted.

    Thanks @Dave_1P for linking me to the documentation, it can sometimes be hard to find.
    I see that passwords and the keychain are among the data types that have end-to-end encryption, which makes it an easy choice on the Apple ecosystem.

  • @9elsen

    I'm happy to help, let me know if you have any other questions.

    -Dave

  • Zaka7, Community Member

    So, in my opinion, as a security geek and someone trying to get people more secure online (which includes almost forcing everyone I know to use 1Password), passkeys are great. Everything about them is 100x better in terms of ease of use, phishing resistance and security.

    Now, whilst I think that for all my accounts, the thing I personally cannot comprehend is why it would be beneficial to use a passkey for 1Password itself. In my opinion this is less practical / secure than having a traditional password and hardware security key set up alongside the Secret Key, as I do now.

    It also makes any data legacy setups potentially more difficult if devices perish with you (morbid, I know).

    The other reason I think this is that it's almost certain the device I and many others would use to store said passkey would be an Apple device. Now, my Apple device details are stored within 1Password. Isn't this like putting the keys to the safe inside a locked safe? I just can't get my head around it, so am basically looking for others' opinions on this one :) Not to mention that a passkey can be viewed with a device passcode, so if you use a basic device passcode (which I hope you don't), the passkey really isn't anywhere near as well protected as the Security Key + Secret Key + Master Password combo.

    For these reasons, it is my opinion that whilst passkeys are the future, and I will enable them on everything I possibly can (and store them in 1Password), that will NOT extend to 1Password itself, for me at least. I believe the traditional offering to be the reason I joined this service in the first place, and for it to still be the most secure.

  • 9elsen, Community Member, edited September 2023

    It is hard or impossible to avoid needing to type the master password every now and then - easy for me, but a roadblock for e.g. my parents. I hope passkeys for unlock will smooth out that hurdle totally.
    Generally I see that people do not understand passwords, and that is the reason to “un-invent” passwords; it can only happen too slowly.

  • Hello Community,

    @Zaka7, thank you for sharing your insightful perspective on passkeys and their application to 1Password. Your thoughts reflect a deep understanding of security dynamics and the diverse needs of our user base.

    You're right; there's an inherent security comfort in the traditional account password, Secret Key, and hardware security key combination. It’s robust and has been a trusted framework for many. Passkeys introduce a different paradigm, focusing on making authentication simpler and phishing-resistant, which is crucial in the current cyber landscape.

    However, the use of passkeys for 1Password isn't a one-size-fits-all solution. Its suitability depends on individual preferences and threat models. We always advocate for what makes our users feel most secure. For those like you, who find solace in our traditional security model, that option remains available and supported.

    Regarding the potential concerns with device passcodes, it's always important to ensure that any device passcode or biometric used is strong and unique. This acts as a first line of defense against unauthorized access. Additionally, the point you raised about data legacy setups is certainly an essential aspect of the conversation, and it's something we continue to consider in our feature development.

    @9elsen, you bring up an important point. The ultimate goal is to make security more accessible and user-friendly. For many, especially those not as tech-savvy, managing complex passwords can be a daunting task. Passkeys aim to bridge that gap, offering an easier but still secure way to authenticate. Like you mentioned, for some users, especially those who might struggle with remembering complex account passwords, passkeys could offer a smoother experience.

    Remember, at the core of every feature we introduce is our commitment to providing options that cater to the diverse needs and preferences of our users, while ensuring the utmost security.

    Thank you both for your feedback, questions, and shared experiences. They play a pivotal role in shaping the future of 1Password. 😊

  • Zaka7, Community Member

    @julia.v_1P Sorry I missed this. Thank you for your reply. I fully understand that it isn't one size fits all. And for those less 'geeky' than I, passkeys are 100% a benefit for the 1PW login. But I don't agree with all the noise online about them being more secure. Whilst they are in 99.9% of cases, the password manager itself, the keys to the kingdom, is (in my opinion) far more secure utilising the current setup.

  • Hey @Zaka7

    Security is multifaceted. It's not solely about the strength of encryption or authentication mechanisms but also about how users interact with these systems.

    For clarity on the topic, here's why passkeys are considered more secure than traditional passwords:

    • Generation: Unlike passwords, you can’t create a weak passkey. Every passkey is generated by your device using a public-private key pair, ensuring they're strong and unique right from the start.
    • Phishing Resistance: Passkeys can't be phished like traditional passwords. The reason? The underlying private key never leaves 1Password, making it impossible for attackers to trick users into revealing them.
    • Social Engineering Resilience: The design of passkeys makes them resistant to social engineering scams, which are tactics used to manipulate individuals into divulging confidential information.

    However, as you rightly emphasized, there might be scenarios where the traditional account password, combined with the Secret Key and a hardware security key, offers a more comprehensive sense of security.

    Our commitment remains consistent: to provide users with options that allow them to choose their preferred security approach. As we innovate and introduce features like passkeys, we also maintain support for the trusted methods that many have come to rely on.

    Thank you for being an integral part of this important conversation. Your insights are invaluable as we journey through the ever-evolving security landscape.
