
Question about passkey integration in 1password

sj0123
Community Member
edited September 2023 in Memberships

Hello.
Today, I heard from 1password news that 1password is going to allow passkey-based login soon.
It would be really great, as we would finally no longer have to memorise even a single password.
It would also be possible to use 1password on public computers when used with a hardware security key, as potential keyloggers aren't a concern anymore.
However, this raises a question.
As far as I know, 1password derives its encryption key by using PBKDF2 on the account master password and secret key combined.
Since most FIDO2-based passkey solutions don't permit private keys to leave the dedicated secure hardware, how does 1password derive encryption keys for accounts that only have a passkey registered?
Also, does the derived key provide the same level of entropy as master password plus secret key?
And finally, can I make sure that my password data are safe as long as the security key is in my hands?
Thank you in advance, and I'm looking forward to seeing the new passkey integration.



Comments

  • Hello @sj0123,

    You've raised excellent points! We're excited about the passkey feature, and I understand your curiosity about how this integration will work.

    1. Encryption Key Derivation with Passkeys: While the authentication process sees a transformation with passkeys, the underlying encryption of the 1Password vault remains robust. The traditional method combines the account password and the secret key. Even when using passkeys, a master secret exists and is used for encryption. This secret is securely managed within 1Password's infrastructure, preserving the integrity of your data.

    2. Entropy Level: The keys derived from passkeys are designed to be as strong as those derived from the combination of an account password and a secret key, ensuring top-notch security without sacrificing convenience.

    3. Security of Your Data with a Security Key: Passkeys leverage the power of public-key cryptography. This means each passkey has two components: a public key and a private key. When you decide to secure an account with a passkey, the public key is stored on the respective website's server. For authentication, your private key, which is securely stored on your device, comes into play. This private key is never exposed externally, making it a tough target for attackers. In essence, even if someone gets your security key, without the corresponding private key, they can't access your account.

    To further expand on the concept of public and private keys: Think of them as interlocking puzzle pieces. The public key is accessible to anyone, often stored in a directory. The private key, however, must remain confidential. For instance, when sending an encrypted message, the sender uses the recipient's public key. Only the recipient, with their private key, can decrypt this message.

    In the realm of passwordless authentication, such as passkeys, this asymmetric encryption comes to the forefront. When signing up on supported platforms, a public key is stored on the server, while the matching private key remains on your device. During sign-in, the system issues a challenge encrypted with your public key. Your device uses the private key to respond, facilitating a secure sign-in process without sharing the private key.

    1Password, at its core, utilizes secure encryption practices. Your data in 1Password is shielded by a key employing 256-bit AES encryption. To access your encrypted data, your account password and Secret Key are required, both of which are not stored on our servers. This design ensures that even in unlikely scenarios where encrypted data is compromised, without the necessary decryption components, the data remains secure.

    I hope this provides clarity on your queries. As we roll out the passkey feature, we aim to deliver not only convenience but also unwavering security to our users. Stay tuned for more updates on this exciting development!
