Passkey implementation and usage

lodaka
lodaka
Community Member
edited November 2023 in Android

Hello, I wasn't sure where to post this; so, please move this thread to an appropriate place if needed.

After the recent update, I am now experimenting with the passkey function of 1Password. I've read many articles but I still not 100% sure how this works in real life, and where 1Password fits in.

As my first foray into this, I enabled Passkey on one of the websites, using the Windows app of 1Password. I see that it now created a "passkey" entry in the program. I have two issues:

  1. It still left the password / mfa entries alone, both in 1Password and the website. I am assuming that it's now safe to remove the password / mfa? Is this recommended?

  2. I then used my phone to go to the same website, thinking that 1Password somehow will be sync'ing this same passkey to my phone for me to "use". However, I am not sure how this sync'ing is supposed to work. How does the website know that I have this passkey? For instance, when I tried logging in using "Passkey", it says something like "Your device is not registered". Does this mean I have to repeat the same procedure for each device?

I think I understand passkey better as a concept than how it works in real life. I am a bit more concerned about #2 above, as I would not be able to to "copy and paste" the passkey (haha) the same way I would with passwords. This makes sense except that I shudder to think that I need to create a passkey for each device I have.

Any guidance would be much appreciated.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • lodaka
    lodaka
    Community Member

    Just following up on this. I am especially curious about the situation #2. Thank you.

  • rickapel
    rickapel
    Community Member
    edited September 2023

    This post captures my questions perfectly as I just created my first few passkeys this week. We need strategies in general as most of us now have a PW, passkey, and 2FA set up. We need advice on removing unneeded items to create a safe login while leaving a minimal set of attack vectors in place. I'm going to pile on my questions, hoping that others see them and respond,

    1) One of the things I have in the back of my mind is if some of the advice would be based on how passkeys were implemented on the different web sites. Is this assumption correct?

    2) When I was researching hardware devices, it was mentioned that a backup plan was necessary if the hardware was lost. I believe the advice was to set up 2 hardware devices in case you lost one so you could at least login and remove the 1st device.

    In the instance of using 1password, I would not think that would be necessary as you have software copies of the passkeys on multiple devices. I would like this advice to be validated per the second comment from the OP, who received the "Your device is not registered" message.

    I would think that a passkey is a passkey regardless of the device the client is using. My other thought on this is that the message the OP received above was sent due to a web site specific validation which might have been outside of the protocol used for the validation of passkeys.

    (I do believe that one web site gave me a recovery key to be used but I'm going from memory on that one and just want to focus on getting these questions posted for now)

    3) I share a few accounts with my kids (now adults), one who has their own 1password account, and one who does not.
    I typically share a 1password link with the kid who has 1password and life is good. I've done this when creating OTP's and would assume the passkeys would migrate over too. Am I Correct on this assumption?

    4) With the kid that doesn't use 1password, I managed to get him set up such that he uses a 3rd party app with the OTP key that I originally created with 1password. My kid who uses 1password quickly saw the value of it, but I'm still working on the other kid to start using it instead of using scraps of paper. Is there a way to export a passkey so that kid can temporarily use passkeys with a 3rd party app during the interim period?

    Thanks in advance for any responses?
    Fredrick (Rick) Apel

  • GolferWHH
    GolferWHH
    Community Member

    Excellent thread. I am also exploring transitioning from passwords, and some 2FA where warranted, to Passkeys.

    Read and viewed numerous articles/ videos on Passkeys. It all makes sense and looks very similar to a Public Key Infrastructure system implemented way back in 2006 at my employer. It all makes sense and seems real simple until you run into the great world we all, or most of us, live in.

    Our home environment is a Windows desktop, a Windows Laptop, a Pixel 7 and 1Password. My wife also uses the two Windows devices and has her own Pixel 6. I keep the SW as up to date as possible. This creates all sorts of anxiety when she is confronted with "transparent SW changes". The later is a great source of concern as she struggled with 2FA for banking/Credit Card accounts.

    So what is missing is a simple, if possible, tutorial/article on setting up Passkeys for one app that is accessed from Windows (2 devices), and a cellphone. A few pointers on the need for Biometric authentication, and what happens if this is not available on one or more devices.

    If I understand everything I've read, a separate Passkey (device registration) will be required for each device and will be linked to the account. I believe this is required to login to an account with passkeys from each device without requiring a separate device to "authenticate". Pardon me for not having the terminology correct as I'm sure some of what I've written is not using the correct terminology.

    BTW: Seems to me each Vendor playing in the Passkey space (Google, Microsoft, and 1Password) include some product sales/marketing in their user help/tutorials and this does help confuse it for us great unwashed.

    BTW2: Given my "tech support" role in our house, it strikes me one of the impediments to Passkey implementation is the level of technical information that is being provided/needed to use Passkeys. Suspect this is required due to the implementation/adoption phase of Passkeys.

    Thanks for opening this thread, it captures my issues perfectly.

  • wlclev42
    wlclev42
    Community Member

    Agreed: "A simple, if possible, tutorial/article on setting up Passkeys for one app that is accessed from Windows (2 devices), and a cellphone." Passwords are so important that using a different process without a clear understanding is beyond a concern.

  • Hello Community Members,

    Thank you for your insightful discussions regarding the passkey function in 1Password. Let's address the queries:

    For @lodaka:

    1. When you enable passkey for a website, it's advisable to keep the original password/MFA entries until you're certain the Passkey works seamlessly across all devices and situations. Once confident, you can consider removing the old credentials.

    2. Regarding the "Your device is not registered" message: Passkeys can be of two types: single-device credentials and multi-device credentials.

    Single-device credentials, like a YubiKey, are specific to one device. They can only be validated on the device where they were initiated. This means if you set up a passkey of this type on one device, other devices won't recognize it.

    On the other hand, many in the industry, such as Apple and 1Password, are moving towards multi-device credentials. These passkeys can be synced across different devices. So, even if you establish a passkey on one device, it can be recognized and utilized on another.

    However, it's important to note that if you're using an Android phone, passkey functionality is not yet supported. Google is actively developing Android 14, which will introduce APIs allowing password managers like 1Password to create and utilize passkeys within Chrome and other supported apps. Once these APIs become available, 1Password is poised to offer support, enabling more seamless passkey use across Android 14 devices.

    To @rickapel:

    1. Yes, the implementation of passkeys might slightly differ depending on the website's infrastructure and security protocols.
    2. Ideally, a passkey should be device-independent. The message @lodaka received could be from an additional security layer added by the website.
    3. Sharing passkeys within 1Password's family plan functions similarly to sharing any other data type. If you share a link or vault with another 1Password user, they should gain access.
    4. At this stage, you cannot import or export passkeys. We’re working closely with platform vendors and other password managers through the FIDO Alliance to create a secure way to import and export passkeys. We believe it’s your choice where to store and use your passkeys. Hopefully we’ll have more to share soon.

    For @GolferWHH:
    Creating a step-by-step tutorial for setting up passkeys across various devices sounds invaluable. Ensuring users transition smoothly to new security measures is a priority. At the moment we have this support guide to help you get started with passkeys: Save and sign in with passkeys in your browser

    For @wlclev42:
    Absolutely agreed. Transitioning from traditional passwords to passkeys is a significant shift, and understanding this new procedure is paramount. We're on it.

    In essence, we're evolving alongside advancements in the security realm, ensuring 1Password remains a reliable guardian of your digital life. Your feedback propels us forward, and we thank you for your patience and insights.

  • lodaka
    lodaka
    Community Member

    @julia.v_1P Thanks for some insight. This is very helpful in understanding what probably went wrong in my attempt. The website that I was experimenting on was the DocuSign website, in case this sheds some light.

    At least at this point, I don't plan to expand my experiment beyond DocuSign, until I can be sure that I can work with DocuSign first and then see where we go from there.

    Your note on Android 14... was very surprising. Yes, I am on Android 13, which probably explains the above issue, although I am still not clear on exactly how a website like DocuSign can determine what passkey I have. However, like most things in life, I suppose I don't need to know how it works as long as... it works. If syncing on 1Password can work seamlessly in the background across multiple devices somehow, there is nothing I want more.

    I see some great comments / experiences by others in this thread. I think we are all on the same boat. We are all very security conscious and have been greatly intrigued by the development of passkey. We all want to be as secure as possible on this wild wild west aka the Interwebs. I try and protect the security of the people around my life by "half-forcing" them to use 1Password and teach them about cybersecurity, and most of them begrudgingly go with it, but rely on me to "help" them if things somehow don't work.

    I am excited about passkey and have been waiting for 1Password to implement it (beyond beta that is) and was very excited to try and test it out. This tutorial video idea sounds like something that could be helpful, in understanding how passkey works and its limitations as well. I think I've seen enough videos about the passkey concept, but it would be great to see some videos like: "Here is how you set up a passkey on Google on multiple devices" or something similar. Thank you and the other posters. I knew there would be bumps on this road, but it's great to share some of these experiences.

  • Hello @lodaka,

    I'm grateful for your comprehensive feedback and the valuable insights you've provided. Let me dive into your points.

    Firstly, regarding your experiment with DocuSign, each website has its own implementation and understanding of FIDO2 and WebAuthn standards. While we strive for a seamless experience, the interaction between 1Password and third-party services, like DocuSign, might not always be straightforward, especially during these early stages of broad passkey adoption. Your feedback in real-world scenarios like this is immensely helpful as we continue to fine-tune our processes.

    About Android 13: You're right, and I apologize for any inconvenience this may have caused. As technology evolves, so do the layers of interoperability between systems, apps, and services. We're eagerly awaiting the enhancements coming with Android 14, and we believe they'll significantly improve the passkey experience for 1Password users on Android.

    Your enthusiasm for passkeys is infectious and aligns with our vision for a more secure and user-friendly internet. We're always working on educational content, and your suggestion of specific tutorial videos is spot on. Demonstrating the real-world application of passkeys across various platforms and services will indeed be beneficial for our user community.

    Lastly, your dedication to promoting good security habits among your circle is commendable. We genuinely appreciate the trust you place in 1Password and your commitment to ensuring a safer online environment for those around you. It's interactions like this that keep us inspired and constantly striving to better our offerings.

  • lodaka
    lodaka
    Community Member

    @julia.v_1P You must be on forum duty this morning... Your avatar is plastered all over this forum. :)

  • Hi @lodaka

    Haha, you caught me! Yes, I've been quite active today. It's always a pleasure to engage with our community and address any questions or concerns. If you have any further inquiries or need assistance, don't hesitate to ask. I'm here to help! 😊

  • rickapel
    rickapel
    Community Member

    @julia.v_1P Love the play on words with your community id! You are truly a VIP with the comprehensive answers you provided today.

  • @rickapel Thank you so much for the kind words! Your feedback truly brightens my day. 🌞

  • lodaka
    lodaka
    Community Member

    Thought I'd provide an update on this topic now that my phone got an upgrade for Android 14 last night. Nothing changed with respect to the passkey implementation issues -- but more confused in a way.

  • ag_audrey
    ag_audrey
    1Password Alumni

    Hey @lodaka, happy to hear you've upgraded to Android 14! Would you be able to share the aspect that was confusing?

  • lodaka
    lodaka
    Community Member

    @ag_audrey Hi there, the thread above kind of explains this. With respect to the problem that I was having initially, i.e. the passkey (created by Windows) for DocuSign not sync'ing with my phone (or unable to use the same passkey when using the phone), based on the discussion with Julia, we kind of "soft" concluded that this may have something to do with Android 13.

    After I upgraded to Android 14, I was half expecting for things to work properly (yes magically somehow), but the issue remains the same. Perhaps, 1Password needs to be updated to take advantage of whatever Android 14 provides, but this was the reason for my confusion.

This discussion has been closed.