Passkeys vs Masterpassword

Finke03
Community Member

Hi,
Since the last update I'm happy to use passkeys on various online accounts.
I also read that it would be possible to use passkeys for the 1PW vault. Is this correct?
Now I'm asking myself how this would work and what is more secure - passkey or master password + secret key?
I understood the concept to have all the passkeys in 1PW vault, but where should the single passkey to access 1PW be stored? On the device's default keystore? In that case I have the feeling that my master password in mind in combination with the secret key is more secure, or?

Regards
Finke



Comments

  • Damnatus
    Community Member
    edited September 2023

    Hi Finke,

    Yes. Passkeys will be an option to unlock 1Password. This recent 1Password Blog post goes into more detail about that, including which is more secure (according to the post: both!)
    https://blog.1password.com/passkey-secret-key-account-security/

    It says there that “[t]he private key is stored on your device unless you securely sync passkeys across devices.” Which seems to be aligned with your assumption that it is the device's default keystore. But maybe a staff member can clearly confirm. (I haven't been active in the forums for a while and there are maybe already posts explaining this detail).

    But as @ag_josephine writes here (https://1password.community/discussion/142215/unlocking-1pw-with-a-passkey-blog-post#latest) they currently recommend storing the Passkey on a platform account like iCloud anyway to prevent losing access irrevocably.

    I also do not feel comfortable just ditching passwords just yet. Luckily, passwords and passkeys can co-exist. And this will also be true for the 1Password implementation!

  • XIII
    Community Member

    Luckily, passwords and passkeys can co-exist. And this will be also true for the 1Password implementation!

    I wonder whether that is true. How can they both lead to the same encryption key (on any device)?

  • Hi all.

    At the moment, unlocking 1Password itself using a passkey is still very much in development. A small cohort of invited beta testers have been able to create a test 1Password account which unlocks using a passkey, and there is currently no way to switch between using a passkey and using a Secret Key and account password for your everyday 1Password account.

    We're expecting that you'll use either a passkey or Secret Key and account password to unlock a 1Password account, but not both at once.

    As @XIII implied, we need to be able to derive the Account Unlock Key (and other keys as well), which right now is seeded from either the passkey or a combination of the Secret Key and account password. We would need to run multiple valid keys in parallel to allow you to use either unlock method, which isn't how our security model works right now and would probably represent quite a lot of cryptographic work to allow it, although not being a developer, I couldn't estimate how big a job that would be.

    We'll have more to announce about unlocking 1Password with a passkey as things continue, and if you haven't already, you can sign up for our passwordless newsletter to be kept in the loop:

    Sign up for our passwordless newsletter

    — Grey
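
Added example (not part of the thread, and not 1Password's implementation): one general way two unlock methods can open the same vault is to wrap a single random vault key once under a key derived from each method, which is the "multiple valid keys in parallel" idea raised in the reply above. The KDF parameters, the `passkey_secret` input and the HMAC-based wrap (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def kek_from_password(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Unlock key from a memorised password plus a high-entropy secret key."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()

def kek_from_passkey(passkey_secret: bytes, salt: bytes) -> bytes:
    """Unlock key from a secret the authenticator releases (assumed input)."""
    return hmac.new(salt, passkey_secret, hashlib.sha256).digest()

def _pad(kek: bytes, nonce: bytes) -> bytes:
    return hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()

def _tag(kek: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()

def wrap(kek: bytes, vault_key: bytes) -> bytes:
    """Encrypt-then-MAC a 32-byte key (toy stand-in for AES-GCM or AES-KW)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(vault_key, _pad(kek, nonce)))
    return nonce + ct + _tag(kek, nonce, ct)

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _tag(kek, nonce, ct)):
        raise ValueError("wrong unlock key or tampered slot")
    return bytes(a ^ b for a, b in zip(ct, _pad(kek, nonce)))

def demo() -> dict:
    salt = secrets.token_bytes(16)
    vault_key = secrets.token_bytes(32)       # random; not derived from either method
    secret_key = secrets.token_bytes(16)      # constructed sample values
    passkey_secret = secrets.token_bytes(32)
    pw_kek = kek_from_password("correct horse", secret_key, salt)
    pk_kek = kek_from_passkey(passkey_secret, salt)
    slots = {"password": wrap(pw_kek, vault_key), "passkey": wrap(pk_kek, vault_key)}
    via_pw = unwrap(pw_kek, slots["password"])
    via_pk = unwrap(pk_kek, slots["passkey"])
    try:
        unwrap(kek_from_password("wrong guess", secret_key, salt), slots["password"])
        rejected = False
    except ValueError:
        rejected = True
    return {"same_key": via_pw == via_pk == vault_key, "wrong_password_rejected": rejected}
```

Each slot is an independent way in, so the vault is only as strong as its weakest slot, and removing an unlock method means deleting its slot and rotating the vault key.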

  • Zaka7
    Community Member

    Hi @Finke03 (I posted this elsewhere, but thought I'd offer my opinion here too)

    So in my opinion, Passkeys, as a security geek and someone trying to get people more secure online (which includes almost forcing everyone I know to use 1Password), I think they're great. Everything about them is 100x better in terms of ease of use, phishing resistance and security.

    Now whilst I think that for all my accounts, the thing I personally cannot comprehend is why it would be beneficial to use a Passkey for 1Password itself. In my opinion this is less practical / secure than having a traditional password and hardware security key set up alongside the secret key as I do now.

    It also makes any data legacy setups potentially more difficult if devices perish with you (morbid I know).

    The other reason I think this is that it's almost certain the device I and many others would use to store said passkey would be an Apple device. Now my Apple device details are stored within 1Password. Isn't this like putting the keys to the safe inside a locked safe? I just can't get my head around it so am basically looking for others' opinions on this one :) Not to mention that a passkey can be viewed with a device passcode, so if you (which I hope you don't) use a basic device passcode, the passkey really isn't anywhere near as well protected as the Security Key + Secret Key + Master Password Combo.

    For these reasons, it is my opinion that whilst Passkeys are the future, and I will enable them on everything I possibly can (and store in 1Password), that will NOT extend to 1Password itself, for me at least. I believe the traditional offering to be the reason I joined this service in the first place and for it to still be the most secure.

    I do of course understand that not everybody is as technically minded as each other and people's abilities and appetites do vary, and if it meant using a password manager with a passkey or not using one at all, I know 100% I would be getting as many people signing up as possible!

This discussion has been closed.