Option to Always Require Biometrics for Passkeys?

The 1Password Browser Extension should require biometrics each time a user wants to use a passkey (even within the "auto-lock" time window). This is how just about every other implementation of passkeys works, and for good reason.

There are several security issues with the current behavior, in my opinion. The most obvious of which is that an attacker with remote access to your device can still log in to your accounts within the auto-lock time window (or until you restart if auto-lock is set to "never"). This negates many of the security advantages of passkeys. If biometrics were required every time, an attacker with remote access would be able to see that you have a passkey set up for a particular account in the 1Password app (within the auto-lock window), but they would not be able to do anything with it without your biometrics or master password.

This is the same reason physical security keys require you to physically tap on the key to authenticate. Even if you leave your key plugged into your computer for a few hours (the equivalent of 1Password's "auto-lock" time window), an attacker still needs physical access to your device to trigger the authentication.

Are there any plans to modify this behavior in the future?


1Password Version: 8.10.16
Extension Version: 2.15.1
OS Version: macOS 14.0
Browser: Brave
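The post's point about security keys maps onto a concrete WebAuthn mechanism: every assertion carries an authenticatorData structure whose flags byte records whether the authenticator attests to user presence (UP, bit 0) and user verification (UV, bit 2). A relying party that requests `userVerification: "required"` should check that bit on the server rather than trust the client. The example below is added here and is not code from the post or from 1Password: it parses the authenticatorData layout defined by the WebAuthn spec (32-byte rpIdHash, 1-byte flags, 4-byte big-endian signCount) and applies the policy check, using constructed sample bytes (an all-zero rpIdHash stands in for SHA-256 of the RP ID). The caveat a practitioner should keep in mind is the one the post is really about: the UV flag only records that the authenticator claims to have verified the user; when and how a software authenticator such as a password manager performs that verification is entirely its own decision, so this server-side check cannot force a fresh biometric prompt per use.

```javascript
// Added example (not from the original post or from 1Password): parse WebAuthn
// authenticatorData and enforce the UP/UV flag bits on the relying-party side.
//
// Layout per the WebAuthn spec:
//   rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)
//   || [attestedCredentialData] || [extensions]
const FLAG_UP = 0x01; // bit 0: user present (touch / click)
const FLAG_UV = 0x04; // bit 2: user verified (PIN / biometric / vault unlock)
const FLAG_AT = 0x40; // bit 6: attested credential data follows (registration)
const FLAG_ED = 0x80; // bit 7: extension data follows

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    attestedCredentialData: (flags & FLAG_AT) !== 0,
    extensionData: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(33), // big-endian by default
  };
}

// Server-side policy for an assertion ceremony. When the request options asked
// for userVerification: "required", an assertion without UV must be rejected;
// UP must always be set for an assertion. The hypothetical requireUV option
// mirrors whether the RP requested "required" or only "preferred".
function checkAssertionFlags(authData, { requireUV = true } = {}) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: "UP flag not set" };
  }
  if (requireUV && !parsed.userVerified) {
    return { ok: false, reason: "UV flag not set" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample data (not real assertions): zero rpIdHash, chosen flags,
// and a sign counter, laid out exactly as an authenticator would emit them.
function sampleAuthData(flags, signCount) {
  const out = new Uint8Array(37);
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, signCount);
  return out;
}

// An assertion from an authenticator that verified the user for this use...
const assertionWithUV = sampleAuthData(FLAG_UP | FLAG_UV, 7);
// ...and one that only attests to presence, which a UV-required RP must refuse.
const assertionWithoutUV = sampleAuthData(FLAG_UP, 8);

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkAssertionFlags(assertionWithUV));    // { ok: true, reason: '' }
  console.log(checkAssertionFlags(assertionWithoutUV)); // { ok: false, reason: 'UV flag not set' }
}
```

Note that the flags are asserted by the authenticator, not observed by the relying party: a hardware key sets UP only after a physical tap, whereas a software authenticator sets UV according to its own unlock state, which is exactly why the post asks for a per-use biometric prompt rather than relying on the auto-lock window.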

Comments

  • cysec
    Community Member

This discussion has been closed.