Trying to understand how passkeys can be shared

rgrim
rgrim
Community Member

I've researched this a bit and I'm still not coming up with a satisfying answer. To my understanding, passkeys generate a private key unique to login device and a public key for use by the resource one is logging into. There's then some magic matchy matchy that goes on and then a login can be a success.

Since the passkey is unique to the device logging in, how can 1Password share that passkey to a different device? I'm assuming the passkey being shared is the "private" one and since, by definition, it's unique, so how can it then be shared?

I'm certain this is answered elsewhere, but I just haven't found it so my apologies if this is clear to most other folks. I'm still scratching my whiskers on this one, however.


1Password Version: 8.10.18
Extension Version: 2.16.0
OS Version: Various
Browser: Various

Comments

  • Hello @rgrim! 👋

    Good question! Passkeys stored in 1Password can be shared just like your passwords can, it's one of the great features of 1Password. Create a shared vault and everyone with access to that vault will be able to access the passkeys stored there: Create and share vaults

    Here's a guide on how to save and sign in with passkeys: Save and sign in with passkeys in your browser

    Let me know if you have any questions.

    -Dave

  • rgrim
    rgrim
    Community Member

    I know they can be shared with 1Password. My question is "how"? I don't mean on a deep technical level, just in theory. If the passkey is supposed to be unique to a device, how can that passkey be shared to other devices? It does work, I've tried it, but how can it? It should only work for the device it was generated for.

  • @rgrim

    Ah, I understand your question now. There are two types of credentials that use the same technology behind passkeys: single-device credentials and multi-device credentials.

    Single-device credentials are passkeys that are bound to a single device, meaning the credential can only be validated using the device that it was created on. Single-device credentials come in the form of hardware keys, such as a YubiKey. Because the authenticator isn’t embedded in another device, like a phone, it can be freely inserted into and removed from different devices.

    Multi-device credentials are passkeys that can be moved and synced between devices. This means that if you have multiple devices, they can use the same credential regardless of whether you’re using the device that was used to create the credential.

    Multi-device credentials are increasingly what folks mean when they use the word "passkey" to talk about the new authentication method that has been rolling out across the industry over the past several months. They're the kind of passkeys that are being deployed by Apple, Google, and also 1Password.

    Tl;DR: Passkeys, as multi-device credentials, are not unique to each device. Instead they are unique to each website that you save a passkey for. When you save a passkey in 1Password, that passkey can be used on all of your devices and it isn't bound or associated with a single device.

    -Dave

  • rgrim
    rgrim
    Community Member

    This is a great reply. Thank you so much. So, as I read it, if that multi-device credentials is compromised, then - in theory - a bad actor could log into the web resource that it is meant for? If this is true, it would seem like the advantage of multi-device credentials would just be that they are harder to discover. Or am I missing some information here?

  • So, as I read it, if that multi-device credentials is compromised, then - in theory - a bad actor could log into the web resource that it is meant for?

    Can you tell me a little more about what you mean by "compromised"? Passkeys that you save in 1Password are protected using the same encryption and security as your passwords. No one but you can access your passkeys because only you know your account password and Secret Key. If you share a passkey with a family member then they'll need their account password and Secret Key to access that passkey in the shared vault.

    You can read more about 1Password's security here: Find Out How Safe 1Password Really Is

    If this is true, it would seem like the advantage of multi-device credentials would just be that they are harder to discover.

    The advantage of multi-device passkeys is that you're able to use the passkey on all of your devices and you're able to share the passkey with your family members.

    -Dave

This discussion has been closed.