Why passkey login to 1Password?

rallyn1password
Community Member
edited November 2023 in Unlock with passkeys

I can't understand the reason to spend development dollars to enable passkey login to 1Password account. I must be missing something here. I am a huge fan of passkeys and 1Password as the repository for all my passkeys, but logging into 1Password with a passkey makes no sense to me.

My assumption is that to log in to 1Password with a passkey, that passkey has to be stored on a device. For iOS/Mac that is iCloud keychain. For Windows, Linux, Android, or any other platform it will be stored somewhere else. Now the passkey, which is the gateway to my digital life, is stored in a whole bunch of places, with associated security or lack thereof.

If this assumption is correct, then 1Password seems to be passing off the security of the whole platform to other platforms which means it is out of their control, and inherently less secure. (iPhone passcode could give access to iCloud Keychain for example).

One other question, if I lose all my devices, how do I get access to my 1Password account? No passkey or other logged in device available to validate. I go to 1password.com and ???

Help me understand why passkey login to 1Password is a benefit worth doing and using?

Thanks!



Comments

  • oUNderge
    Community Member
    edited November 2023

    As a user I have had the same thoughts. I wonder if 1Password will let you store your passkey for your 1Password account on a USB drive which you could store in multiple safe places like: 1 in your home safe, 1 in your safe-deposit box and 1 in the home safe of a family member. I am sure you can appreciate the importance of having multiple copies for redundancy.

  • 9elsen
    Community Member

    "Now the passkey, which is the gateway to my digital life, is stored in a whole bunch of places, with associated security or lack thereof."

    The platform owners (Google/Apple/Microsoft) are offering native support for passkeys, if they do not build that secure I guess the whole idea of passkeys goes down the drain?

  • Dave_1P
    edited December 2023

    Hello @rallyn1password, @oUNderge, and @9elsen! 👋

    Thank you for the great questions! I'll answer them below:

    "I can't understand the reason to spend development dollars to enable passkey login to 1Password account. I must be missing something here. I am a huge fan of passkeys and 1Password as the repository for all my passkeys, but logging into 1Password with a passkey makes no sense to me."

    We want to make security simple and convenient. Passkeys are a great solution for the challenges we see some people face with the account password + Secret Key model.

    If someone is less technically savvy, they might not understand that they need to have access to both their account password and Secret Key in order to sign into 1Password. Or they might forget where they've stored their Secret Key when they need it. Or they might have a good grasp on how things work when they sign up for 1Password but then run into trouble a year later when they get a new device, try to add 1Password to that device, and find themselves having to remember what terms like "Secret Key", "sign-in address" and "Emergency Kit" mean.

    Even if you are technically savvy, the process to add your 1Password account to a new device can be complicated and require many steps. Passkeys make signing into your 1Password account easy, convenient, and secure and do away with the need to memorize an account password and look after a Secret Key: Unlock 1Password With a Passkey: Now in Beta

    That being said, if you're happy with the existing account password + Secret Key model then you can stick with that, there's no need to change anything.

    "If this assumption is correct, then 1Password seems to be passing off the security of the whole platform to other platforms which means it is out of their control, and inherently less secure. (iPhone passcode could give access to iCloud Keychain for example)."

    If you sign up for the passkey unlock beta then I recommend storing the passkey for your 1Password account somewhere safe. iCloud Keychain is end-to-end encrypted which means that no one, not even Apple, can access your passkey.

    Biometrics are used by iOS AutoFill to access your saved passkey in iCloud Keychain. If biometrics fail then your iPhone will indeed fall back to your device passcode which you can change to be more complex if needed: Use a passcode with your iPhone, iPad, or iPod touch - Apple Support (CA)

    The iOS 17.3 beta also introduces Stolen Device Protection which will provide an additional layer of security preventing access to your saved credentials in iCloud Keychain if your device is stolen and someone has obtained your device passcode.

    "One other question, if I lose all my devices, how do I get access to my 1Password account? No passkey or other logged in device available to validate. I go to 1password.com and ???"

    Folks using the passkey unlock beta are able to generate a recovery code that can restore access to their account if they lose access to their passkey. They can save the code in a safe location, and use it if they need to recover access to their account after losing all other means of access. Access to the email address associated with a 1Password account will still be required for verification purposes.

    Our support page includes instructions on how to generate and save your recovery code: Unlock 1Password with a passkey (beta)

    I hope that helps! 🙂

    -Dave

  • rallyn1password
    Community Member
    edited December 2023

    Thanks for the reply Dave.

    So it sounds like my concerns are well founded. You are delegating control of access to 1Password to other platforms out of your control, like Apple's iCloud Keychain, which could be compromised by observing an iPhone unlock code and stealing the phone. Yes, Apple is belatedly, slowly trying to address it in some future release, and users can use Screen Time passcode, but in the meantime, your whole platform is at risk and it is not in your control. There will be other issues in the future, that is the one thing we can guarantee.

    You also say:

    "Folks using the passkey unlock beta are able to generate a recovery code that can restore access to their account if they lose access to their passkey. They can save the code in a safe location, and use it if they need to recover access to their account after losing all other means of access. Access to the email address associated with a 1Password account will still be required for verification purposes."

    In the worst case scenario of losing all my devices, and my email password is in 1Password, and you require me to have access to my email to recover my 1Password access, then I have just been locked out of the platform, correct?

    I appreciate the information, but at this point, I will not be allowing anyone in my family group / friends to use Passkey login to 1Password. Having to know a login name, password and security key is at least dependable, reliable, secure, and easy to explain and share between trusted users. Passkey login to 1Password seems to be none of those.

  • @rallyn1password

    Thank you for the reply. It's important to be aware that your passkey, stored in iCloud Keychain, is by itself not enough to add your 1Password account to a new device. You'll always need to perform an additional step: confirming the sign in from an existing trusted device.

    "In the worst case scenario of losing all my devices, and my email password is in 1Password, and you require me to have access to my email to recover my 1Password access, then I have just been locked out of the platform, correct?"

    We recommend adding several trusted devices to your passkey account. A trusted device can be used to gain access to your account, or to grant access to another device should you lose one. This will allow each of your trusted devices to receive verification codes if you lose access on one of your devices, or need to sign in on a new one.

    You're correct that your recovery code by itself is not enough to recover access to your 1Password account. You’ll also need access to your email address to receive a verification code. It's unlikely that you would lose access to all of your devices where you have access to your email at the same time.

    That being said, if you do end up in a situation where you don’t have access to your email address on any of your devices then you can reach out to your email service provider for help with resetting the password for your email account. Once you’ve regained access to your email account, you’ll be able to use your recovery code to recover access to your 1Password account.

    "I appreciate the information, but at this point, I will not be allowing anyone in my family group / friends to use Passkey login to 1Password. Having to know a login name, password and security key is at least dependable, reliable, secure, and easy to explain and share between trusted users. Passkey login to 1Password seems to be none of those."

    Passkey unlock for 1Password is currently in beta and you and your family/friends can certainly choose not to join the beta and just stick with your existing accounts. As the beta progresses we hope to share more regarding things like account recovery for family accounts and more. 🙂

    -Dave

  • rallyn1password
    Community Member

    Thanks for additional info. If they steal the iPhone, then they have the trusted device in their hand and the iCloud Keychain access, so little comfort there, and sure hope it is not easy to get access to email without credentials, but I get where you are headed, more than just the passkey is required. This is just not a direction I think I can support at this time for my users.

    One other question along this line, if I work across iOS, Android, Windows, Mac, and Linux with multiple web browsers on each platform, and multiple devices (phone/tablet) on iOS/Android, do I get a unique passkey for each browser / device / OS? So I would now have a whole collection of passkeys? Or one passkey now on many devices?

    Thanks again for the follow ups.

  • millertime
    Community Member
    edited December 2023

    "That being said, if you do end up in a situation where you don’t have access to your email address on any of your devices then you can reach out to your email service provider for help with resetting the password for your email account. Once you’ve regained access to your email account, you’ll be able to use your recovery code to recover access to your 1Password account."

    I find it odd to fault a third party (mail provider) for this situation. Additionally, suggesting the activation of multiple devices seems impractical, considering the average user likely owns just a phone and a computer. The only sensible option to prevent the user from locking themselves out would be if the recovery key were tied to a passkey and not to a mail address.

  • @rallyn1password

    Thanks for the reply. If you choose to unlock 1Password with a passkey, I recommend storing that passkey in a synced passkey provider and have this provider signed in on more than one device (iCloud Keychain on your iPhone and Mac or Google Password Manager on your phone and browser).

    If you've saved your passkey in one provider (such as iCloud Keychain) you can still sign in using that passkey on a device that doesn't support that provider by scanning a QR code. Alternatively, you can add multiple passkeys to your 1Password account from each platform provider that you use.

    @millertime

    I'm sorry for being unclear, no one is being faulted here. I was just providing an option that might be helpful in a situation where you've lost all of your devices and lost access to your email account. 🙂

    Passkey unlock for 1Password is currently in beta and the team appreciates your feedback as we continue to iterate. I've passed along your thoughts regarding the recovery code process to the team.

    -Dave

    ref: PB-37487363
    ref: PB-37487423

  • millertime
    Community Member
    edited December 2023

    The problem with the proposed solution is that it implies the loss of all devices and the mailbox are separate events, which isn't true. For most users, their mail password is most probably stored in 1Password. I really hope another (additional?) solution is implemented here that can truly be a lifesaver in such situations.

    And I'd like to take this opportunity to wish the 1Password team a Merry Christmas.

  • rallyn1password
    Community Member

    If you are requiring a second factor for passkey login (which I did not think was a thing), then why not use the Secret Key? Email makes no sense, as I have lost access to email as I cannot get into 1Password to get my email password.

    I thought the idea of passkeys was that 2FA is already addressed as to access the passkey, you have to biometrically authenticate to the passkey store. So why the added hurdle for 1Password? It seems at odds with the whole idea of passkeys.

    My understanding also is that passkeys cannot be stored outside of a designated passkey storage platform for security, as biometrics or other 2FA are required. So how do I get into iCloud Keychain or Google Password Manager without access to 1Password to log in?

    This continues to look like a circular problem with the result of being locked out of 1Password if I lose all devices.

  • ski22
    Community Member
    edited December 2023

    The problem here is that not only do people store their email password in 1Password, they also store their email’s 2FA in 1Password too. Not good and I agree this is a bad circular implementation to use email.

  • OAW
    Community Member

    @Dave_1P

    "It's unlikely that you would lose access to all of your devices where you have access to your email at the same time."

    I think a house fire or natural disaster might beg to differ. While the risk of such a calamity may be "unlikely" it is certainly not "negligible".

  • Dave_1P

    Thank you for the feedback regarding the beta! I've passed your comments and requests for more recovery options along to the team internally. 🙂

    -Dave

    ref: PB-37671036
    ref: PB-37671063

  • timl23
    Community Member

    One thing that seems to be missing from the discussion here is that the passkey for 1password can be stored on a security key. That way you don’t have to rely on Apple or Google ecosystems, although you can use them in addition to the security key, if you so desire.

  • millertime
    Community Member
    edited January 31

    @timl23, hardware keys become ineffective if there is no access to additional trusted devices. This represents a significant flaw in this type of implementation and contradicts the purpose of passkeys.

  • Tertius3
    Community Member

    A major problem for me with the 1password passkeys implementation is that the passkey isn't used for encrypting the unlocking keys, similar to how the secret key + account password is used.

    Instead, it's just used to authenticate yourself against the 1password servers for enrolling a new client, and even if you unlock 1Password. According to the security design paper, it's also possible to unlock 1password offline, and in this case the OS biometric system is used. I'm using Windows, so Windows Hello is used to provide and validate my passkey.

    According to the security design paper, a "credential bundle" is decrypted by the device key, and the keys required to decrypt the vault data become available.

    However, where is the credential bundle stored in this case on my Windows PC, and the device key? I see a possible attack surface on the credential bundle and the device key, because on Windows there isn't a protected storage except in the TPM, and TPM usage isn't mentioned anywhere. So I'd like to see proof that it isn't possible to crack my local 1password database if someone just copies my system disk and gets access to every single file on my computer.

    As far as I read, the device key is the crucial part, and on Windows it isn't stored in a secure storage, so it's possible to obtain it from anyone who has access to the hardware.

    And that's the difference between passkey implementation and secret key+password: someone with access to the hardware only has access to the secret key. He still isn't able to decrypt the vault data, because he still hasn't the account password, the second half of what is used to encrypt everything.

    But with passkeys, you're only authenticating against some API, and this API can be circumvented - you just need to emulate it or provide your own implementation.

    A major drawback of passkeys also is the complexity of the implementation. People simply don't understand how it works as a whole. But if you don't understand something, you don't trust it. The inner working is obscure, is a blackbox, and is in vast contrast to the user experience. The user experience is that there is a popup, you click a button, and you're logged in (optionally with a short pin). And I am supposed to trust that what went on behind the scenes that moment is more secure than using userid+password. And that's my acceptance problem. Is all this magic working behind the scenes actually secure? Isn't there any secret data drain to some spyware? Is the good user experience actually just the peak of good program design, or is it just a dummy, and behind the scenes some very primitive and not secure at all mechanism just says: "give him access"?

    In the end, it's again a matter of trust. I have to trust people, if they say: "our passkeys implementation is secure, and it is more secure than using passwords". With passwords, I can choose good passwords to control some kind of security level. But with passkeys, I have no control.