Can I store the passkey for my 1Password account on a Yubikey?

telephoneman2
Community Member
edited November 2023 in Unlock with passkeys

Hey guys, I just read your newsletter about passkeys and logging in to 1PW.com and the authentication details. Is there any way to add the passkey and the "hidden secret" to a YubiKey, to have such keys as a backup? Or would the migration to 1PW.com passkeys result in the need to have at least one PC, smartphone or tablet as a trusted device, and YubiKeys won't be supported any more (not from a WebAuthn perspective, but because the hidden secret string can't be passed to the HW key)?



Comments

  • XIII
    Community Member

    Yes, wondering about this as well.

    I have multiple Apple devices, so I can use iCloud Keychain to have a "backup", but what if I ever lose access to my iCloud account?

    For that I want a YubiKey (multiple actually) as a backup (and maybe to use on a very old Windows PC) to access 1Password.

  • telephoneman2
    Community Member
    edited November 2023

    @XIII yes, that's exactly what I was thinking about. Having these HW keys somewhere on the ceiling in a dusty paper box in case of emergency, or another one somewhere in the house of my relatives.

    But I don't think iCloud will help here, as the hidden secret isn't stored in iCloud. I understood this will be pushed from 1Password installation instance to instance outside of iCloud Keychain? iCloud will just store the passkey and not the secret. Or did I get that detail wrong?

  • XIII
    Community Member

    > iCloud will just store the passkey and not the secret. Or did I get that detail wrong?

    I think you are right. I was probably thinking too much of regular passkey usage...

  • telephoneman2
    Community Member

    @XIII if it was "just" the passkey, it would be easy to use YubiKeys as well. But the hidden secret is the question, which is not part of the passkey ... Let's see if someone from the officials comments here 😊

  • telephoneman2
    Community Member

    Hello, no one here has an answer on this?

  • Hi @telephoneman2

    Apologies for the delay in reaching back out to you here. The development team have absolutely heard yours, and many other users', calls to be able to unlock 1Password with a passkey stored on a security key. Recently, the ability was added to add multiple passkeys to an unlock with passkeys account by signing in on 1Password.com, selecting your name in the top right, then selecting Authentication. This helps address those concerns about wanting a backup passkey stored in another service if you ever lose access to your main passkey.

    Could you also let me know what "hidden secret" you have in mind here? If you're thinking of the public-private key pair of a passkey: one key is public and connected to the website or app you’re using (in this case, 1Password.com), the other key is private and only stored on your device where the passkey was created. If you were to create a passkey on a YubiKey, the private key would be stored on there.

  • telephoneman2
    Community Member

    @jac.pd_1p it's been a while since I saw a video of you where you presented how login to 1PW.com will work (I think at a conference, tech talk or similar). I understood you will have the passkey but also a third parameter to encrypt the database, which plays a similar role to the "Secret Key" (I think in the white paper you called that combination the "credential bundle"). I understood you authorize new devices by approving this on an already trusted device. And I understood that if you lose all trusted devices you are locked out. So the question is: Will it ever be possible to have a backup door without having any trusted device available? E.g. by using YubikKeys. Will there be an "emergency kit"? Nowadays you can store your emergency kit paper sheet in the bedroom under the mattress, but how will that be when it's passkey based? Or will the emergency kit printout remain?

  • telephoneman2
    Community Member
    edited December 2023

    @jac.pd_1p So now you added a beta. So the backup way to go is: in case all trusted devices are lost, I can use the recovery key without any passkey. Is that right?

  • @telephoneman2

    Apologies for the delay in getting back to you, things have been crazy gearing up for the unlock 1Password with a passkey public beta launch!

    > Will it ever be possible to have a backup door without having any trusted device available?

    As you have discovered already, our answer to this is the recovery code that was introduced during the private beta. This 69-character code will be part of the process in regaining access if you somehow lose access to your passkey and all your trusted devices. You can save this recovery code in a safe location anywhere you'd like, as you can do with traditional accounts secured by an account password and Secret Key.

    And for those who don't know where to keep their recovery codes safe, we have a blog post on our website giving some examples: Where to Store Your 1Password Emergency Kit.

    > So the backup way to go is: in case all trusted devices are lost, I can use the recovery key without any passkey

    You've hit the nail on the head there. You can generate a recovery code and use it in the event that you somehow lose access to your passkey and all your trusted devices. You will still need access to your email address since this is part of the verification step to confirm ownership of the 1Password account. Then once you're back in the account, you can save a new passkey to the account and continue as usual.

  • telephoneman2
    Community Member

    @jac.pd_1p thanks, but in this case, what is the benefit of the passkey for regular login? Entering the email address on the login screen, approving on a trusted device + entering the dynamically created approval code on the new device should be sufficient? What's the passkey for? The passkey just "bypasses" the email address verification step thing. And it seems not to be part of the de/encryption process? Somehow that recovery code seems to be the "encryption key" (or call it secret key). So somehow in the new process you invented a way to push the "secret key" from a trusted device to a new device to decrypt the vaults. And the passkey has the same role as username/password formerly had? I am not complaining about this new way. No, I think the trusted device approval makes the "find your secret key string" obsolete, that's really cool. But it should have worked with user/password authentication also?

  • @telephoneman2

    Thanks for the reply. With a passkey you never have to type anything, just use your saved passkey to authenticate your account and then confirm sign in on a trusted device.

    The passkey authenticates you to the 1Password server, which then sends a notification to all of your existing trusted devices. Your trusted devices will then ask you if you'd like to set up a new device; if you provide confirmation, then the keys to unlock your account are sent to your new device via an end-to-end encrypted tunnel.

    Without the passkey, you wouldn't be able to authenticate with the 1Password server. Your passkey is an essential component of the authentication and decryption process. You can read more about passkey unlock security here: About the security of unlocking 1Password with a passkey

    Let me know if you have any questions. 🙂

    -Dave

This discussion has been closed.