1Password does not use a second factor before allowing use of passkeys
An important part of the use of physically backed security keys (YubiKey, passkeys, etc.) is that there is a second factor (typically biometrics). This prevents a remote attacker with access to the device from using the key as a sole factor for authentication, which would weaken security.
Since 1Password announced that they'd be supporting passkeys, I've been wondering how they'd implement this, since it's typically handled through biometrics at the OS level. iOS and Windows will not allow you to authenticate using Face ID/Touch ID and Windows Hello, respectively, over a Remote Desktop session. YubiKey obviously has a physical sensor. This check is done for every request to the private key.
Sure enough, when I remote desktop into my Windows 11 machine and unlock 1Password with my master password, it will then permit all the passkeys to be used without a second factor.
This is a serious problem because, in the above scenario, an attacker already has full remote access to the device, so the check for physical presence is the necessary second factor. I have seen this prevent a real-world attacker from moving laterally in our environment. I have also seen real-world attackers wait for password vaults to be unlocked and steal credentials in the 1 minute (or whatever) that they're open.
Does 1Password have any plans to require a second factor (e.g. physical presence) before permitting use of passkeys?
1Password Version: 8.10.20
Extension Version: 2.18.0
OS Version: Windows 11
Browser: Not Provided
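The "check for physical presence" the post refers to is visible to a website (the WebAuthn relying party) as the UP and UV bits in the authenticator data returned with every passkey assertion, and the BE/BS bits show whether the credential is a synced one. As an added example (not code from the post or from 1Password), the following Python parses that structure and applies a relying-party policy; `make_auth_data`, the `example.com` RP ID and the sample values are constructed for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 0x01  # user present: a physical-presence test was performed
FLAG_UV = 0x04  # user verified: PIN/biometric was checked by the authenticator
FLAG_BE = 0x08  # backup eligible: credential may be synced (e.g. password-manager passkey)
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_auth_data(raw: bytes) -> AuthData:
    # Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | optional extensions
    if len(raw) < 37:
        raise ValueError("authenticatorData too short")
    flags, sign_count = struct.unpack(">BI", raw[32:37])
    return AuthData(raw[:32], flags, sign_count)


def verify_assertion_flags(raw: bytes, rp_id: str, require_uv: bool) -> dict:
    """Relying-party policy check on one assertion's authenticator data."""
    ad = parse_auth_data(raw)
    reasons = []
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        reasons.append("rpIdHash does not match this relying party")
    if not ad.flags & FLAG_UP:
        reasons.append("user presence (UP) not asserted")
    if require_uv and not ad.flags & FLAG_UV:
        reasons.append("user verification (UV) required but not asserted")
    return {
        "ok": not reasons,
        "reasons": reasons,
        "synced_credential": bool(ad.flags & FLAG_BE),  # worth logging for risk decisions
        "currently_backed_up": bool(ad.flags & FLAG_BS),
        "sign_count": ad.sign_count,  # synced passkeys commonly report 0 here
    }


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData (no extensions) for offline testing."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)
```

A relying party can only check what the authenticator asserts: a software authenticator that sets UV once its vault is unlocked will pass this check, which is exactly the gap the post raises.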
Comments
Bump
Hello @whisper! 👋
Thank you for the question! Passkeys that you save in 1Password are protected using the same encryption and security as any of your other items. In order to unlock 1Password you'll need to enter your account password to decrypt your vault or use biometrics if you've enabled that option.
You can set 1Password to lock more quickly by changing auto-lock settings: How to set 1Password to lock automatically
It's important to remember that, if an attacker already has control of your computer and knows your account password, then there is little that 1Password can do to protect you in that scenario. Even if biometrics were required, the attacker would just be able to copy your vault to another device, unlock it using your account password, enable biometrics there, and access your passkeys.
It's important to keep your devices protected from malware and remote attackers by keeping them up-to-date, using reputable anti-malware software, and installing apps only from trusted sources like the Microsoft Store.
-Dave