Feedback regarding the passkey recovery flow

MaKolarik
Community Member
edited December 2023 in Unlock with passkeys

First, congrats on the beta launch for all platforms! I've been looking forward to this all year, and it surely wasn't an easy feature to add.

After reading the expected device setup and recovery flows, I'm a bit confused and disappointed, however. Let me explain:

When adding new devices, the passkey is used as the first step here - all good. Then, an additional confirmation is needed on one of the connected devices - ok, I guess. It's similar to the "password + secret key" flow, where the passkey replaces the password, and the confirmation on another trusted device replaces the secret key.

Of course, devices can get lost, so what happens then: with "password + secret key", the secret key is part of the emergency kit, and the password can (but doesn't have to) be written down as well depending on the user preference. That means setting up a new device requires only the emergency kit and, optionally, knowledge of the password (if the user didn't write it down on the emergency kit) - no need to have any of the previously connected devices.

Well, with passkeys, there's now a new "recovery code", except it doesn't actually replace a lost device; it replaces a lost passkey. In this case, the passkey isn't required at all, but instead the user needs access to their email. This makes little sense to me for the following reasons:

  1. Passkeys are easy to back up, while connected devices are not, so this solves the wrong problem. For example, I expected to have the app installed on my PC and phone and have another 1-2 YubiKeys added and stored somewhere safe so that I can set up new devices with them if needed. Losing the passkeys wouldn't really be an issue then because there would be four in total. But if the YubiKeys are not enough to log in without one of the existing devices, and there is no backup code to replace the confirmation from an existing device, then the HW keys are entirely useless, and the whole setup depends on those two connected devices.
  2. Using email as part of the recovery process seems rather funny, as I would expect that for most users, credentials to their email are stored in 1Password. If they lose access to 1Password, they likely lose access to the email as well and can't use the recovery anyway.

I understand HW keys are not for everyone, so losing the passkey is surely a possibility worth considering, but it seems that the current recovery process won't work for many users anyway because of the second point, while it also completely neglects the other scenario, where you do have the passkey but no longer have any connected device and email access.



Comments

  • lengotengo
    Community Member

    I understand that recovery codes are used to replace trusted devices and passkeys at the same time.

    Just tried it here in a new browser, and the only secondary code asked was the 6-digit code sent by email.

  • MaKolarik
    Community Member

    Yes, but that's the thing - passkeys are easy to store in a safe place on a HW key. Email access can easily be lost together with 1P access. There should be a recovery flow based on recovery code + passkey, not recovery code + email.

  • lengotengo
    Community Member

    Oh I see. Fair point indeed.

  • MaKolarik
    Community Member

    Would love to see some reaction from 1Password here, especially as the issue of needing email access for recovery has come up in several other comments/posts.

  • Dave_1P
    edited January 4

    Hello @MaKolarik! 👋

    Thank you for the feedback on our public beta for passkey unlock! The team continues to iterate and improve this exciting new feature and I appreciate you taking the time to let us know your thoughts.

    You're correct that the passkey is used as a "first step" when it comes to authenticating to the 1Password server; the actual keys used to decrypt your data are transmitted from an existing trusted device to the device that you're signing in on using end-to-end encryption.

    I recommend that you add as many trusted devices as possible to avoid being locked out. Saving a recovery code is also a good idea.

    The recovery code allows you to perform a recovery of your data but, as you mentioned, it alone isn't enough to fully restore access. This is by design since we want to make sure that a stolen recovery code can't lead to account takeovers. This is why an extra step, using a confirmation code sent to your email address, is required when using a recovery code.

    I understand that the email address confirmation step may not work for everyone and I've passed along your feedback to the team. Passkey unlock is still in beta, which means that a lot can change before the final release. Your feedback that you'd like to see other recovery options helps us to improve passkey unlock for everyone. 🙂

    -Dave

    ref: PB-37674399