Request: Allow log in from browser without forcing authorization from an already authorized device
Hello,
I am testing the unlock with passkey feature currently with Yubikeys. I added two Yubikeys as a passkey and I am able to use them on my iPhone and on the browser. But one thing is really annoying:
the requirement to authorize a new browser on a trusted device when connecting to 1password from a different browser and the impossibility to disable this behavior
Why? Well let's describe a scenario which might happen quite easily...
- I use 1password on my iphone and on my Mac
- i am on a trip far from home, only with my iphone and my (heavy) mac is safe at home
- My iPhone gets stolen
- Of course my passwords are safe as they don't have any Yubikey neither their pincode
- But now I am unable to get access to any password during the whole trip: if i borrow the computer of a friend 1password will refuse signing in with my Yubikey because it will send an authorization to my (stolen) iPhone and my Mac is alone at home !
... So simply by getting my phone stolen I am locked out of my digital identity because of that authorization : no emails, no social media account access, no banking app access ! Just a few examples of how annoying this can be.
Now don't come with you just have to setup a recovery code. Not only in my setup this is a big security leak (compared to simply adding enough backup yubikeys). Even if I do so, it won't be in my wallet while on holiday. It's in a bank deposit box or at home in some drawer.
I am aware that for most users the authorization feature is good and adds extra security especially if their master passkey is stored on the iphone itself.
But please add an option to disable this. It's (in my opinion) compromising the ease of use of passkeys especially in an already secure enough scenario with hardware keys which are already a strong 2FA.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
As my discussion was deleted without any comment, I am posting it here again... as I really think that it is of concern
Feature request: Possibility to disable forced authorization by a trusted device when signing in on a new browser or device
I am testing the unlock with passkey feature currently with Yubikeys. I added two Yubikeys as a passkey and I am able to use them on my iPhone and on the browser. But one thing is really annoying:
- the requirement to authorize a new browser on a trusted device when connecting to 1password from a different browser and the impossibility to disable this behavior
Why? Well let's describe a scenario which might happen quite easily...
- I use 1password on my iphone and on my Mac
- i am on a trip far from home, only with my iphone and my (heavy) mac is safe at home
- My iPhone gets stolen
- Of course my passwords are safe as they don't have any Yubikey neither the pincode
- But now I am unable to get access to any password during the whole trip: if i borrow the computer of a friend 1password will refuse signing in with my Yubikey because it will send an authorization to my (stolen) iPhone and my Mac is alone at home !
... So simply by getting my phone stolen I am locked out of my digital identity because of that authorization : no emails, no social media account access, no banking app access ! Just a few examples of how annoying this can be.
Now don't come with you just have to setup a recovery code. Not only in my setup this is a big security leak (compared to simply adding enough backup yubikeys). Even if I do so, it won't be in my wallet while on holiday. It's in a bank deposit box or at home in some drawer.
I am aware that for most users the authorization feature is good and adds extra security especially if their master passkey is stored on the iphone itself.
But please add an option to disable forced authorization by a trusted device. It's (in my opinion) compromising the ease of use of passkeys.
0 -
I would very much like to see this option as well, but I'm afraid it isn't actually possible using the current encryption model. Using passkeys on their own for encryption is quite problematic, and I was looking forward to seeing how 1Password solved that problem. After reading through the details here and the white paper, I have to say the answer is: they didn't.
Even though the feature is marketed as "unlock with passkeys" the encryption is not based on passkeys at all. Instead, each device has its own local keys, and setting up a new device involves a device-to-device data transfer, which is why I think the confirmation on an existing device is unavoidable. The passkeys are merely used to make sure it's you adding the device before a notification to the existing device is sent, so that you can't spam the approval requests for random accounts.
This design is overall a little disappointing because based on all the marketing talk during the year, it did seem passkeys would be playing a more important role here - but it's also understandable given the limitations of using passkeys directly for encryption.
I think at least the recovery process could be simplified a little but it would still require you to know the recovery code: https://1password.community/discussion/143668/feedback-regarding-the-passkey-recovery-flow - and nobody from 1Password responded on that thread so far :(
1 -
Hello @rednaxela123! 👋
Thank you for helping us test passkey unlock in our public beta! The requirement to use an existing trusted device to add your 1Password account to a new device or browser is part of the architecture of passkey unlock and isn't merely an additional verification step that can be turned off.
As MaKolarik mentioned, your passkey authenticates you to the 1Password server which then sends a notification to all of your existing trusted devices. Your trusted devices will then ask you if you'd like to setup a new device, if you provide confirmation then the keys to unlock your account are sent to your new device via an end-to-end encrypted tunnel from that existing trusted device. While the passkey authenticates you to our server, it is the keys from your trusted device that allow you to decrypt your account data on the new device.
Without the keys from an existing trusted device you wouldn't be able to decrypt your items. You can read more about the security of passkey unlock here: About the security of unlocking 1Password with a passkey
... So simply by getting my phone stolen I am locked out of my digital identity because of that authorization : no emails, no social media account access, no banking app access ! Just a few examples of how annoying this can be.
I'm happy to pass along your feedback to the team but I was curious about this portion from your post. Isn't this the same situation as what you'd already be facing if your phone was stolen when using a traditional 1Password account secured by your account password and Secret Key? Or do you currently carry a printed copy of your Secret Key or Emergency Kit with you when on vacation?
I look forward to hearing from you.
-Dave
0 -
Hello Dave and MaKolarik,
thank you very much for these detailed explanations. I understand now the requirement of the authorization by a trusted device. It’s the device which creates the encryption key, and it is stored on the device. While I understand the complexity of implementing passkey unlock I am disappointed that the secret generated by the secure enclave whether it’s the one on the Yubikey or the biometrics of the phone are not used to protect the 1password master key, as I thought. So how is the secret protected now if the passkey only is used for authentication to 1password servers ? the device’s key chain security ? that would mean that i delegate the quite strong protection of the current master password only known by me to the protection of the key chain. as i read recently it is possible to reset the apple id password of a stolen phone just with the pin code, so currently, I am not convinced of apple’s way of handling key chain security. they work on an improvement but due to trusted locations there will be still flaws in their security. So I think I’ll stick with the master password until it’s possible to encrypt and decrypt the master key truely with a secret stored on a secure external device only like my Yubikeys. It’s not so convenient but at least i know that the master key will always be protected by the zero knowledge principle.@dave: i indeed carry around my printed secret key (without any hint what it is for of course). It’s only a phishing protection for me. you may have me robbed by some gangsters now… ;-) But, in my humble opinion, it is not possible even with the secret key to get access or to decrypt the vault of to 1password as the master password is still in my head only so if i stick to the scenario that only my phone gets stolen but i still have my printed secret key, i would have plenty of time to login from a browser to get access to 1password even on vacation, change important account passwords and change my secret key as well by the way. even if the stolen phone would have been unlocked it does still not allow to unlock 1password. If i would carry the new recovery key with me that seems more dangerous: an unlocked stolen phone gives access to email account, so if i also get my wallet stolen (with the recovery key) they can gain access to 1password and i would have no way to stop it : without the provider’s password from 1password i cannot access my email account and i cannot recover it as the fallback of the email provider likely is the phone number of the phone which is stolen. so the thief would have plenty of time to identify as myself on 1password and take over the account with the recovery key. you need to have really bad luck to all this happening, but it’s possible, and for me true security is only working if one element is true zero knowledge all the time (currently my master password). this does not seem to be the case with the current passkey unlock impIementation. am sorry i did not have read the white paper before. i naively thought that my good old master password would simply have been replaced by a strong key on the Fido2 device (yubikey, secure enclave) secured by a pin or biometrics. but i know understand that you implemented a whole different concept. would be glad to know the reason why it’s not possible to implement it like I thought. Of course feel welcome to correct me or add information if i got something wrong. besides that, being a developer myself as well I understand that things sometimes aren’t that easy as they look like. Great job for continuously improving 1password.
0 -
Thank you for the reply. When you choose to unlock your 1Password account with a passkey, a unique and random device key is created and stored on your device. This device key never leaves your device and it is used to protect the account unlock key that decrypts your items. It is the combination of your passkey (authentication) and the device key (encryption) that is used to unlock 1Password on your device.
On macOS and iOS devices, since you mentioned iCloud Keychain, we protect the device key with your device's hardware security features.
If i would carry the new recovery key with me that seems more dangerous: an unlocked stolen phone gives access to email account, so if i also get my wallet stolen (with the recovery key) they can gain access to 1password and i would have no way to stop it
The recovery code isn't meant to be used to add your 1Password account to new devices, you use your passkey and an existing trusted device to do that. The recovery code is meant to be used rarely as an emergency measure in those situations where you've lost access to either your passkey or to all of your trusted devices.
If someone steals your phone then 1Password would still be protected since the thief wouldn't be able to unlock the phone without your face/fingerprint or device passcode. If your phone is unlocked then they wouldn't be able to unlock 1Password itself without your face, fingerprint or your passkey.
When printing the recovery code, we designed the print out to exclude any reference to your specific 1Password account to avoid a thief from knowing what account the code was for. I would still recommend storing it somewhere safe.
i naively thought that my good old master password would simply have been replaced by a strong key on the Fido2 device (yubikey, secure enclave) secured by a pin or biometrics.
You can already save a passkey for your 1Password account on a security key if you wish: Unlock 1Password with a passkey (beta)
To add your 1Password account to a new device you'll need the passkey (from either platform manager like iCloud Keychain or your security key) and confirmation from an existing trusted device.
-Dave
0 -
Hello @Dave_1P additionally to the trusted device and the printed recovery code. As additional option: Did you ever thought about using certificates / digital signatures or similar which can be installed on HW keys like yubikey? So customer can choose to use passkey + trusted device; passkey + certificate on a hardware key or alternative use the backup code recovery process. The certificate on that HW key would registered like other installed trusted 1P instances and could be revoked as well in 1password.com
0 -
DELETED
0 -
Thanks for the suggestion! That system seems a little confusing to me since it would require that a user manage the saving of both a passkey and the "certificate" which is similar to having to work with both an account password and Secret Key today. The goal of passkey unlock is to make signing in easier than using an account password, Secret Key, and the rest of your account information.
What would be the purpose of making a "certificate" a trusted device? Isn't it easier to just use an existing trusted device to finish the sign-in process? Are you able to provide examples of other services, that also use end-to-end encryption and not just authentication, that work with certificates of the type that you mentioned?
-Dave
0 -
Hi Dave, thanks for reply
I understood it needs 2 things to login to your cloud and decrypt the vault. 1. Passkey to authenticate against your servers 2. the already trusted device to confirm and decrypt the vault (or the recovery key). For the recovery process rednaxela123 complains that you need access to your email-Account and the recovery key. Which is a problem if your Mobile device got lost in vacation and it's the only device you have with you, and the access to eMail is also not possible as the password for eMail account is locked in the 1P vault where you don't have access. Or even worse when access to Mailbox is only possible with a fancy new passkey ;) )
So if you could decrypt the vault thru a certificate in addition, which can be installed on a Yubikey you could have that with you (Or put it at a friends house) - secure protected via PIN.Idea would be to "hash" the required decryption secret in a certificate or digital signature which is stored on the Yubikey. So user can authenticate against your servers with the passkey and unlock the vault thru the certificate. Just to be clear - this should not replace the "approve access on trusted device" what is implemented now. It should be an additional method which is independent from Mailboxes and printed emergency recovery keys.
So flow is
1. login into 1Password.com
2. Manage credentials
3. Create digital decryption certificate / Signature
4. Store on yubikeyIf you need to login to a new 1PW instance on a new device or foreign PC. 3 Methods
A. Passkey (eg. on iCloud or Google Cloud or Yubikey) + Approve on existing trusted 1PW instance - Standard process
Backup:
B. Passkey on Yubikey + Signature or certificate from Yubikey
C) eMail and printed recovery code0 -
Thank you for the reply! I can see how additional recovery methods would be useful and I've passed along your feedback and suggestions to the team.
-Dave
ref: PB-38447300
0