Use of PRF extension

guillaume0
guillaume0
Community Member
edited January 10 in Unlock with passkeys

Hi,

I've tried out the beta to unlock 1Password with a passkey, and it seems to work well, but I'm surprised that passkeys only serve the purpose of authentication. According to the white paper, the actual encryption key is stored on the already logged in clients, wrapped by a key provided by the server when the authentication succeeds.

This is different from the way Bitwarden has released its passkey unlock beta. The encryption key is directly derived from the passkey using the FIDO2 PRF extension. This allows the use of security keys as passkeys. I know that 1Password does support physical tokens as passkeys too, but it is not of much use, since you need a trusted device to transfer the encryption key anyway, which means you can not rely on your key as a backup method. The absence of PRF also means that users can not take advantage of the passkey backup offered by Google Password Manager and iCloud Keychain.

I think that the ability to set up PRF with supported authenticators would be a great addition to the system. It would allow a much more consistent experience and would probably prevent some account losses due to the recovery code not being saved (or access to the associated email being lost, e.g. because it was stored within 1Password). I know that not all platforms currently support PRF, but it is already quite widespread, as from what I have tried, at least Android, Chromium and YubiKeys do support it. Even users of unsupported browsers would benefit this feature since they could temporarily use a supported platform to regain access when needed.

By the way, based on my test with Bitwarden, 1Password as an authenticator (for third-party websites) doesn't seem to support PRF. This would be a great addition too, because it's the most practical way to use zero-knowledge encryption with passkey login, so we can probably expect more and more websites to implement it.

Thanks a lot for your work!

Guillaume


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Hello @guillaume0! 👋

    Thank you for the feedback! The team appreciates your help in trying the beta and helping us test passkey unlock for 1Password!

    Regarding why we went with a trusted device model rather than PRF, my colleague Mitch went into some detail in our Reddit AMA back in October: https://www.reddit.com/r/1Password/comments/16to6x7/hey_reddit_were_the_team_behind_passkeys_in/k3g2df3/

    The Tl;DR is that we built our own solution for handling encryption when using a passkey since emerging standards like PRF are not yet widely supported. Our trusted device solution allows you to securely use passkeys to sign in to your 1Password account on any platform that you use without having to fallback to an account password for unsupported platforms.

    That being said, the future of passkeys is bright and I've let the team know that you'd be interested in seeing support for technologies like PRF. 🙂

    The absence of PRF also means that users can not take advantage of the passkey backup offered by Google Password Manager and iCloud Keychain.

    Can you tell me a little more about this? If you save your passkey for 1Password in iCloud Keychain, it will be synced and available on all devices signed into the same Apple account.

    -Dave

    ref: PB-37768273

  • guillaume0
    guillaume0
    Community Member

    Hi Dave, thank you for your reply!

    Yes, indeed, PRF still lacks general support, and I think that the encryption scheme you have developed is a very good and safe alternative for devices that lack support. The only problem I see is that you need a trusted device to gain access to your account, which means a YubiKey by itself is useless. It seems that up-to-date Android and Chromium browsers do support it (and probably iOS, but I can't test), so it should cover a majority of users. Maybe an idea could be to use PRF wherever it's possible, and fallback to a trusted device otherwise?

    Can you tell me a little more about this? If you save your passkey for 1Password in iCloud Keychain, it will be synced and available on all devices signed into the same Apple account.

    I was thinking of the following scenario: you use 1Password on your phone and it is lost. If you're able to recover your Google/Apple passkeys on another phone, you won't be able to unlock your 1Password data unless you have another device set up (or your recovery code + email account accessible without 1Password). With PRF, you would be able to decrypt the data with the passkey.

    By the way, another suggestion that comes very close to this topic: I think it should be possible to recover an account with passkey + recovery code (currently, you need passkey + trusted device or email access + recovery code). My reasoning behind this in the event of a complete device loss (like a burglary or a fire), you may still have a YubiKey on your keyring and a safe copy of the recovery code, but not access to your email account (especially if it's stored within 1Password).

    Thanks again for your explanation and being open to community suggestions!

  • MaKolarik
    MaKolarik
    Community Member

    I've just read the details on the Bitwarden release and was about to post the same thing - very glad to see I'm not the only one seeing the advantages in that model and @guillaume0 already summarized it very well.

    I'll add just one more thing: it seems the current passkey implementation is less secure than a master key on some platforms because there's not a really safe place for storing the device key (Windows, Linux, web). With encryption keys that are really based on the passkey, nothing needs to be stored directly on the device.

  • @guillaume0

    Thank you for the feedback regarding PRF, I've passed it along to the team. 🙂

    Regarding account recovery, our recommendation with the current implementation is to:

    1. Store your passkey in a platform provider (like iCloud Keychain) so that it's backed up and available on all devices signed into that platform provider.
    2. Add as many trusted devices to your 1Password account as you can.
    3. Generate and save a recovery code that you can use to restore access to your account if you lose your passkey or all of your trusted devices. As you mentioned, you will need to confirm the recovery using your email address.

    I appreciate your thoughts on how the recovery process could be improved, especially if someone has lost access to their email address at the same time as losing their passkey or trusted devices. While I can't make any promises, I've shared your suggestions for recovery with the team as well.

    Thank you for helping to test and improve passkey unlock for everyone. 💙

    -Dave

This discussion has been closed.