Exporting passkeys
Comments
-
Thanks for those details, I've shared them with the team. Weβre continuing to work with platform vendors and other password managers through the FIDO Alliance to create a secure, and standardized, way to export and import passkeys.
Hopefully we'll have more to share in the future. π
-Dave
ref: PB-38107156
1 -
We've had to keep passkeys disabled at our organization because of portability concerns. While there aren't any tools that can import them yet, I think we'd enable Passkeys if at least they could be exported. Even an encrypted JSON blob would be fine.
I do worry about our team members creating passkeys on personal accounts, and accidentally locking themselves in to 1Password. It's really a challenging UX given how both 1Password and specific sites are promoting passkeys during login and registration flows.
0 -
Thank you for sharing that feedback, I've passed it along to the team.
For the time being, you can create a new passkey for a website any time within another provider and remove any existing passkeys from 1Password. But I do understand the need for a more streamlined export/import option.
-Dave
ref: PB-38551106
1 -
Keepass, the open source password manager, will let you export a passkey. But you obviously can't import it anywhere except keepass.
The fact that the FIDO Alliance came up with passkesy and didn't even think that import and export was a feature needed on day 1 is a HUGE oversight. I've been playing with passkeys, but I don't dare use them until there is a universal export and import format for them. If the FIDO alliance won't come up with one, then it's for the password managers to come up with their own solution together. Maybe adopt what keepass has done.
0 -
We currently don't support passkey export because there isn't a secure way to do so, yet. We don't think exporting passkeys in plain text is a best practice security wise and we won't be introducing that type of export functionality for passkeys.
We are aware of others using this plain text method, but we'd rather be patient and keep working within FIDO to introduce the passkey import/export standard that is inline with the security passkeys and 1Password brings.
For now I would recommend Dave's advice.
Create a new passkey for a website any time within another provider and remove any existing passkeys from 1Password.
0 -
I also recently started switching to passkeys and as I always keep a recent backup of the entire 1Password DB as 1pax file on an encrypted flash drive, I would also like to see passkey export/import functionality within these unencrypted 1pax files. As everything in these files is unencrypted, I don't see the danger of dumping the passkey data into this file as well. Ideally other password managers such as KeePass would at some point use the same standard so that they could also import the passkeys. But I suppose this is up to the FIDO alliance. However, waiting till this has been resolved and not giving the possibility to get the data out and into 1Passoword via a manual backup also doesn't feel right. It would certainly be nice if you could allow this already (maybe call it "1Pax export (passkey preview version)")
0 -
Thank you for reaching out. Exports aren't really designed to be used as a backup since they lack features like versioning, they're just intended to be used to transfer your items to another password manager if you decide to leave 1Password in the future.
Your 1Password membership already includes automatic backups of your items to your account in the cloud. If you need to restore a previous version of an item because it was accidentally edited or deleted then you can do so from 1Password.com:
I would also like to see passkey export/import functionality within these unencrypted 1pax files. As everything in these files is unencrypted, I don't see the danger of dumping the passkey data into this file as well.
Exporting a passkey into plain text would remove the security and anti-phishing benefits of passkeys. It would just turn passkeys into fancy versions of passwords that can be phished and stolen. The inability to export or render a passkey into plain text is part of the security design of passkeys.
As mentioned earlier in the thread, 1Password is working with partners in the FIDO Alliance to create a standard and secure way to export and import passkeys across various password managers. I don't have any news to share but hopefully we'll hear more in the future. In the meantime, I've let the team know that you're eager to see this functionality be released. π
-Dave
ref: PB-39555580
0
